On Tuesday 05 February 2008, Greg wrote:
> Joseph Mack NA3T wrote:
> > nice ascii diagram :-)
> >
> > Not sure what you're doing yet. I take it that your clients
> > are out on the internet. Are the 1.1.2.x machines routers?
> > Why are you SNAT'ing on the outside of the director? Why do
> > you want to fiddle with the routing of outgoing packets -
> > are the routing tables not doing what you want?
>
> I want to do the stuff that LVS does:
> internet client ---> LB server with LVS ---> round-robin internal server
> NATed
>
> but in reverse order:
>
> internal server ---> LB server with round-robin SNAT ip ---> internet
> server
>
> lartc is not able to do this job, lartc is simply routing traffic, so
> internal server A will always use route A, and not round-robin around
> routes A,B,C,D ...
>
>
> iptables was to do that with SNAT but with kernel up to 2.6.10:
>
>   SNAT
>       This target is only valid in the nat table, in the POSTROUTING
>       chain. It specifies that the source address of the packet should be
>       modified (and all future packets in this connection will also be mangled),
>       and rules should cease being examined. It takes one type of option:
>
>       --to-source ipaddr[-ipaddr][:port-port]
>              which can specify a single new source IP address, an
>              inclusive range of IP addresses, and optionally, a port range (which is
>              only valid if the rule also specifies -p tcp or -p udp). If no port
>              range is specified, then source ports below 512 will be mapped to other
>              ports below 512: those between 512 and 1023 inclusive will be mapped to
>              ports below 1024, and other ports will be mapped to 1024 or above. Where
>              possible, no port alteration will
>
>              In Kernels up to 2.6.10, you can add several --to-source
>              options. For those kernels, if you specify more than one source address,
>              either via an address range or multiple --to-source options, a simple
>              round-robin (one after another in cycle) takes place between these
>              addresses.
>              Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to
>              multiple ranges anymore.
>
>       --random
>              If option --random is used then port mapping will be
>              randomized (kernel >= 2.6.21).
With newer kernels it is indeed impossible to specify multiple --to-source directives. However, in your diagram you used 1.1.2.2 - 1.1.2.6. This is a "nice" range for which support still is present. So unless the set of IP addresses you want to use for SNAT'ing the traffic is not a nice range, the SNAT feature of iptables/netfilter will do the trick just fine.

HTH.

Regards,
--
Ruben Laban
Systems and Network Administrator
[EMAIL PROTECTED]

ISM eCompany
Van Nelleweg 1
Postbus 13043
3004 HA Rotterdam
+31 (0)10 243 6000 (tel)
+31 (0)10 243 6066 (fax)
www.ism.nl
Quality Solutions - Reliable Partner

_______________________________________________
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
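A small helper, added here and not part of the thread or of iptables itself, that checks whether a set of SNAT addresses forms the single contiguous ("nice") range newer kernels require, parses the `--to-source ipaddr[-ipaddr][:port-port]` syntax quoted above, and builds the corresponding POSTROUTING rule. The address sets are constructed from the 1.1.2.2-1.1.2.6 range in the diagram; the interface name eth0 and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample input: the diagram's range in shuffled order, and a
# gapped set that cannot be written as one --to-source range.
NICE_SET = ["1.1.2.4", "1.1.2.2", "1.1.2.6", "1.1.2.3", "1.1.2.5"]
GAPPED_SET = ["1.1.2.2", "1.1.2.3", "1.1.2.6"]

# ipaddr[-ipaddr][:port-port], as in the iptables man page excerpt above.
SPEC_RE = re.compile(
    r"^(?P<lo>[\d.]+)(?:-(?P<hi>[\d.]+))?(?::(?P<plo>\d+)-(?P<phi>\d+))?$")


def contiguous_to_source(addrs):
    """Return a single --to-source spec ('a' or 'a-b') if the addresses form
    one inclusive IPv4 range with no gaps, otherwise None."""
    ips = sorted({ipaddress.IPv4Address(a) for a in addrs})
    if not ips:
        return None
    # A gap-free range has exactly (last - first + 1) distinct members.
    if int(ips[-1]) - int(ips[0]) != len(ips) - 1:
        return None
    return str(ips[0]) if len(ips) == 1 else f"{ips[0]}-{ips[-1]}"


def parse_to_source(spec):
    """Expand a --to-source spec into (list of addresses the kernel would
    cycle through, (port_lo, port_hi) or None)."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"bad --to-source spec: {spec}")
    lo = ipaddress.IPv4Address(m["lo"])
    hi = ipaddress.IPv4Address(m["hi"] or m["lo"])
    if hi < lo:
        raise ValueError("range end precedes range start")
    addrs = [str(ipaddress.IPv4Address(i)) for i in range(int(lo), int(hi) + 1)]
    ports = (int(m["plo"]), int(m["phi"])) if m["plo"] else None
    return addrs, ports


def snat_rule(addrs, out_if="eth0"):
    """Build the POSTROUTING rule. A gapped set would need several
    --to-source options, which the man page says kernels >= 2.6.11 no
    longer support, so refuse instead of emitting a rule that will fail."""
    spec = contiguous_to_source(addrs)
    if spec is None:
        raise ValueError("addresses are not one contiguous range; "
                         "kernels >= 2.6.11 accept only a single --to-source")
    return f"iptables -t nat -A POSTROUTING -o {out_if} -j SNAT --to-source {spec}"
```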
