Ruben,

>> SNAT
>> This target is only valid in the nat table, in the POSTROUTING
>> chain. It specifies that the source address of the packet should be
>> modified (and all future packets in this connection will also be mangled),
>> and rules should cease being examined. It takes one type of option:
>>
>> --to-source ipaddr[-ipaddr][:port-port]
>> which can specify a single new source IP address, an
>> inclusive range of IP addresses, and optionally, a port range (which is
>> only valid if the rule also specifies -p tcp or -p udp). If no port
>> range is specified, then source ports below 512 will be mapped to other
>> ports below 512: those between 512 and 1023 inclusive will be mapped to
>> ports below 1024, and other ports will be mapped to 1024 or above. Where
>> possible, no port alteration will
>>
>> In Kernels up to 2.6.10, you can add several --to-source
>> options. For those kernels, if you specify more than one source address,
>> either via an address range or multiple --to-source options, a simple
>> round-robin (one after another in cycle) takes place between these
>> addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to
>> multiple ranges anymore.
>>
>> --random
>> If option --random is used then port mapping will be
>> randomized (kernel >= 2.6.21).
>>
>
> With newer kernels it is indeed impossible to specify multiple --to-source
> directives. However, in your diagram you used 1.1.2.2 - 1.1.2.6. This is
> a "nice" range for which support still is present. So unless your set of IP
> addresses you want to use for SNAT'ing the traffic isn't a nice range, then
> the SNAT feature of iptables/netfilter will do the trick just fine.
>
Please re-read the man page: "In Kernels up to 2.6.10, you can add several --to-source"; in newer kernels you can't. In my example I'm talking about 1 range, but I need to use multiple ranges...

Seems that Eric Spiteri (thanks to him) has the best idea. I've tested it and it's doing the job:

  iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 --packet 0 -j SNAT --to-source 1.1.1.1
  iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 --packet 1 -j SNAT --to-source 1.1.1.2
  iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 --packet 2 -j SNAT --to-source 1.1.1.3

But! I did a tcpdump on a server "on the internet", and 5 telnets from an internal client, and the client IPs seen by the "internet server" are:

  1.1.1.1
  1.1.1.2
  1.1.1.3
  10.0.0.10 (the real client IP)
  1.1.1.1

So, the round-robin sometimes passes through the default gateway...

Graeme Fowler is right, it's an iptables problem, not LVS.

--
Greg
_______________________________________________
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED] or go to http://lists.graemef.net/mailman/listinfo/lvs-users
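Why three "--every 3" rules leave some connections on the real client address, as an added example that is not from this thread or from iptables itself: a small Python model of the statistic match, assuming (as the xt_statistic match does) that each rule keeps its own counter and that only a connection's first packet is evaluated in the nat table. It also renders the cascading 3 / 2 / catch-all rule set, which hands every new connection to one of the three addresses.

```python
# Added model of iptables' "-m statistic --mode nth" (not code from the thread).
# Assumption, matching the xt_statistic semantics: every rule keeps its OWN
# counter, and "--every N --packet P" matches the P-th, (P+N)-th, ... packet
# that reaches THAT rule.  In the nat table only a connection's first packet
# is evaluated, so one "packet" below stands for one new connection.
from collections import Counter

LEAK = "no SNAT (real client IP leaks)"


def nth_rules(rules):
    """rules: [(every, packet, to_source)]; every=None means an unconditional
    rule.  Returns a picker that walks one new connection through the chain."""
    counters = [0] * len(rules)

    def pick():
        for i, (every, packet, src) in enumerate(rules):
            if every is None:
                return src
            hit = counters[i] % every == packet   # this rule's private counter
            counters[i] += 1                      # counted even when it misses
            if hit:
                return src                        # SNAT: rule walk stops here
        return LEAK                               # fell off the end of the chain
    return pick


def simulate(rules, connections):
    """Source address chosen for each of `connections` new flows, in order."""
    pick = nth_rules(rules)
    return [pick() for _ in range(connections)]


def iptables_lines(rules):
    """Render a rule list as POSTROUTING SNAT commands (constructed here)."""
    out = []
    for every, packet, src in rules:
        m = "" if every is None else f" -m statistic --mode nth --every {every} --packet {packet}"
        out.append(f"iptables -t nat -A POSTROUTING{m} -j SNAT --to-source {src}")
    return out


# The three rules as posted: each "--every 3", so rule 2 only ever sees the
# 2 of 3 flows rule 1 let through, and matches 1 in 3 of *those*, and so on.
POSTED = [(3, 0, "1.1.1.1"), (3, 1, "1.1.1.2"), (3, 2, "1.1.1.3")]
# Cascading form: 1 of 3, then 1 of the remaining 2, then everything left.
CASCADED = [(3, 0, "1.1.1.1"), (2, 0, "1.1.1.2"), (None, None, "1.1.1.3")]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("cascaded", CASCADED)):
        print(name, dict(Counter(simulate(rules, 30))))
    print("\n".join(iptables_lines(CASCADED)))
```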
