Tom Eastep wrote: > Tom Eastep wrote: >> Lars Erik Dangvard Jensen wrote: >>> Hello list >>> >>> I try this in the configuration: >>> >>> DNAT inet1 dmz2:10.0.1.16-10.0.1.17 >>> tcp PORT - PUBIP >>> >>> The connection keeps going to the last IP address (10.0.1.17) >>> >>> Using shorewall 4.0.4 (perl) and it does not result in round-robin, >>> will it help to upgrade or is the syntax wrong? >> The syntax is correct and it won't help to upgrade; in looking at this, >> I discovered that round-robin is completely broken beginning with 4.0.5 >> (patch for 4.0.5-4.0.7 attached). >> >> I took a quick look at the Netfilter and Netfilter-devel lists and >> didn't see where anyone has reported this being broken in the kernel. So >> the only thing I can suggest is to check the output of "shorewall show >> nat" to be sure that the DNAT rule is being generated correctly. You >> should see something like '..... to:10.0.1.16-10.0.1.17:PORT'. > > Just tried it -- here is an actual (folded) example: > > 0 0 DNAT tcp -- * * 0.0.0.0/0 > 192.168.1.254 tcp dpt:80 to:206.124.146.177-206.124.146.178 > ----------------------------------
One question -- how are you testing this? From a single IP address? Because, all connections from a single IP address will use the same destination IP. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
