(D)NAT with IPv6 (was "nf_conntrack & NAT")
Herve Eychenne
rv at wallfire.org
Thu Dec 8 12:41:20 CET 2005
On Wed, Dec 07, 2005 at 04:09:25PM +0100, Jozsef Kadlecsik wrote:
> On Wed, 7 Dec 2005, Herve Eychenne wrote:
> > I don't want to use DNAT for load balancing. I want to use DNAT (and
> > I'm using it just now with IPv4) to redirect traffic destined to a
> > certain IP/port to another IP (private or not) in the most transparent
> > way. There are plenty of scenarios where I'm willing to do that.
> >
> > For those who need practical examples (others can stop here) that I'm
> > regularly facing myself, here it is.
> >
> > The MX of domain points to host A, and I want to redirect SMTP traffic
> > to host B (also in my network) in the most atomic way.
> > DNS propagation can be slow (caching), and user proxying is too slow
> > (and not transparent).
> > If there are miraculous mechanisms in IPv6 which make it possible to achieve that
> > redirection as atomically and quickly as DNAT, please let me know.
> Yes, use as many IP addresses as you want :-):
> Host A:
> addressA0: maintenance
> addressA1: az advertised SMTP server
> addressA2: az advertised HTTP server
> ...
> Host B:
> addressB0: maintenance
> addressB1: az advertised SMTP server
> addressB2: az advertised HTTP server
> ...
> If you want to "replace" A as SMTP server by server B, just assign
> addressA1 to server B. That's it. No NAT required at all and it
> is practically atomic.
> (Assumed the same network as you wrote.)
So each time you add a service on a host, you should assign a new IP to it
(and create the respective DNS name for this IP/service couple!), just in
case you may have to redirect its traffic one day? (even if temporary)
Oh my... If IPv6 (without DNAT) really implies that, I can still live with
IPv4 for a (very) long time!
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/