FW: port forwarding and load balancing redux (Repost)
Thu, 14 Sep 2000 12:28:22 -0400
I don't think my last email got through to the list, so I'm
From: Tim Coleman [mailto:firstname.lastname@example.org]
Sent: Thursday, September 14, 2000 9:17 AM
To: Harald Welte
Subject: RE: port forwarding and load balancing redux
> -----Original Message-----
> From: Harald Welte [mailto:email@example.com]
> Sent: Tuesday, October 03, 2000 6:12 AM
> To: Tim Coleman
> Cc: firstname.lastname@example.org
> Subject: Re: port forwarding and load balancing redux
> On Wed, Sep 13, 2000 at 05:30:51PM -0400, Tim Coleman wrote:
> > Just another interesting tidbit in my search for load balancing.
> > I'm doing SNAT so that clients on the local network can talk
> > to the load balanced servers.
> > iptables -t nat -A PREROUTING -p tcp -d 192.168.131.98 --dport 80
> > -j DNAT --to 192.168.131.89 --to 192.168.131.99
> > As I previously mentioned, all the packets go to the first host
> > which isn't so hot.
> > I noticed that if I remove the SNAT rules, packets seem to go
> > out both ways (of course, none of their replies are acknowledged
> > by clients, but it's interesting nonetheless).
> If You insert a DNAT rule, the reply packets should get NATed
> automagically by
> the NAT subsystem. Just think about the semantics of a MASQUERADE rule -
> you only have to insert it once to do alter request AND reply packets.
Not if the server is on the same network as the client. I'm not using
a MASQUERADE rule. From the Linux 2.4 NAT HOWTO:
10. Destination NAT Onto the Same Network
If you are doing portforwarding back onto the same network, you need to
make sure that both future packets and reply packets pass through the
NAT box (so they can be altered). The NAT code will now (since
block the outgoing ICMP redirect which is produced when the NAT'ed packet
heads out the same interface it came in on, but the receiving server will
still try to reply directly to the client (which won't recognize the
The other way is to have the NAT box also map the source IP address to
for these connections, fooling the server into replying through it. In
example, we would do the following (assuming the internal IP address of
NAT box is 192.168.1.250):
# iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \
-p tcp --dport 80 -j SNAT --to 192.168.1.250
Because the PREROUTING rule gets run first, the packets will already be
destined for the internal web server: we can tell which ones are
sourced by the source IP addresses.
This is what I'm trying to do with the SNAT rules. It seems that if I
the SNAT rules, each request alternates between the two destination hosts.
If I add them, requests always go to the first one.
I don't think that the POSTROUTING chain should affect the PREROUTING
decision, so I'm at a loss for an explanation.
Putting the Web to Work