-j SNAT
Danny
dineshg at hostway.com
Wed Nov 29 07:03:00 CET 2006
Hey !
It's better you don't disclose the IP of your server, and that the site is
of a bank !
I think you are better off disconnecting the user, if the client's IP has
changed ! Or have I understood you wrong !
How have you load balanced ?
Hmm ... NATing incoming requests would not help you in future >> digging
out access logs and tracking HTTP requests. !!
You should be using LVS with Direct Routing ! [ with arptables ] +
ldirectord [ Long term solution ]
- Danny
Denis wrote:
> Good afternoon everybody.
>
>
> I'm having a problem with a SNAT and want to know if somebody here can
> help me.
>
>
> The issue is as follows:
>
>
> I have a load-balanced proxy, and when my users try to access banks'
> sites over the SSL protocol (port 443),
>
> when the connection is balanced across the two proxy nodes, the bank site
> notes that the source IP changes and the user is disconnected.
>
>
> To solve this problem I thought to do a SNAT on my two nodes as follows:
>
> Node 1 (Ip 202.188.94.66)
>
> iptables -t nat -A POSTROUTING -p tcp -o eth1 --dport 443 -j SNAT --to-source 202.188.94.68:6001-7000
>
>
> and on Node 2 (IP 202.188.94.67)
>
> iptables -t nat -A POSTROUTING -p tcp -o eth1 --dport 443 -j SNAT --to-source 202.188.94.68:7001-8000
>
> So, the connection arrives at the destination translated as it has to
> be, but the connection doesn't get established.
>
> This is as the destination machine can't return the package.
>
>
> Does somebody have any idea to help me?
>
>