-j SNAT

Danny dineshg at hostway.com
Wed Nov 29 07:03:00 CET 2006


Hey !

It's better you don't disclose the IP of your server, and that the site is 
a bank's!

I think you are better off disconnecting the user if the client's IP has 
changed! Or have I understood you wrong?

How have you load balanced ?


Hmm ... NATing incoming requests would not help you in future when digging 
out access logs and tracking HTTP requests!

You should be using LVS with Direct Routing! [with arptables] + 
ldirectord [long-term solution]


- Danny

Denis wrote:
> Good afternoon everybody.
>
>
> I'm having a problem with SNAT and want to know if somebody here can 
> help me.
>
>
> The issue is as follows:
>
>
> I have a load-balanced proxy, and when my users try to access banks'
> sites over SSL (port 443),
>
> when the connection is balanced between the two proxy nodes the bank site
> notices that the source IP changes and the user is disconnected.
>
>
> To solve this problem I thought of doing SNAT on my two nodes as follows:
>
> Node 1 (IP 202.188.94.66)
>
> iptables -t nat -A POSTROUTING -p tcp -o eth1 --dport 443 -j SNAT --to-source 202.188.94.68:6001-7000
>
>
> and on Node 2 (IP 202.188.94.67)
>
> iptables -t nat -A POSTROUTING -p tcp -o eth1 --dport 443 -j SNAT --to-source 202.188.94.68:7001-8000
>
> So the connection arrives at the destination translated as it should be,
> but the connection doesn't get established.
>
> It is as if the destination machine can't return the packet.
>
>
> Does somebody have any idea to help me?
>
>
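Denis's own diagnosis in the quoted message is the right one, and the reason is worth spelling out. The bank's reply is addressed to 202.188.94.68, an address neither node holds, so the last-hop router on that segment gets no ARP answer for it and the reply is dropped before either node's conntrack table can reverse the translation. Even if one node did hold .68, flows that the other node translated would be delivered to it without any matching conntrack state and would be dropped there instead. The model below, added here as an editor's example and not code from either post, walks through those cases with the thread's addresses and port ranges. The client address, the sequential port allocation and the `Node` / `deliver_reply` / `run` helpers are constructed for the illustration and do not model netfilter beyond ARP ownership and conntrack lookup.

```python
"""Return-path model for the SNAT setup discussed in the thread.

Added example, not code from the original posts. It models only what matters
here: which host on the segment answers for the SNAT address, and which host
holds the conntrack entry needed to reverse the translation. The node and
SNAT addresses are the ones from the thread; the client and the port
allocation are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int]  # (ip, port)


@dataclass
class Node:
    name: str
    addrs: Set[str]                # addresses this host holds and answers ARP for
    snat_to: str                   # SNAT --to-source address
    port_range: Tuple[int, int]    # SNAT --to-source port range, inclusive
    conntrack: Dict[Flow, Flow] = field(default_factory=dict)  # translated -> original

    def snat(self, orig_src: Flow) -> Flow:
        """Translate an outgoing flow and record it, as the nat table does."""
        lo, hi = self.port_range
        for port in range(lo, hi + 1):
            key = (self.snat_to, port)
            if key not in self.conntrack:
                self.conntrack[key] = orig_src
                return key
        raise RuntimeError("%s: SNAT port range exhausted" % self.name)


def deliver_reply(nodes: List[Node], reply_dst: Flow) -> Tuple[Optional[Node], str]:
    """Route the bank's reply (addressed to the translated source) back onto the segment.

    Returns (node that reverses the NAT, reason), or (None, why the reply was lost).
    """
    ip, _port = reply_dst
    owners = [n for n in nodes if ip in n.addrs]
    if not owners:
        return None, ("nobody on the segment holds %s, so the last-hop router gets "
                      "no ARP reply and the packet is dropped" % ip)
    owner = owners[0]
    if reply_dst not in owner.conntrack:
        return None, ("%s holds %s but has no conntrack entry for this flow, "
                      "so it cannot reverse the NAT" % (owner.name, ip))
    orig_ip, orig_port = owner.conntrack[reply_dst]
    return owner, "%s reverses the NAT to %s:%d" % (owner.name, orig_ip, orig_port)


def run(nodes: List[Node], client: Flow = ("10.0.0.5", 40000)) -> Dict[str, Optional[str]]:
    """Send one HTTPS flow out through each node and report which node, if any,
    receives and un-NATs the reply."""
    result: Dict[str, Optional[str]] = {}
    for n in nodes:
        translated = n.snat(client)
        owner, _why = deliver_reply(nodes, translated)
        result[n.name] = owner.name if owner else None
    return result


# Scenario 1: the thread's rules. Both nodes SNAT to 202.188.94.68, which neither holds.
thread_setup = [
    Node("node1", {"202.188.94.66"}, "202.188.94.68", (6001, 7000)),
    Node("node2", {"202.188.94.67"}, "202.188.94.68", (7001, 8000)),
]

# Scenario 2: node1 additionally holds .68. Its own flows come back, but node2's
# flows are delivered to node1, which has no conntrack state for them.
one_owner = [
    Node("node1", {"202.188.94.66", "202.188.94.68"}, "202.188.94.68", (6001, 7000)),
    Node("node2", {"202.188.94.67"}, "202.188.94.68", (7001, 8000)),
]

# Scenario 3: each node SNATs to an address it holds. Replies return on both nodes,
# but the bank now sees .66 or .67 depending on the node, which is the original complaint.
own_address = [
    Node("node1", {"202.188.94.66"}, "202.188.94.66", (6001, 7000)),
    Node("node2", {"202.188.94.67"}, "202.188.94.67", (7001, 8000)),
]

if __name__ == "__main__":
    for label, setup in (("thread", thread_setup), ("one owner", one_owner),
                         ("own address", own_address)):
        print(label, run(setup))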




More information about the netfilter mailing list