From: "Barry A Rich" <barich@trisectrix.com>
To: netfilter@vger.kernel.org
Subject: Port Forwarding
Date: Thu, 28 May 2009 15:50:12 -0400
Message-ID: <002201c9dfcd$83cd7660$8b686320$@com>

Our basic configuration load balances connections across two uplink modems.
The IP addressing looks like this:

                    |-------------| 192.168.4.1         192.168.4.2
        192.168.0.1 |        eth1 |-------------------------------- Modem 1
LAN ----------------| eth0        |
                    |        eth2 |-------------------------------- Modem 2
                    |-------------| 192.168.5.1         192.168.5.2


The basic setup for the load balancing is as follows:

# filter table, INPUT: accept traffic arriving on each interface from that
# interface's own subnet, plus replies to connections the router opened
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.4.0/24 -d 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -i eth2 -s 192.168.5.0/24 -d 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# filter table, OUTPUT: locally generated traffic toward the LAN from either
# uplink address, and out of each uplink from that uplink's own address
iptables -A OUTPUT -o eth0 -s 192.168.4.1 -d 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -o eth0 -s 192.168.5.1 -d 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 192.168.4.1 -d 0.0.0.0/0 -j ACCEPT
iptables -A OUTPUT -o eth2 -s 192.168.5.1 -d 0.0.0.0/0 -j ACCEPT

# nat table: source-NAT everything leaving an uplink to that uplink's address
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.4.1
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.5.1

# per-uplink routing tables (the names uplink1/uplink2 must exist in
# /etc/iproute2/rt_tables for "table uplinkN" to be accepted)
ip route add 192.168.4.2 dev eth1 table uplink1
ip route add default via 192.168.4.1 table uplink1
# modem 2 is behind eth2; the original read "dev eth1" here, which contradicts
# the main-table route below and is taken to be a typo
ip route add 192.168.5.2 dev eth2 table uplink2
ip route add default via 192.168.5.1 table uplink2

# main table: host route to each modem
ip route add 192.168.4.2 dev eth1
ip route add 192.168.5.2 dev eth2

# policy rules: packets sourced from an uplink address stay on that uplink
ip rule add from 192.168.4.1 table uplink1
ip rule add from 192.168.5.1 table uplink2

# main table default: equal-weight multipath across both uplinks
ip route add default scope global nexthop dev eth1 weight 1 nexthop dev eth2 weight 1

This is all working. Connections are balanced across the uplinks. It turns
out the modems have a TCP control port (5000). The port number cannot be
changed on the modems. I want LAN hosts to be able to connect to both modem
control ports. The port number can be changed on the host software, so I
assigned different ports on the LAN (5000 and 5001) and tried to redirect
the ports as follows:

# LAN -> router:5000 goes to modem 1's control port, LAN -> router:5001 to modem 2's
iptables -t nat -A PREROUTING -p tcp -d 192.168.0.1 --dport 5000 -j DNAT --to 192.168.4.2:5000
iptables -t nat -A PREROUTING -p tcp -d 192.168.0.1 --dport 5001 -j DNAT --to 192.168.5.2:5000

It does not work and I'm not sure what's wrong. What is the correct way to
do this?

Thanks.
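Added example, not code from the post or from any reply in the thread: a small Python model of the nat PREROUTING step, the routing decision and the nat POSTROUTING step for the rule set in the message above, so the two translations a LAN connection to 192.168.0.1:5000 or :5001 goes through, and the conntrack reversal of the modem's reply, can be checked on paper. The DNAT, SNAT, ip rule and ip route entries are transcribed from the post; the LAN client 192.168.0.10, the client source ports, the documentation-range address 203.0.113.5 and the per-flow hash used to pick a multipath nexthop are assumptions. It models only the nat table and routing, not the filter table.

```python
"""Trace a TCP packet through nat PREROUTING -> routing -> nat POSTROUTING on
the two-uplink router from the post. Illustration only; the tables below are
transcribed from the post, the hosts and hash function are assumptions."""
import ipaddress
import zlib

LOCAL_IPS = {"192.168.0.1", "192.168.4.1", "192.168.5.1"}  # the router's own addresses

# nat PREROUTING: (dst_ip, dport) -> (new_dst_ip, new_dport), TCP only as in the post
DNAT_RULES = {
    ("192.168.0.1", 5000): ("192.168.4.2", 5000),
    ("192.168.0.1", 5001): ("192.168.5.2", 5000),
}
# nat POSTROUTING: -o <iface> -j SNAT --to <ip>
SNAT_RULES = {"eth1": "192.168.4.1", "eth2": "192.168.5.1"}

# ip rule: source address -> table, consulted before falling back to main
IP_RULES = [("192.168.4.1", "uplink1"), ("192.168.5.1", "uplink2")]
# ip route: per table, (prefix, out_iface); "multipath" stands for the
# "nexthop dev eth1 weight 1 nexthop dev eth2 weight 1" default route
IP_TABLES = {
    "uplink1": [("192.168.4.2/32", "eth1"), ("0.0.0.0/0", "eth1")],
    "uplink2": [("192.168.5.2/32", "eth2"), ("0.0.0.0/0", "eth2")],
    "main": [("192.168.0.0/24", "eth0"), ("192.168.4.2/32", "eth1"),
             ("192.168.5.2/32", "eth2"), ("0.0.0.0/0", "multipath")],
}

CONNTRACK = {}  # reply-direction tuple -> original tuple, filled in by forward()


def lookup_table(name, dst):
    """Longest-prefix match within one routing table; None if nothing matches."""
    best = None
    addr = ipaddress.ip_address(dst)
    for prefix, iface in IP_TABLES[name]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def route(src, sport, dst, dport):
    """Routing decision as made after PREROUTING: ip rules pick the table by source."""
    if dst in LOCAL_IPS:
        return "local"  # delivered to the router itself (INPUT path)
    table = next((t for ip, t in IP_RULES if ip == src), "main")
    iface = lookup_table(table, dst)
    if iface == "multipath":
        # Per-flow choice over the 4-tuple; the kernel's hash differs, this one is
        # just deterministic so the trace is repeatable (assumption).
        key = f"{src}:{sport}>{dst}:{dport}".encode()
        iface = ("eth1", "eth2")[zlib.crc32(key) % 2]
    return iface


def forward(src, sport, dst, dport):
    """Trace one packet entering from the LAN: DNAT, route, SNAT, then record the
    conntrack mapping that will reverse both translations on the reply."""
    trace = {"orig": (src, sport, dst, dport)}
    dst, dport = DNAT_RULES.get((dst, dport), (dst, dport))
    trace["after_dnat"] = (src, sport, dst, dport)
    iface = route(src, sport, dst, dport)
    trace["out_iface"] = iface
    if iface in SNAT_RULES:
        src = SNAT_RULES[iface]
    trace["after_snat"] = (src, sport, dst, dport)
    if iface != "local":
        CONNTRACK[(dst, dport, src, sport)] = trace["orig"]
    return trace


def reply(src, sport, dst, dport):
    """Reverse both NATs on a reply packet from the conntrack entry; None if no flow."""
    orig = CONNTRACK.get((src, sport, dst, dport))
    if orig is None:
        return None
    o_src, o_sport, o_dst, o_dport = orig
    return (o_dst, o_dport, o_src, o_sport)


if __name__ == "__main__":
    for port in (5000, 5001):
        t = forward("192.168.0.10", 40000 + port, "192.168.0.1", port)
        print(port, t["after_dnat"], "->", t["out_iface"], "->", t["after_snat"])
    print(reply("192.168.5.2", 5000, "192.168.5.1", 45001))
```

Running it prints the per-stage tuples for both control ports and the un-NATed reply. Two things the trace makes visible: the routing decision sees the post-DNAT destination, so the host route to the modem, not the multipath default, picks the uplink; and the reply needs no rule of its own, because conntrack reverses both translations from its stored entry. Whether a forwarded packet is also accepted by the filter table is outside the post and outside this model.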



Thread overview:
2009-05-28 19:50 Barry A Rich [this message]
2009-06-05 13:47 ` Port Forwarding Aleksander Kamenik
