From: Danny <dineshg@hostway.com>
To: Denis <denismpa@gmail.com>, netfilter@lists.netfilter.org
Subject: Re: -j SNAT
Date: Wed, 29 Nov 2006 11:33:00 +0530
Message-ID: <456D2294.3020002@hostway.com>
In-Reply-To: <e9aeeef80611280920n4cde4f1bj469a15688e28cee2@mail.gmail.com>

Hey !

It's better you don't disclose the IP of your server, and that the site is 
of a bank!

I think you are better off disconnecting the user, if the client's IP has 
changed! Or have I understood you wrong!

How have you load balanced?


Hmm ... NATing incoming requests would not help you in future >> digging 
out access logs and tracking HTTP requests!!

You should be using LVS with Direct Routing! [ with arptables ] + 
ldirectord [ long-term solution ]


- Danny

Denis wrote:
> Good afternoon everybody.
>
> I'm having a problem with a SNAT and wanna know if somebody here can 
> help me.
>
> The issue is as follows:
>
> I have a load-balanced proxy, and when my users try to access banks'
> sites over the SSL protocol (port 443), when the connection is balanced
> across the two proxy nodes the bank site notices that the source IP
> changes and the user is disconnected.
>
> To solve this problem I thought of doing a SNAT on my two nodes as follows:
>
> Node 1 (IP 202.188.94.66)
>
> iptables -t nat -A POSTROUTING -p tcp -o eth1 --dport 443 -j SNAT
> --to-source 202.188.94.68:6001-7000
>
> and on Node 2 (IP 202.188.94.67)
>
> iptables -t nat -A POSTROUTING -p tcp -o eth1 --dport 443 -j SNAT
> --to-source 202.188.94.68:7001-8000
>
> So the connection arrives at the destination translated as it has to
> be, but the connection doesn't get established.
>
> It's as if the destination machine can't return the packet.
>
> Does somebody have any idea to help me?
>

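The quoted rules translate outbound port-443 flows on both nodes to the same address, 202.188.94.68, with a disjoint source-port range per node. The following is an added model of that setup, not code from the thread or from netfilter: it keeps a per-node connection-tracking table exactly as the two SNAT rules would, then shows what happens to the bank's reply under three return-path policies. The client address 10.0.0.5, the bank address 198.51.100.10 and the policy names ("unrouted", "node1", "per_port") are constructed for the illustration. The point it makes is the one Denis observes: a reply addressed to the SNAT address can only be de-translated by the node holding the conntrack entry, so if that address is not routed back to that node (for every port range), the handshake never completes.

```python
"""Toy model of two-node iptables SNAT to a shared address (constructed example).

Each node applies `-j SNAT --to-source 202.188.94.68:<lo>-<hi>` to new
outbound TCP/443 flows and records the mapping in its own conntrack table.
The bank replies to 202.188.94.68:<port>; whether that reply is ever
de-translated depends entirely on which node the return path delivers it to.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class SnatNode:
    """One proxy node: a POSTROUTING SNAT rule plus its private conntrack table."""
    name: str
    own_ip: str
    snat_ip: str
    port_lo: int
    port_hi: int
    next_port: int = 0
    # (snat_ip, nat_port) -> (original src, original sport)
    conntrack: dict = field(default_factory=dict)

    def __post_init__(self):
        self.next_port = self.port_lo

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a new outbound flow; non-443 traffic is left alone (--dport 443)."""
        if pkt.dport != 443:
            return pkt
        if self.next_port > self.port_hi:
            raise RuntimeError(f"{self.name}: SNAT port range exhausted")
        nat_port = self.next_port
        self.next_port += 1
        self.conntrack[(self.snat_ip, nat_port)] = (pkt.src, pkt.sport)
        return Packet(self.snat_ip, nat_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Reverse the translation for a reply, or None if this node has no entry."""
        entry = self.conntrack.get((pkt.dst, pkt.dport))
        if entry is None:
            return None
        orig_src, orig_sport = entry
        return Packet(pkt.src, pkt.sport, orig_src, orig_sport)


def route_reply(pkt: Packet, nodes, policy: str):
    """Which node receives a reply addressed to the SNAT address (constructed policies).

    "unrouted": nobody answers for 202.188.94.68 -> reply is lost.
    "node1":    node1 alone holds the address -> every reply lands on node1.
    "per_port": the return path delivers by destination-port range.
    """
    if policy == "unrouted":
        return None
    if policy == "per_port":
        for n in nodes:
            if pkt.dst == n.snat_ip and n.port_lo <= pkt.dport <= n.port_hi:
                return n
        return None
    return next(n for n in nodes if n.name == policy)


def simulate(policy: str) -> dict:
    """Open one flow through each node; report whether the reply reaches the client."""
    node1 = SnatNode("node1", "202.188.94.66", "202.188.94.68", 6001, 7000)
    node2 = SnatNode("node2", "202.188.94.67", "202.188.94.68", 7001, 8000)
    nodes = [node1, node2]
    client = Packet("10.0.0.5", 40000, "198.51.100.10", 443)  # constructed addresses
    outcome = {}
    for node in nodes:
        out = node.outbound(client)
        reply = Packet(out.dst, out.dport, out.src, out.sport)  # bank's SYN/ACK
        receiver = route_reply(reply, nodes, policy)
        back = receiver.inbound(reply) if receiver else None
        outcome[node.name] = back is not None and back.dst == client.src
    return outcome


if __name__ == "__main__":
    for policy in ("unrouted", "node1", "per_port"):
        print(policy, simulate(policy))
```

Running it shows "unrouted" failing on both nodes, "node1" succeeding only for node1's own flows (node2's replies arrive at a node with no matching entry), and "per_port" succeeding on both. Note that even the working case does nothing for the audit problem Danny raises: after SNAT the bank sees one address for every user, so attributing a request to a client later requires the node's own logs.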

