From: Josh Cepek <josh.cepek@usa.net>
To: David Sparks <dave@ca.sophos.com>
Cc: netfilter@vger.kernel.org
Subject: Re: DNAT multiple --to-destination gone: why?
Date: Thu, 10 Jul 2008 00:13:22 -0500
Message-ID: <48759A72.9030503@usa.net>
In-Reply-To: <487558AC.8080704@ca.sophos.com>
David Sparks wrote:
> According to man iptables:
>
> DNAT...
> In Kernels up to 2.6.10 you can add several --to-destination
> options. For those kernels, if you specify more than one destination
> address, either via an address range or multiple --to-destination
> options, a simple round-robin (one after another in cycle) load
> balancing takes place between these addresses.
> Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to
> multiple ranges anymore.
>
> I'm wondering why this feature was removed?
I don't have an answer for this, although perhaps others do.
> What are the workarounds/alternatives?
>
> The reason I ask is that I'm using the range feature to DNAT packets
> round-robin to 5 machines (.101-.105). .103 just had a hard drive
> failure and when I went to remove it from the iptables config I find I
> can't do that anymore as the feature was removed! I've worked around
> the problem by re-IPing a machine but I'm wondering if there is a
> iptables solution to this so I'll be better prepared in future?
Here's a workaround that might do what you seek. Optionally, you might
consider a DNS-RR instead if it makes sense for your needs.
With the statistic match you can create a round-robin that targets each
rule in turn. To do what you seek above you could use this series of
rules, with your own additional matches added as required:
iptables -t nat -A PREROUTING -m statistic --mode nth --every 2 -j DNAT --to-destination 10.0.0.101-10.0.0.102
iptables -t nat -A PREROUTING -j DNAT --to-destination 10.0.0.104-10.0.0.105
This is conceptually the same as (but simpler than) the following series
of rules:
iptables -t nat -A PREROUTING -m statistic --mode nth --every 4 -j DNAT --to-destination 10.0.0.101
iptables -t nat -A PREROUTING -m statistic --mode nth --every 3 -j DNAT --to-destination 10.0.0.102
iptables -t nat -A PREROUTING -m statistic --mode nth --every 2 -j DNAT --to-destination 10.0.0.104
iptables -t nat -A PREROUTING -j DNAT --to-destination 10.0.0.105
Of course, you can continue to add more rules as required.
--
Josh
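The countdown in Josh's second rule set (--every 4, then 3, then 2, then an unconditional rule) generalises to any number of backends: rule i of N, counting from zero, takes one in (N - i) of the packets the earlier rules passed on, so every backend ends up with 1/N. The script below is an added example, not code from the thread or from the netfilter project. It generates that rule set for an arbitrary backend list and includes a small simulation of the kernel's per-rule nth counters so the even split can be checked without touching a live firewall. The chain name RR_DNAT, the TCP port and the backend addresses are assumptions chosen for illustration; the `iptables -C` idiom used for the PREROUTING jump needs iptables 1.4.11 or later. Two caveats a practitioner should keep in mind: the nat table only sees the first packet of each connection, so the split is per new connection, not per packet, and nothing here is health-aware, a dead backend such as David's .103 keeps receiving its share until the chain is regenerated without it. Also, when a single rule DNATs to an address range, the kernel picks the address by hashing the connection's source and destination addresses rather than cycling through them, so one address per rule gives the most predictable distribution.

```sh
#!/bin/sh
# Added example (not from the original thread): build a round-robin DNAT
# chain with the statistic match for any number of backends, and simulate
# the resulting split. Chain name, port and addresses are assumptions.

# rr_dnat_rules CHAIN DPORT BACKEND...
# Print the iptables commands that (re)build CHAIN so that new TCP
# connections to DPORT are spread evenly over BACKEND... The rules live in
# their own chain, so dropping a backend is "regenerate and re-run", not
# rule surgery in PREROUTING.
rr_dnat_rules() {
    chain=$1; dport=$2; shift 2
    n=$#; i=0
    printf 'iptables -t nat -N %s 2>/dev/null || iptables -t nat -F %s\n' "$chain" "$chain"
    for backend in "$@"; do
        every=$((n - i))
        if [ "$every" -gt 1 ]; then
            # Rule i sees what the i earlier rules passed on and takes
            # exactly one in (N - i) of those packets, hence 1/N overall.
            printf 'iptables -t nat -A %s -m statistic --mode nth --every %d --packet 0 -j DNAT --to-destination %s\n' \
                "$chain" "$every" "$backend"
        else
            # Last rule: unconditional, catches the remaining 1/N.
            printf 'iptables -t nat -A %s -j DNAT --to-destination %s\n' "$chain" "$backend"
        fi
        i=$((i + 1))
    done
    # Hook the chain into PREROUTING once (-C avoids duplicate jumps).
    printf 'iptables -t nat -C PREROUTING -p tcp --dport %d -j %s 2>/dev/null || iptables -t nat -A PREROUTING -p tcp --dport %d -j %s\n' \
        "$dport" "$chain" "$dport" "$chain"
}

# rr_simulate COUNT BACKEND...
# Model the per-rule nth counter (a rule with --every K matches the K-th
# packet of every K it evaluates, the --packet 0 default) for COUNT new
# connections and print "backend hits" per line. Pure arithmetic; nothing
# is sent to the kernel.
rr_simulate() {
    total=$1; shift
    n=$#; i=0
    for backend in "$@"; do
        eval "seen_$i=0 hits_$i=0"
        i=$((i + 1))
    done
    p=0
    while [ "$p" -lt "$total" ]; do
        i=0
        for backend in "$@"; do
            every=$((n - i))
            eval "seen_$i=\$((seen_$i + 1)); s=\$seen_$i"
            if [ $((s % every)) -eq 0 ]; then
                eval "hits_$i=\$((hits_$i + 1))"
                break
            fi
            i=$((i + 1))
        done
        p=$((p + 1))
    done
    i=0
    for backend in "$@"; do
        eval "printf '%s %s\n' \"$backend\" \"\$hits_$i\""
        i=$((i + 1))
    done
}

# Usage (constructed backend list, .103 already dropped):
#   rr_dnat_rules RR_DNAT 80 10.0.0.101 10.0.0.102 10.0.0.104 10.0.0.105
#   rr_dnat_rules RR_DNAT 80 10.0.0.101 10.0.0.102 10.0.0.104 10.0.0.105 | sh   # as root
#   rr_simulate 12 10.0.0.101 10.0.0.102 10.0.0.104 10.0.0.105
```

Running the generator through `sh` as root rebuilds the chain atomically enough for this purpose (flush, then re-add); to remove a backend, run it again with the shorter list. The simulation is the quick sanity check that the --every countdown, and not the intuitive "every 4, every 4, every 4, every 4", is what gives four equal shares.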
Thread overview: 5+ messages
2008-07-10 0:32 DNAT multiple --to-destination gone: why? David Sparks
2008-07-10 5:13 ` Josh Cepek [this message]
2008-07-10 5:39 ` Grant Taylor
2008-07-10 5:52 ` Josh Cepek
2008-07-10 10:03 ` Jan Engelhardt