From: Lawrence MacIntyre
Date: Fri, 05 Sep 2003 13:50:20 +0000
Subject: Re: [LARTC] port forwarding to different servers with nat
To: lartc@vger.kernel.org

Trepo:

If you will read my post again, you will note that one webserver is reachable via the normal port 80, and the other by the less-normal port 8080. Some services work well this way; http and ssh are good examples.

On Thu, 2003-09-04 at 18:35, trepo wrote:
> If you are in control of the clients accessing the servers, then
> Lawrence MacIntyre is right... otherwise not. The
> clients --unless configured otherwise-- will always look for the requested
> services on the standard ports (i.e. http on port 80), so if you have
> multiple servers running the same service, you are out of luck. The router
> doing DNAT has no way of telling which server it has to forward to, as all
> requests come in with the same destination IP and the same port.
>
> The case with different services is easier to solve: you set up your
> iptables rulesets to forward the service ports to the appropriate machine.
>
> iptables -t nat -A PREROUTING -p tcp --dport {service-port} -j DNAT --to {server-ip:port}
>
> You may replace 'tcp' with 'udp', depending on the protocol used (see the
> iptables manpage).
>
> > But how do the return packets get rewritten?
> >
> > iptables -t nat -A POSTROUTING -s wilma -j SNAT --to external
> > iptables -t nat -A POSTROUTING -s fred -j SNAT --to external
> >
> > ...seems wrong. Or does it work just fine? (I can't test it right now,
> > unfortunately....)
>
> No, that's right. The return packets are sent to the requester's address,
> which has never got rewritten along the way... (not at your box, at least :) )
>
> Please correct me if I'm wrong.
> ----------------------------------------------------------------
> trepo@azet.sk

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
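The return-path question in the quoted exchange (whether the POSTROUTING SNAT rules are needed for replies to a DNAT'd connection) can be illustrated with a toy model of what netfilter's connection tracking does: it records the translation made at PREROUTING and applies the reverse mapping to the reply packets by itself. This is an added Python model, not code from the thread or from iptables; the addresses for external, wilma and fred are constructed, and the two DNAT rules mirror the port 80 / port 8080 split described in the message.

```python
# Added example: toy model of PREROUTING DNAT plus conntrack's reverse mapping.
# All addresses below are constructed for illustration.
from dataclasses import dataclass

EXTERNAL = "203.0.113.1"  # assumed address of the router ("external" in the thread)
# PREROUTING DNAT rules as described in the thread: port 80 -> wilma, 8080 -> fred
DNAT_RULES = {
    ("tcp", 80): ("192.168.1.10", 80),    # wilma, assumed address
    ("tcp", 8080): ("192.168.1.11", 80),  # fred, assumed address
}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class NatRouter:
    """Models the DNAT rules and the conntrack state that un-NATs replies."""
    def __init__(self):
        # reply 5-tuple as the internal server will send it -> original (dst, dport)
        self.conntrack = {}

    def inbound(self, pkt):
        """A packet from an external client arriving at the router."""
        target = DNAT_RULES.get((pkt.proto, pkt.dport))
        if target is None or pkt.dst != EXTERNAL:
            return pkt  # no DNAT rule matched: forwarded untouched
        new_dst, new_dport = target
        # conntrack remembers the mapping so the reply can be rewritten back
        reply_key = (pkt.proto, new_dst, new_dport, pkt.src, pkt.sport)
        self.conntrack[reply_key] = (pkt.dst, pkt.dport)
        return Packet(pkt.proto, pkt.src, pkt.sport, new_dst, new_dport)

    def outbound(self, pkt):
        """A packet from an internal server heading back to the client."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        orig = self.conntrack.get(key)
        if orig is None:
            return pkt  # not the reply to a DNAT'd flow: no rewrite needed
        ext_ip, ext_port = orig
        # reverse translation: source becomes the router's external address again;
        # the destination (the requester) was never rewritten, so it stays as is
        return Packet(pkt.proto, ext_ip, ext_port, pkt.dst, pkt.dport)
```

No SNAT rule is consulted on the reply path; the conntrack entry created by the DNAT rule is what restores the external address, which is why the quoted setup works without the extra POSTROUTING rules for replies.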