From: "Gáspár Lajos" <swifty@freemail.hu>
To: Julian Hagenauer <chaosbringer@gmx.de>
Cc: Rob Sterenborg <rob@sterenborg.info>, netfilter@lists.netfilter.org
Subject: Re: Two identical ips connected
Date: Mon, 16 Oct 2006 13:04:33 +0200 [thread overview]
Message-ID: <45336741.5060508@freemail.hu> (raw)
In-Reply-To: <20061016120211.6ab1d49b@vmm1.chaosbringer.de>
Julian Hagenauer wrote:
> Hi
>
>
>> If your packet would make it to the router and the router had this configuration:
>> - eth0: 192.168.1.0/24
>> - eth1: 192.168.1.0/24
>> the router cannot distinguish the subnets.
>>
>>
>
> Why so complicated.
> eth0: 192.168.1.4
> eth1: 192.168.1.4
>
>
You cannot assign the same IP to both servers.
How would the router route the packets???
If the servers are on the SAME PHYSICAL network then you get an IP
collision and they would refuse to talk to the net... (Try this with 2
Winsucks computers... :) )
The routing is based on IP and not on MAC !!!
> (Host-based routing) would be enough. Sure, the router cannot distinguish between the IPs, but it could distinguish between the MACs, so would it be possible to do masquerading based on MAC addresses?
>
>
>> But you'd not even get that far.
>> When you send a packet from a client to the server and this server has same IP
>> as the client (thus src and dst IP are the same), then the packet wouldn't
>> even make it to the router: it would be sent to itself.
>>
>
> Mhm, I don't understand that. Let me explain my setup in greater detail:
>
> Server1---------|
>                 |
>                 |
>                 |
> Server2-------Router-------Client
>                 |
>                 |
>                DB
>
>
Well for this scenario you can set up some load-balancing...
1. With DNS-balancing.
This is not that list ... :)
2. With iptables balancing.
iptables man pages:
"
BALANCE
This allows you to DNAT connections in a round-robin way over a given range of destination addresses.
--to-destination ipaddr-ipaddr
Address range to round-robin over.
"
"
DNAT
This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:
--to-destination [ipaddr][-ipaddr][:port-port]
which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the destination port will be modified.
In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.
"
Let's assume these settings:
c (client): 192.168.1.52
s (virtual server): 192.168.1.4
s1 (server): 10.0.0.1
s2 (server): 10.0.0.2

s1---------\
           |
           |
           |
s2-------Router-------c
           |
           |
          DB

iptables -t nat -A PREROUTING -j BALANCE -d 192.168.1.4 --to-destination 10.0.0.1-10.0.0.2
iptables -t nat -A POSTROUTING -j SNAT -s 10.0.0.1 --to-source 192.168.1.4
iptables -t nat -A POSTROUTING -j SNAT -s 10.0.0.2 --to-source 192.168.1.4
Maybe this script is useful...
But maybe not... :)
You did not tell us what kind of services will be on the servers...
Unfortunately, with FTP these rules do not work... :)
> I want Server1 and Server2 to have the same IP, although only Server1 should be accessible to clients.
> The reason for that is that I want to do some kind of load-balancing.
> The problem is that both servers need permanent access to the DB, so the router should somehow translate/masquerade the IP of Server2, so that both servers can access the DB at the same time.
>
> I know it sounds weird :-)
>
>
Just a little bit... :)
> Sincerely,
> Julian
>
Swifty
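The round-robin DNAT (BALANCE) rule and the two SNAT rules from Swifty's message above, modelled as a small conntrack simulation. This is an added illustration written for this page, not netfilter/iptables code and not part of the original thread; the client, virtual-server and backend addresses are the ones in the mail, while the DB address 10.0.0.9 and all port numbers are constructed.

```python
from dataclasses import dataclass, replace
from itertools import cycle

VIP = "192.168.1.4"                  # s, the virtual server address (from the mail)
BACKENDS = ["10.0.0.1", "10.0.0.2"]  # s1, s2: --to-destination 10.0.0.1-10.0.0.2

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class RoundRobinNat:
    """Models the PREROUTING BALANCE rule and the POSTROUTING SNAT rules,
    with a conntrack table so that NAT decisions stick per connection."""

    def __init__(self):
        self._rr = cycle(BACKENDS)
        self.dnat = {}      # (client, client port, service port) -> backend
        self.snat = {}      # (backend, port, dst, dport) -> source port as VIP
        self._used = set()  # (VIP source port, dst, dport) tuples already taken

    def prerouting(self, p):
        """Client -> VIP: pick a backend round-robin on the first packet only;
        later packets of the same connection follow the conntrack entry."""
        if p.dst != VIP:
            return p
        key = (p.src, p.sport, p.dport)
        if key not in self.dnat:
            self.dnat[key] = next(self._rr)
        return replace(p, dst=self.dnat[key])

    def postrouting(self, p):
        """Backend -> anywhere: replies of DNATed connections are un-NATed by
        conntrack; other backend traffic (e.g. to the constructed DB host) is
        SNATed to VIP, with a fresh source port if two backends would collide."""
        if p.src not in BACKENDS:
            return p
        if self.dnat.get((p.dst, p.dport, p.sport)) == p.src:
            return replace(p, src=VIP)          # reverse of the DNAT above
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.snat:
            sport = p.sport
            while (sport, p.dst, p.dport) in self._used:
                sport += 1                      # conntrack avoids tuple clashes
            self._used.add((sport, p.dst, p.dport))
            self.snat[key] = sport
        return replace(p, src=VIP, sport=self.snat[key])
```

Note that the reply half of a DNATed connection is rewritten by conntrack on its own, so the explicit SNAT rules only matter for connections the backends originate themselves (the DB access Julian asks about), where both servers come out as 192.168.1.4 with distinct source ports.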