* Problems with statistic module using mode nth
@ 2008-08-30 11:46 Claudio Cuqui
  0 siblings, 0 replies; only message in thread
From: Claudio Cuqui @ 2008-08-30 11:46 UTC (permalink / raw)
  To: netfilter

Hi there!

I'm facing something weird when using the statistic module + mode nth. I 
started with a simple rule to balance incoming traffic to 2 different 
local addresses:

iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 10.117.4.53:25
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j DNAT --to-destination 10.117.4.54:25

After some tests I got some "connection refused" messages during my 
tests. I checked the server and everything was fine. Then, I decided to 
add an extra (unnecessary?) rule:

iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state --state NEW -j DNAT --to-destination 10.117.4.54:25

So, the final rule set was:

iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 10.117.4.53:25
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j DNAT --to-destination 10.117.4.54:25
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state --state NEW -j DNAT --to-destination 10.117.4.54:25

I never expected to see anything hit the 3rd rule. But, after adding it, I 
didn't receive any more connection refused messages, and checking the 
counters, I realized that half of the packets that should match rule #2 were 
sent to rule #3:

Chain PREROUTING (policy ACCEPT 184K packets, 21M bytes)
 pkts bytes target  prot opt in  out  source     destination
    6   360 DNAT    tcp  --  *   *    0.0.0.0/0  10.117.4.6   tcp dpt:25 state NEW statistic mode nth every 2 to:10.117.4.53:25
    3   180 DNAT    tcp  --  *   *    0.0.0.0/0  10.117.4.6   tcp dpt:25 state NEW statistic mode nth every 2 packet 1 to:10.117.4.54:25
    3   180 DNAT    tcp  --  *   *    0.0.0.0/0  10.117.4.6   tcp dpt:25 state NEW to:10.117.4.54:25

Am I doing something wrong here?

TIA,

Claudio Cuqui
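As an added worked example (not part of the post above, and not netfilter's own code), the following Python simulation models the observable behaviour of the iptables statistic match in nth mode under one assumption: every rule carrying "-m statistic --mode nth --every N --packet P" keeps its own counter, which is advanced only when a packet is actually evaluated against that rule, and the rule matches when the counter equals P. Under that model the second rule only ever sees the packets the first rule let through, so "--every 2 --packet 1" on it takes half of that half; the simulation reproduces the 6/3/3 counters shown above, shows what happens without the third rule, and generates the rule set that gives an even split: rule k of N uses "--every (N-k) --packet 0" and the last rule carries no statistic match at all. The VIP, port and backend addresses are the ones from the post; the NthRule class and as_iptables helper are assumed names introduced here.

```python
"""Simulation of the iptables 'statistic' match in nth mode.

Added example, not code from the original post.  Assumed semantics of the
xt_statistic match: each rule that carries
'-m statistic --mode nth --every N --packet P' keeps its own counter.  When a
packet is evaluated against that rule, the rule matches iff counter == P, and
the counter is then advanced modulo N.  A packet that never reaches the rule,
because an earlier rule already terminated the chain, does not touch it.
"""
from dataclasses import dataclass
from typing import List, Optional

VIP, PORT = "10.117.4.6", 25          # values taken from the post


@dataclass
class NthRule:
    dest: str                          # DNAT --to-destination
    every: Optional[int] = None        # None: no statistic match, always matches
    packet: int = 0
    counter: int = 0                   # per-rule state (assumed kernel behaviour)

    def matches(self) -> bool:
        if self.every is None:
            return True
        hit = self.counter == self.packet
        self.counter = (self.counter + 1) % self.every
        return hit

    def as_iptables(self) -> str:
        """Render the rule as the iptables command line used in the post."""
        stat = "" if self.every is None else (
            f" -m statistic --mode nth --every {self.every} --packet {self.packet}")
        return (f"iptables -t nat -A PREROUTING -p tcp -d {VIP} --dport {PORT}"
                f" -m state --state NEW{stat} -j DNAT --to-destination {self.dest}")


def run_chain(rules: List[NthRule], n_packets: int) -> List[int]:
    """Feed n_packets NEW connections through the chain.  DNAT is a terminating
    target, so the first matching rule wins.  Returns per-rule hit counts, i.e.
    the 'pkts' column of 'iptables -t nat -L PREROUTING -v', plus one final
    entry: the packets that matched no rule and fell through to the policy."""
    hits = [0] * (len(rules) + 1)
    for _ in range(n_packets):
        for i, rule in enumerate(rules):
            if rule.matches():
                hits[i] += 1
                break
        else:
            hits[-1] += 1
    return hits


def posted_chain() -> List[NthRule]:
    """The three rules from the post, in order."""
    return [NthRule("10.117.4.53:25", every=2, packet=0),
            NthRule("10.117.4.54:25", every=2, packet=1),
            NthRule("10.117.4.54:25")]


def balanced_chain(dests: List[str]) -> List[NthRule]:
    """Even split over N destinations given independent per-rule counters:
    rule k (0-based) uses --every (N-k) --packet 0, so it takes 1/(N-k) of the
    packets the earlier rules let through; the last rule is a plain catch-all."""
    n = len(dests)
    return [NthRule(d, every=(n - k) if k < n - 1 else None)
            for k, d in enumerate(dests)]


if __name__ == "__main__":
    print("posted rule set, 12 NEW connections:", run_chain(posted_chain(), 12))
    print("same without the 3rd rule (last value = fell through to policy):",
          run_chain(posted_chain()[:2], 12))
    fixed = balanced_chain(["10.117.4.53:25", "10.117.4.54:25"])
    print("balanced rule set, 12 NEW connections:", run_chain(fixed, 12))
    for rule in fixed:
        print(rule.as_iptables())
```

With the two-rule set from the start of the post, the packets the second rule's counter skips match nothing in nat PREROUTING and keep the original destination 10.117.4.6:25; the simulation reports them in the trailing fall-through slot. balanced_chain generalises the fix to any number of backends (for three it yields --every 3, --every 2, catch-all), which goes beyond the two-backend case in the post.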
