On 17/01/2011 11:38, Gáspár Lajos wrote:
> Hi,
>
> On 2011-01-17 11:16, GMail Isaac Gonzalez wrote:
>> Hi,
>>
>> I've been doing some testing and it seems that iptables only does SNAT on NEW
>> connections, and I need to change the IP address of replied packets.
>> Does anybody know a workaround? If nobody knows a workaround,
>> can you confirm that it's not possible to do this with iptables?
>
> read again the NAT part in the manual:
> man iptables
>
> nat table:
> nat:
> This table is consulted when a packet that creates a
> new connection is encountered. It consists of three built-ins:
> PREROUTING (for altering packets as soon as they come in), OUTPUT
> (for altering locally-generated packets before routing), and POSTROUTING (for
> altering packets as they are about to go out).
>
> DNAT target:
>
> DNAT
> This target is only valid in the nat table, in the
> PREROUTING and OUTPUT chains, and user-defined chains which are only
> called from those chains. It specifies that the destination address
> of the packet should be modified
> (and all future packets in this connection will also be
> mangled), and rules should cease being examined. It takes one type of
> option:
>
> SNAT target:
>
> SNAT
> This target is only valid in the nat table, in the POSTROUTING
> chain. It specifies that the source address of the packet should be
> modified (and all future packets in this connection will also be
> mangled), and rules should
> cease being examined. It takes one type of option:
>
>
>> I've tried the following iptables rules and they only work when I open NEW
>> connections from the web server.
>>
>> -A POSTROUTING -o br0 -s WE_SERVER_ADDR -p tcp -m tcp --sport 80
>> --dport 1024:65535 -j SNAT --to-source LOAD_BALANCER_ADDR
>>
>> Thanks in advance.
>>
>> Isaac González
>>
>
> You should do all of the NAT-ing ON THE LOAD BALANCER:
>

I have to agree - if you are doing NAT you want to avoid any type of asymmetric routing - especially you NEED to make sure that the device that is doing the NAT (be it for load balancing or other reasons) receives the return packets. You cannot keep a TCP connection going otherwise, unless there is some sort of state information being shared between the devices.

--
Best Regards,

Giles Coochey
NetSecSpec Ltd
NL T-Systems Mobile: +31 681 265 086
NL Mobile: +31 626 508 131
Gib Mobile: +350 5401 6693
Email/MSN/Live Messenger: giles@coochey.net
Skype: gilescoochey
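Added illustration, not code from this thread or from iptables itself: a toy Python model of the man-page semantics quoted above (nat table consulted only for the first packet of a connection, mapping replayed for the rest), showing why the web server's --sport 80 SNAT rule only fires for connections the web server opens, and how doing DNAT plus SNAT on the load balancer keeps the return path through it. The addresses are constructed placeholders for WE_SERVER_ADDR and LOAD_BALANCER_ADDR.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    def reply(self):
        return Pkt(self.dst, self.dport, self.src, self.sport)

class NatBox:
    """One netfilter host. `hooks` = one (match, translate) per nat hook in traversal
    order (PREROUTING, then POSTROUTING). The nat table is consulted only for the first
    packet of a connection; that mapping is then replayed for all later packets, both ways."""
    def __init__(self, hooks):
        self.hooks = hooks
        self.conntrack = {}  # packet as received -> packet as forwarded
    def forward(self, pkt):
        if pkt in self.conntrack:  # ESTABLISHED: nat rules are not consulted at all
            return self.conntrack[pkt]
        out = pkt  # NEW: walk the nat hooks exactly once
        for match, translate in self.hooks:
            if match(out):
                out = translate(out)
        self.conntrack[pkt] = out  # original direction
        self.conntrack[out.reply()] = pkt.reply()  # reply direction (reverse mapping)
        return out

# Constructed sample addresses standing in for WE_SERVER_ADDR / LOAD_BALANCER_ADDR.
CLIENT, LB, WEB = "203.0.113.10", "198.51.100.1", "192.0.2.20"

def web_server_snat_attempt():
    """The thread's POSTROUTING SNAT rule (--sport 80) installed on the web server: the
    client's SYN is the NEW packet and does not match, so the SYN/ACK is ESTABLISHED and
    leaves unchanged. Only a connection the web server opens itself from port 80 is rewritten."""
    web = NatBox([(lambda p: p.src == WEB and p.sport == 80,
                   lambda p: Pkt(LB, p.sport, p.dst, p.dport))])
    web.forward(Pkt(CLIENT, 5000, WEB, 80))  # SYN as it arrives at the web server
    reply = web.forward(Pkt(WEB, 80, CLIENT, 5000))  # SYN/ACK: source stays WEB
    fresh = web.forward(Pkt(WEB, 80, CLIENT, 6000))  # NEW connection from port 80: rewritten
    return reply, fresh

def load_balancer_full_nat():
    """NAT on the load balancer instead: DNAT to the web server in PREROUTING plus SNAT to
    the balancer in POSTROUTING, so the reply comes back through the balancer and its
    conntrack entry maps it to LB:80 -> client."""
    lb = NatBox([(lambda p: p.dst == LB and p.dport == 80, lambda p: Pkt(p.src, p.sport, WEB, 80)),
                 (lambda p: p.dst == WEB, lambda p: Pkt(LB, p.sport, p.dst, p.dport))])
    to_web = lb.forward(Pkt(CLIENT, 5000, LB, 80))
    back = lb.forward(to_web.reply())  # web server's SYN/ACK, as it reaches the balancer
    return to_web, back
```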