RE: [fw-wiz] Load Balancing

From: Daniel Chemko (dchemko_at_smgtec.com)
Date: 11/18/04

    To: "Mark Tinberg" <mtinberg@securepipe.com>, "Nathaniel Hall" <halln@otc.edu>
    Date: Thu, 18 Nov 2004 14:34:17 -0800
    
    

    >I know this is a very easy problem to fix, but I apparently am losing my
    >mind and cannot think.

    This question should really be sent to netfilter@lists.netfilter.org but
    I'll bite anyways.

    Because both computers are on the same subnet, the destination computer
    will try to directly send the message to the source machine. This'll
    break CONNTRACK in Netfilter, and it'll make the packet path look like a
    triangle if it works at all. In order to fix the problem, you'll need to
    SNAT the packet on the server as well as DNAT which you're already
    doing.

    Eg:

    iptables -t nat -A PREROUTING --destination $dstpc_fake -j DNAT --to $dstpc_real

    iptables -t nat -A POSTROUTING --destination $dstpc_real --source $local_net/$local_msk -j SNAT --to $local_fw_ip

    You will lose all the source ip specifications on the destination box,
    but it's the only way to properly do it.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

