Linux - Networking (LinuxQuestions.org): This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
#1, 05-16-2003, 02:39 PM
Member, Registered: Mar 2003, Distribution: Fedora, Mac OSX, Posts: 362
iptables DNAT
Hello everyone,
I've got an iptables DNAT configuration on a Linux router that I am using for load balancing two web servers behind it. The rule works perfectly. For reference, this is the rule (note: not my real IP):
iptables -t nat -A PREROUTING -p TCP -d 207.46.249.222 --dport 80 -j DNAT --to 192.168.0.1-192.168.0.2
My question is whether anyone knows about the mechanism for choosing which of the two hosts a request from a web client to 207.46.249.222 goes to. Does anyone have any experience with load balancing using this method? I've read some ancient documentation that says that it's completely random, but I was wondering if anyone has experience with this.
Thanks for any input and/or comments.
#2, 05-16-2003, 03:00 PM
Member, Registered: Jan 2003, Location: Poland, Warsaw, Distribution: LFS, Gentoo, Posts: 591
man iptables!
"If you specify more than one destination address [...] a simple round-robin (one after another in cycle) load balancing takes place between these addresses."
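To make the quoted man-page behaviour concrete, here is an added example (not code from the thread or from netfilter itself) that models a DNAT rule with an address range in Python: it expands the `--to A-B` range, picks a backend round-robin for each new connection, and remembers the choice in a connection-tracking table so later packets and replies of that connection are translated consistently. Python is used because the real selection happens in the kernel and cannot be observed without root and a router; the client addresses and ports are constructed sample values.

```python
# Model of a netfilter DNAT rule with a destination range (added example).
# Assumed behaviour, per the iptables man page quoted above: one backend is
# chosen round-robin per *connection*, not per packet, and conntrack keeps
# the mapping for the life of the connection so replies are untranslated.
from ipaddress import IPv4Address
from itertools import cycle


def parse_to_range(spec):
    """Expand the '--to A-B' argument of a DNAT rule into a list of IPs."""
    first, _, last = spec.partition("-")
    lo, hi = IPv4Address(first), IPv4Address(last or first)
    if hi < lo:
        raise ValueError("range end precedes start: %s" % spec)
    return [str(IPv4Address(n)) for n in range(int(lo), int(hi) + 1)]


class DnatRule:
    def __init__(self, match_dst, match_dport, to_spec):
        self.match = (match_dst, match_dport)
        self.backends = cycle(parse_to_range(to_spec))   # round-robin cursor
        self.conntrack = {}   # (src, sport, dst, dport) -> chosen backend
        self.reverse = {}     # (backend, dport, src, sport) -> original dst

    def prerouting(self, src, sport, dst, dport):
        """Return the destination the packet is delivered to after DNAT."""
        if (dst, dport) != self.match:
            return dst        # rule does not match: packet passes untouched
        key = (src, sport, dst, dport)
        if key not in self.conntrack:
            # First packet of a new connection: take the next backend in the
            # cycle and record it; every later packet reuses this entry.
            chosen = next(self.backends)
            self.conntrack[key] = chosen
            self.reverse[(chosen, dport, src, sport)] = dst
        return self.conntrack[key]

    def reply(self, backend, bport, client, cport):
        """Reverse-translate a backend's reply so the client sees the public IP."""
        return self.reverse.get((backend, bport, client, cport), backend)


if __name__ == "__main__":
    rule = DnatRule("207.46.249.222", 80, "192.168.0.1-192.168.0.2")
    for client in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):   # constructed clients
        print(client, "->", rule.prerouting(client, 40000, "207.46.249.222", 80))
```

Each new client above lands on the next backend in turn, while a repeated packet from the same client and port stays on the backend it was first given.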
#3, 05-16-2003, 03:15 PM
Member (Original Poster), Registered: Mar 2003, Distribution: Fedora, Mac OSX, Posts: 362
I don't know what version of the manual you have, but mine (iptables v1.2.5 IPTABLES(8)) doesn't contain that string at all. It wasn't that obvious to me...
#4, 05-16-2003, 05:30 PM
Member, Registered: Jan 2003, Location: Poland, Warsaw, Distribution: LFS, Gentoo, Posts: 591
iptables v1.2.7a
#5, 05-17-2003, 07:32 PM
Member (Original Poster), Registered: Mar 2003, Distribution: Fedora, Mac OSX, Posts: 362
Did you upgrade iptables, or are you running RedHat 9? If you upgraded, what method did you use? Upgrading the iptables packages on this particular machine (RedHat 7.3) to 1.2.7 requires upgrades to glibc, which has too many dependencies... I also haven't tried compiling it myself yet. Any help would be greatly appreciated.
#6, 05-18-2003, 03:21 AM
LQ Guru, Registered: Apr 2002, Location: Atlanta, Distribution: Gentoo, Posts: 1,280
The easiest way by far to upgrade RedHat is to use RHN's up2date: it solves all dependency problems, tells you what you need to update, lets you choose what you want to update, and downloads and installs the packages you choose to update. That's what I use; I guess I'm a little lazy when it comes to installing software on my own. RHN = RedHat Network, by the way. Oh, it is also best with a high-speed internet connection too if you plan on upgrading big packages.
#7, 05-18-2003, 05:41 AM
Member, Registered: Jan 2003, Location: Poland, Warsaw, Distribution: LFS, Gentoo, Posts: 591
Quote (originally posted by bentz): Did you upgrade iptables, [...] I also haven't tried compiling it myself yet. Any help would be greatly appreciated.
Currently I'm running my self-made Linux From Scratch (LFS). Everything is built up from sources. But compiling is not difficult. In most cases you need to use only 3 steps: "configure", "make" and "make install". The sources contain a README file which tells you how to change defaults like the library or final utility location, enable or disable some functionality of the resulting utility, etc.
#8, 05-18-2003, 05:59 AM
LQ Newbie, Registered: May 2003, Posts: 5
I got the same problem: I want to DNAT an IP on one box to an IP on another box.
iptables -t nat -A PREROUTING -p TCP -d 192.110.50.5 --dport 80 -j DNAT --to 192.116.34.6:80
What else should I add to make it work (which route lines should I insert, and where)?
Thanks...
#10, 05-18-2003, 07:04 AM
Member, Registered: Jan 2003, Location: Poland, Warsaw, Distribution: LFS, Gentoo, Posts: 591
Quote (originally posted by royality): i got the same problem
It is not the same problem.
Bentz was asking about load balancing rules.
You are asking about NATting. Your question is not clear, since you are trying to forward packets from a 192.... to a 192.... network. Without information about the netmask, the eth equipment of the router, the current gateway etc. there is no way to help you. But since it is another story, create a new thread.
#11, 05-18-2003, 07:22 AM
LQ Newbie, Registered: May 2003, Posts: 5
Yes, so I guess it's not the same problem.
OK, I will explain.
I have 2 boxes at 2 different ISPs. One of the boxes has the IP 212.68.149.95; this IP is blocked to most of the networks.
The other IP is on a second box, 192.114.144.120, which is open to the world.
I want to redirect the data from 212.68.149.95 using 192.114.144.120, which is open to the world
(using 192.114.144.120 on box 2 as the gateway for box 1 so it can access the blocked addresses through it).
What I did is:
iptables -t nat -A PREROUTING -d 212.68.149.95 -j DNAT --to-destination 192.114.144.120
I even tried to forward just TCP on port 80:
iptables -t nat -A PREROUTING -p tcp -d 212.68.149.95 --dport 80 -j DNAT --to-destination 192.114.144.120:80
but it's not working :(( Help me please, is it possible?
Where did I go wrong? Can someone help me to get it working?
#12, 05-18-2003, 12:24 PM
Member (Original Poster), Registered: Mar 2003, Distribution: Fedora, Mac OSX, Posts: 362
Anyway, back to my question!
I am very familiar with RHN, up2date, and compiling software.
up2date doesn't work because the last version of iptables available for RedHat 7.3 is 1.2.5; up2date doesn't let me upgrade beyond that.
RHN doesn't work in this case because I'm running 7.3, and my currently subscribed channels only pertain to RedHat 7.2. That's okay, I can manually view the RedHat 9 channels and download the rpm for iptables 1.2.7a. However, when I install, it has dependencies on a later version of glibc. This means that glibc, glibc-common, glibc-headers, binutils, rpm (the list goes on) need to be upgraded. I tried upgrading all these packages, but I majorly messed my libraries up: simply using 'ls' with the RedHat 9 version of glibc on RedHat 7.3 produced many library errors... I was glad that I was able to reverse all these changes before my system became unbootable.
I could upgrade to a later version of any distro that has iptables 1.2.7a already built in, but I've never been a believer that a problem in Linux is most efficiently solved by reinstalling (or even rebooting); there is always a better way.
Or, I could bite the bullet and compile it myself. I know that netfilter has tons of hooks into the kernel, and I'd like to touch base with someone who has done this before prior to jumping in with both feet and compromising my firewall...
If I was cool and used LFS, I probably wouldn't have any questions; my only choice would be to compile it myself.
Lastly, I've read the change log and noticed that iptables 1.2.6 has many man page updates, which could possibly have the info I was looking for in the first place (see second post). Just because my software is out of date doesn't mean I'm an idiot. I haven't noticed anything in the change logs from my version (1.2.5) to the version that dorian33 is running (1.2.7a) that indicates that round-robin has suddenly been introduced.
So perhaps for load balancing 1.2.5 and 1.2.7a are equivalent in functionality, but not in documentation.
#13, 05-18-2003, 05:24 PM
Member, Registered: Jan 2003, Location: Poland, Warsaw, Distribution: LFS, Gentoo, Posts: 591
Hi bentz,
I've read your post and I would like to clarify one matter.
Maybe I'm wrong (I've never studied netfilter) but AFAIK the version of iptables does not matter. It is only the front-end to netfilter. You can safely get the sources and compile any version against your libraries. So you remove the problem you ran into trying the binary (rpm) version.
If the kernel version you are currently using does not support a filter, you'll just get an error message. That's all.
But by compiling iptables you do not make any changes to the kernel.
#14, 05-18-2003, 06:22 PM
Member (Original Poster), Registered: Mar 2003, Distribution: Fedora, Mac OSX, Posts: 362
I guess that makes sense. I never considered what portion of it was kernel and what portion was simply a front end. The system is running a relatively new kernel (2.4.18-27.7), so I imagine it's up to date as far as the netfilter portion is concerned. Thanks for making this crystal clear to me.
It sounds like I should just remove the iptables rpm and recompile the latest iptables myself. That way I can have the latest manual and RTFM for my original question!
#15, 05-19-2003, 08:44 AM
Member (Original Poster), Registered: Mar 2003, Distribution: Fedora, Mac OSX, Posts: 362
Welps, I can't upgrade to iptables 1.2.8 (the latest) without glibc 2.3. RedHat only supports up to 2.2.5-43 under RH 7.3. So I guess I'm fuct, I guess I'd have to upgrade my entire OS so I can get those man page updates. It's not worth it.
Thanks for all your insight, dorian33.