LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 05-16-2003, 02:39 PM   #1
bentz
Member
 
Registered: Mar 2003
Distribution: Fedora, Mac OSX
Posts: 362

Rep: Reputation: 30
iptables DNAT


Hello everyone,
I've got an iptables DNAT configuration on a Linux router that I am using for load balancing two web servers behind it. The rule works perfectly. For reference, this is the rule (note: not my real IP):

iptables -t nat -A PREROUTING -p TCP -d 207.46.249.222 --dport 80 -j DNAT --to 192.168.0.1-192.168.0.2

My question is if anyone knows about the mechanism of choosing which of the two hosts the request from a web client to 207.46.249.222 goes to. Does anyone have any experience with load balancing using this method? I've read some ancient documentation that says that it's completely random, but I was wondering if anyone has experience with this.

Thanks for any input and/or comments.
 
Old 05-16-2003, 03:00 PM   #2
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
man iptables!
"If you specify more than one destination address [...] a simple round-robin (one after another in cycle) load balancing takes place between these adresses."
 
Old 05-16-2003, 03:15 PM   #3
bentz
Member
 
Registered: Mar 2003
Distribution: Fedora, Mac OSX
Posts: 362

Original Poster
Rep: Reputation: 30
I don't know what version of the manual you have, but mine (iptables v1.2.5 IPTABLES(8)) doesn't contain that string at all. It wasn't that obvious to me...
 
Old 05-16-2003, 05:30 PM   #4
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
iptables v1.2.7a
 
Old 05-17-2003, 07:32 PM   #5
bentz
Member
 
Registered: Mar 2003
Distribution: Fedora, Mac OSX
Posts: 362

Original Poster
Rep: Reputation: 30
Did you upgrade iptables, or are you running RedHat 9? If you upgraded, what method did you use? Upgrading the iptables packages on this particular machine (RedHat 7.3) to 1.2.7 requires upgrades to glibc, which has too many dependancies... I also haven't tried compiling it myself yet. Any help would be greatly appreciated.
 
Old 05-18-2003, 03:21 AM   #6
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
the easiest way by far to upgrade RedHat is to use RHN's up2date, it solves all dependancy problems, tells you what you need to update, let's you choose what you want to update, downloads and installs the packages you choose to update. That's what I use, I guess im a little lazy when it comes to installing software on my own. RHN = redhat network by the way. Oh, it is also best with a highspeed internet connection too if you plan on upgrading big packages.
 
Old 05-18-2003, 05:41 AM   #7
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
Quote:
Originally posted by bentz
Did you upgrade iptables, [...] I also haven't tried compiling it myself yet. Any help would be greatly appreciated.
Currently I'm running my self-made Linux From Scratch (LFS). Everything is built up from sources. But compiling is not difficult. In most cases you need use only 3 steps "configure" , "make" and "make install". The sources contains the README file which allows you to change defaults like library or final utility location, enable or disable some functionality of the resulting utility etc.
 
Old 05-18-2003, 05:59 AM   #8
royality
LQ Newbie
 
Registered: May 2003
Posts: 5

Rep: Reputation: 0
i got the same problem i want to DNAT an ip from one box to ip on another box
iptables -t nat -A PREROUTING -p TCP -d 192.110.50.5 --dport 80 -j DNAT --to 192.116.34.6:80
what else i should add to make it work (which route lines i should insert and where )
Thanks...
 
Old 05-18-2003, 05:59 AM   #9
royality
LQ Newbie
 
Registered: May 2003
Posts: 5

Rep: Reputation: 0
i got the same problem i want to DNAT an ip from one box to ip on another box
iptables -t nat -A PREROUTING -p TCP -d 192.110.50.5 --dport 80 -j DNAT --to 192.116.34.6:80
what else i should add to make it work (which route lines i should insert and where )
Thanks...
 
Old 05-18-2003, 07:04 AM   #10
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
Quote:
Originally posted by royality
i got the same problem
It is not the same problem
Bentz were asking about load balancing rules.
You are asking about NATting. Your question is not clear since you are trying to forward packets from 192.... to 192.... network. Without information about netmask, eth equipment of the router, current gateway etc no way to help you. But since it is another story create new thread.
 
Old 05-18-2003, 07:22 AM   #11
royality
LQ Newbie
 
Registered: May 2003
Posts: 5

Rep: Reputation: 0
Yes so i guess its not the same problem .
ok i will explain .
I have 2 boxes
in 2 different isps one of the boxes ip is
212.68.149.95 this ip is blocked to most of the networks .
another ip is on a second box 192.114.144.120 which is open to the world .
i want to redirect the data from 212.68.149.95 using 192.114.144.120 which is open to the world .
(using the 192.114.144.120 on box 2 as the gateway for box1 so it can access the blocked addresses through it"
what i did is : " iptables -t nat -A PREROUTING -d 212.68.149.95 -j DNAT --to-destination 192.114.144.120 "
i even tried to forward just the tcp on port 80
iptables -t nat -A PREROUTING -p tcp -d 212.68.149.95 --dport 80 -j DNAT --to-destination 192.114.144.120:80 "
but its not working (( help me please , is it possible ?
where did i go wrong ? can someone help me to get it working
 
Old 05-18-2003, 12:24 PM   #12
bentz
Member
 
Registered: Mar 2003
Distribution: Fedora, Mac OSX
Posts: 362

Original Poster
Rep: Reputation: 30
Anyway, back to my question!

I am very familiar with RHN, up2date, and compiling software.

Up2date doesn't work because the last version of iptables available for RedHat 7.3 is 1.2.5. up2date doesn't let me upgrade beyond that.

RHN doesn't work in this case because I'm running 7.3, and my currently subscribed channels only pertain to RedHat 7.2. That's okay, I can manually view the RedHat 9 channels and download the rpm for iptables 1.2.7a. However, when I install, it has dependancies on a later version of glibc. This means that glibc, glibc-common, glibc-headers, binutils, rpm (the list goes on) need to be upgraded. I tried upgrading all these packages, but I majorly messed my libraries up: using simply 'ls' with the RedHat 9 version of glibc on redhat 7.3 produced many library errors... I was glad that I was able to reverse all these changes before my system became unbootable.

I could upgrade to a later version of any distro that has iptables 1.2.7a already builtin, but I've never been a believer that fixing a problem in Linux is most effiecintly solved by reinstalling (or even rebooting); there is always a better way.

Or, I could bite the bullet and compile myself. I know that netfilter has tons of hooks into the kernel, and I'd like to touch base with someone who has done this before prior to jumping in with both feet and comprimising my firewall...

Is I was cool and used LFS, I probably wouldn't have any questions; My only choice would be to compile myself.

Lastly, I've read the change log and noticed that iptables 1.2.6 has many man page updates, which could possibly have the info I was looking for in the first place (see second post). Just because my software is out of date, doesn't mean I'm an idiot. I havn't noticed anything in the change logs that indicate that round-robin has been suddenly introduced in the change logs from my version (1.2.5) to the version that dorian33 is running (1.2.7a).

So perhaps for load balancing 1.2.5 and 1.2.7a are equivalent in functionality, but not documentation.
 
Old 05-18-2003, 05:24 PM   #13
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
Hi bentz,
I've read your post and I would like to clarify one matter.
Maybe I'm wrong (I've never study netfilter) but AFAIK the version of iptables does not matter. It is only the front-end to the netfilter. You can safely get sources and compile any version against your libraries. So you remove the problem you reach trying binary (rpm) version.
If the kernel version you are using currently is not supporting a filter - you'll just get the error message. Thats all.
But compiling iptables you do not make any changes in the kernel.
 
Old 05-18-2003, 06:22 PM   #14
bentz
Member
 
Registered: Mar 2003
Distribution: Fedora, Mac OSX
Posts: 362

Original Poster
Rep: Reputation: 30
I guess that makes sense. I never considered what portion of it was kernel, and what portion was simply a front end. The system is running a relatively new kernel (2.4.18-27.7) so I imagine it's up to date as far as the netfilter portion is concerned. Thanks for making this crystal clear to me.

It sounds like I should just remove the iptables rpm and recompile the latest iptables myself. That way I can have the latest manual and RTFM for my origional question!
 
Old 05-19-2003, 08:44 AM   #15
bentz
Member
 
Registered: Mar 2003
Distribution: Fedora, Mac OSX
Posts: 362

Original Poster
Rep: Reputation: 30
Welps, I can't upgrade to iptables 1.2.8 (the latest) without glibc 2.3. RedHat only supports up to 2.2.5-43 under RH 7.3. So I guess I'm fuct, I guess I'd have to upgrade my entire OS so I can get those man page updates. It's not worth it.

Thanks for all your insight, dorian33.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables DNAT problem eantoranz Linux - Networking 2 09-12-2006 02:00 PM
why does iptables DNAT fail? eantoranz Linux - Security 12 08-25-2006 02:11 PM
iptables DNAT pshepperd Linux - Security 1 05-22-2004 04:56 PM
Iptables DNAT weirdness matta Linux - Networking 3 04-07-2004 04:11 AM
DNAT question (Iptables) wilsonmau Linux - Networking 1 06-06-2003 07:50 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:55 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration