LinuxQuestions.org forum: Linux - Networking
In kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.
Does that mean that in kernels >= 2.6.11-rc1 you cannot round robin source addresses any longer, or that it is more specific in how you specify the range?
As an example, does this mean neither:
Code:
iptables -t nat -p all -A POSTROUTING -s 0.0.0.0/0 -j SNAT --to-source 10.13.199.1-10.13.199.3
or
Code:
iptables -t nat -p all -A POSTROUTING -s 0.0.0.0/0 -j SNAT --to-source 10.13.199.1
iptables -t nat -p all -A POSTROUTING -s 0.0.0.0/0 -j SNAT --to-source 10.13.199.2
iptables -t nat -p all -A POSTROUTING -s 0.0.0.0/0 -j SNAT --to-source 10.13.199.3
work any longer, or does it simply mean that:
Code:
iptables -t nat -p all -A POSTROUTING -s 0.0.0.0/0 -j SNAT --to-source 10.13.199.1
iptables -t nat -p all -A POSTROUTING -s 0.0.0.0/0 -j SNAT --to-source 10.13.199.2
iptables -t nat -p all -A POSTROUTING -s 0.0.0.0/0 -j SNAT --to-source 10.13.199.3
I won't comment on the lack of round-robin NATs, but rules with a range can certainly be loaded; a major change is that only one --to-source can be specified.
(using kernel 2.6.17 and iptables 1.3.5)
I was intrigued by this thread and subscribed hoping to learn something. I understand that in the past you could supply a range of --to-source addresses or supply multiple --to-source options on a single command. But could you ever give multiple commands that were identical with the exception of the --to-source addresses and have it function in the same way as multiple --to-source options on one line, the way DukeLeto is suggesting in his second and third code boxes? I thought that would just result in multiple rules with all but the first one being irrelevant (because the jump to SNAT had already occurred), just as it would with any other rules containing a jump option that had identical conditions.
Could you please enlighten me?
Thanks.
Last edited by blackhole54; 09-09-2006 at 02:17 PM.
Packets would match all the identical rules, so they are only affected by the first one, as you say. SNAT is a terminating rule, so once it matches, the rule works, and it's out of the nat table and onto the wire.
To get the round-robin effect, it needs some packet marking that gets picked up in different SNAT rules.
Last edited by peter_robb; 09-12-2006 at 04:27 AM.
Can you elaborate on what I'll need to do to get the round robin effect? What sort of packet marking do I have to do? Can this be a rule on the SAME machine I want the round robin effect for, or do I need to set up this rule on a machine specifically used as a gateway, and have the other machine(s) connect through it to get the rr effect?
I've only ever seen this used a couple of times: to keep ISP traffic balanced across several IP numbers, and for testing.
May I ask what it's going to achieve?
There are several ways to do it: with iproute2, iptables, squid ACLs, etc.
Each has plus and minus points, so picking the most appropriate technique is based on the type of traffic.
This is going to be http traffic.
There are a few different reasons I need to do this.
The first (but least important), is I need to show 40% utilization of my available ip addresses or lose them. However, the second reason is much more important.
I'm not on the development team, so I don't really know what it is, but it's something to do with the fact that Ruby doesn't support bind() like C does, so they're having to do this at a kernel level to rotate the IP. I think it has to do with testing, as they'll be transferring HTTP traffic a lot, and want the web server to see a different IP for each and every request.
Something about a more real world performance metric? I just know it's my job to make it happen.
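The following is an added example, not code posted by anyone in this thread. It generates a ruleset in the shape peter_robb describes: packets are marked in the mangle table, and a different SNAT rule picks up each mark. The per-connection counter comes from the iptables statistic match (-m statistic --mode nth), which is this example's choice and which the thread never names; it needs a kernel and iptables that ship that match (it is not guaranteed on kernels as old as the 2.6.17 mentioned above, where a patch-o-matic "nth" match filled the same role). Because the nat table is consulted only for the first packet of a connection, the mark is set in mangle OUTPUT on NEW connections only, so rotation is per connection, which matches DukeLeto's "same machine, HTTP traffic" case (for a gateway, the MARK rules would go in mangle PREROUTING instead). The interface name, the mark values and the 10.13.199.x addresses are assumptions taken from the question; the function prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables rules that rotate the
# SNAT source address once per new outbound TCP/80 connection.
#
# Usage:  rr_snat_rules OUT_IF ADDR...          (prints rules)
#         rr_snat_rules eth0 10.13.199.1 10.13.199.2 10.13.199.3 | sudo sh
#
# Assumptions (not stated in the thread): the kernel has xt_statistic and
# conntrack, every ADDR is configured on OUT_IF (or replies to it are routed
# back to this host), and marks 1..N are not used by anything else.

rr_snat_rules() {
    oif=$1; shift
    n=$#
    [ "$n" -ge 1 ] || { echo "rr_snat_rules: need at least one source address" >&2; return 1; }

    # Step 1: mark. mangle OUTPUT runs after conntrack and before nat, so the
    # first packet of a NEW connection carries its mark into nat POSTROUTING.
    # MARK is non-terminating, so all N rules evaluate every such packet; the
    # N per-rule "nth" counters therefore advance in lockstep, and
    # --every N --packet k (k = 0..N-1) partition connections evenly.
    k=0
    for addr in "$@"; do
        printf 'iptables -t mangle -A OUTPUT -o %s -p tcp --dport 80 -m conntrack --ctstate NEW -m statistic --mode nth --every %d --packet %d -j MARK --set-mark %d\n' \
            "$oif" "$n" "$k" "$((k + 1))"
        k=$((k + 1))
    done

    # Step 2: one SNAT per mark. SNAT is terminating, but since each
    # connection carries exactly one mark, only one of these rules can match
    # it, which is what the single --to-source per rule limit requires.
    k=0
    for addr in "$@"; do
        printf 'iptables -t nat -A POSTROUTING -o %s -p tcp --dport 80 -m mark --mark %d -j SNAT --to-source %s\n' \
            "$oif" "$((k + 1))" "$addr"
        k=$((k + 1))
    done
}
```

Two caveats a practitioner will want: the rotation is per connection, not per packet, because SNAT is decided once by conntrack, so a client that reuses an HTTP keep-alive connection will present the same address for every request on it; and each --to-source address must actually be reachable on the outgoing interface, or the reply traffic for that share of connections never comes back.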