[Gllug] Load balancing source IPs

ccooke ccooke-gllug at gkhs.net
Wed May 21 08:56:49 UTC 2008


On Wed, May 21, 2008 at 12:10:41AM +0100, Robert McKay wrote:
> On Tue, May 20, 2008 at 3:44 PM, - Tethys <tethys at gmail.com> wrote:
> [snip]
> > to use as a source IP for each new connection. I currently do this
> > with a simple iptables SNAT rule:
> >
> > iptables -t nat -I POSTROUTING -d 10.0.8.1 -j SNAT --to 10.0.0.16-10.0.0.31
> [snip]
> > In summary, it works fine with:
> >
> > CentOS 4.4, kernel 2.6.9-42.0.10.ELsmp, iptables-1.2.11-3.1.RHEL4
> >
> > On the other hand, it doesn't work with:
> >
> > Fedora Core 5, kernel 2.6.18-1.2200.fc5, iptables-1.3.5-1.2
> > Ubuntu 7.10, kernel 2.6.22-14-server, iptables 1.3.6.0debian1-5ubuntu5
> 
> > Any ideas?
> 
> From the iptables 1.4 manpage:
> 
> In Kernels up to 2.6.10 you can add several --to-destination options.  For
> those kernels, if you specify more than one destination address, either via an
> address range or multiple --to-destination options, a simple round-robin (one
> after another in cycle) load balancing takes place between these addresses.
> Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
> anymore.
> 
> While the passage is somewhat ambiguous (not being able to NAT to
> multiple ranges doesn't seem to entirely rule out NATing to multiple
> addresses in one range), I think this may just be an error in the
> documentation. Btw, although the documentation is talking about DNAT,
> not SNAT, similar changes appear to have been made to both.
> 

The manual on this system has the same text for SNAT, too.

There *does* appear to be an alternative, though:

   SAME
       Similar to SNAT/DNAT  depending  on  chain:  it  takes  a  range  of
       addresses  (‘--to  1.2.3.4-1.2.3.7’)  and  gives  a  client the same
       source-/destination-address for each connection.

       --to <ipaddr>-<ipaddr>
              Addresses to map source to. May be specified more  than  once
              for multiple ranges.

       --nodst
              Don’t use the destination-ip in the calculations when
              selecting the new source-ip

       --random
              Port mapping will be forcibly  randomized  to  avoid  attacks
              based on port prediction (kernel >= 2.6.21).

It seems to be enabled by default on at least Ubuntu Hardy.

-- 
d=(1 0 6 0 1 0 5 5 41 5 3 12 4 5 15 1 4 -2 5 5 0 5 4 24 3 5 27 1 3 -2 1 3 6)
a=0;while :;do ((v=(c=a)+3));((x=d[d[a]]-d[d[a+1]]));d[d[a]]=$x;((a=d[d[a]]\
<0?${d[a+2]}:v));case $a in -1)read d[d[c]];a=$v;;-2)echo ${d[d[c+1]]};a=$v\
;;0)exit;;esac;done 2>&- # Charles Cooke, Sysadmin.  
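Added example, not part of the thread: a small Python model of the two behaviours under discussion, the old-kernel round-robin over an SNAT range versus the SAME target's per-client sticky choice, with --nodst deciding whether the destination enters the choice. The CRC-based hash for SAME is an illustrative stand-in, not the kernel's own selection function, and the addresses are the ones from the original rule.

```python
import ipaddress
import itertools
import zlib


def parse_range(spec):
    """Expand an iptables '--to a.b.c.d-e.f.g.h' range into a list of addresses."""
    lo, _, hi = spec.partition("-")
    start = int(ipaddress.IPv4Address(lo))
    end = int(ipaddress.IPv4Address(hi or lo))  # a single address is a range of one
    if end < start:
        raise ValueError("range end precedes range start: %s" % spec)
    return [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]


class RoundRobinSnat:
    """Pre-2.6.11 SNAT range behaviour: every new connection takes the next address."""

    def __init__(self, spec):
        self._cycle = itertools.cycle(parse_range(spec))

    def pick(self, src, dst):
        return next(self._cycle)


class SameSnat:
    """SAME target: a given client always gets the same source address.

    With nodst=True (--nodst) only the client address feeds the choice, so the
    client keeps one address across every destination.
    """

    def __init__(self, spec, nodst=False):
        self._pool = parse_range(spec)
        self._nodst = nodst

    def pick(self, src, dst):
        key = src if self._nodst else "%s>%s" % (src, dst)
        # Illustrative hash only; the kernel's real selection is not modelled here.
        return self._pool[zlib.crc32(key.encode()) % len(self._pool)]


def demo():
    """Four connections to 10.0.8.1: three from one client, one from another."""
    rr = RoundRobinSnat("10.0.0.16-10.0.0.31")
    same = SameSnat("10.0.0.16-10.0.0.31", nodst=True)
    conns = [("192.168.1.10", "10.0.8.1")] * 3 + [("192.168.1.11", "10.0.8.1")]
    return [rr.pick(s, d) for s, d in conns], [same.pick(s, d) for s, d in conns]
```

The point for anyone reaching for SAME as a replacement: it spreads clients, not connections, so one busy client stays pinned to a single source address.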
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug