* Round Robin or Random Source NATing
@ 2011-02-18 6:38 Kirk Hoganson
0 siblings, 0 replies; 5+ messages in thread
From: Kirk Hoganson @ 2011-02-18 6:38 UTC (permalink / raw)
To: netfilter
I am attempting to create a series of rules that source nat web traffic
amongst a pool of IP addresses. I have used the nth mode to cycle
through the IP address in a round robin fashion. I am using the
following rules:
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 0
-j SNAT --to-source 1.104.126.216
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 1
-j SNAT --to-source 1.104.126.217
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 2
-j SNAT --to-source 1.104.126.218
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 3
-j SNAT --to-source 1.104.126.219
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 4
-j SNAT --to-source 1.104.126.220
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 5
-j SNAT --to-source 1.104.126.221
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 6
-j SNAT --to-source 1.104.126.222
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 7
-j SNAT --to-source 1.104.126.223
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 8
-j SNAT --to-source 1.104.126.224
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 9
-j SNAT --to-source 1.104.126.225
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 10
-j SNAT --to-source 1.104.126.226
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 11
-j SNAT --to-source 1.104.126.227
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 12
-j SNAT --to-source 1.104.126.228
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 13
-j SNAT --to-source 1.104.126.229
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 14
-j SNAT --to-source 1.104.126.230
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 15
-j SNAT --to-source 1.104.126.231
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 16
-j SNAT --to-source 1.104.126.232
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 17
-j SNAT --to-source 1.104.126.233
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 18
-j SNAT --to-source 1.104.126.234
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 19
-j SNAT --to-source 1.104.126.235
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 20
-j SNAT --to-source 1.104.126.236
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 21
-j SNAT --to-source 1.104.126.237
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 22
-j SNAT --to-source 1.104.126.238
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 23
-j SNAT --to-source 1.104.126.239
At first glance the rules appear to work. However when I look at the
traffic on the receiving host, I see a number of connections from the
primary eth0 address of the source system. I see approximately 10x as
many connections from the primary IP address (which isn't in the round
robin rotation) as I do from any of the addresses in the round robin
pool. The addresses in the pool all have approximately the same number
of connections to the remote host.
How can I create a round robin, or random source nat pool for web
connections, without using the primary IP address of the source system
to connect to the remote host?
Thanks.
* Re: Round Robin or Random Source NATing
2011-02-23 18:43 ` Kirk Hoganson
@ 2011-02-24 23:03 ` Jan Engelhardt
0 siblings, 0 replies; 5+ messages in thread
From: Jan Engelhardt @ 2011-02-24 23:03 UTC (permalink / raw)
To: Kirk Hoganson; +Cc: John Lister, netfilter
On Wednesday 2011-02-23 19:43, Kirk Hoganson wrote:
> Excellent advice. I was thinking the module used a global counter.
That would only work if counters had names by which they could
be referenced.
* Re: Round Robin or Random Source NATing
2011-02-22 23:50 ` John Lister
@ 2011-02-23 18:43 ` Kirk Hoganson
2011-02-24 23:03 ` Jan Engelhardt
0 siblings, 1 reply; 5+ messages in thread
From: Kirk Hoganson @ 2011-02-23 18:43 UTC (permalink / raw)
To: John Lister; +Cc: netfilter
Excellent advice. I was thinking the module used a global counter. I
made the changes you suggested, and I'm seeing more consistent results.
Thanks again, I doubt I would have figured that out on my own.
* Re: Round Robin or Random Source NATing
2011-02-22 21:28 Kirk Hoganson
@ 2011-02-22 23:50 ` John Lister
2011-02-23 18:43 ` Kirk Hoganson
0 siblings, 1 reply; 5+ messages in thread
From: John Lister @ 2011-02-22 23:50 UTC (permalink / raw)
To: Kirk Hoganson; +Cc: netfilter
On 22/02/2011 21:28, Kirk Hoganson wrote:
> I am attempting to create a series of rules that source nat web
> traffic amongst a pool of IP addresses. I have used the nth mode to
> cycle through the IP address in a round robin fashion. I am using the
> following rules:
>
> $IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
> multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 0
> -j SNAT --to-source 1.104.126.216
Beware that the statistic module counts apply PER rule and not to some
global counter as they used to in earlier versions - this caught me out
before. So with your case, the first rule is matched every 24 packets,
but the second one is matched every 24 packets NOT matched by the
earlier rule, and so on. So any default in your case is much more likely
to happen than you expect.
Try doing something like:
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 0
-j SNAT --to-source 1.104.126.x
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 23 --packet 0
-j SNAT --to-source 1.104.126.x
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 22 --packet 0
-j SNAT --to-source 1.104.126.x
The same applies with random, you need to reduce the probability based
on the chance of it being hit, e.g.:
.25, .33, .50, 1
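The per-rule counter behaviour John describes can be checked offline. The following Python script is an added example, not code from the thread or from the netfilter project: it simulates a POSTROUTING chain in which every `statistic --mode nth` rule keeps its own counter of the packets that reach it (the assumed semantics: a rule matches when that counter, taken modulo `--every`, equals `--packet`), runs Kirk's original ruleset and John's cascading one over the 24-address pool from the thread, and also computes the expected shares for `--mode random` with the `.25, .33, .50, 1` probabilities. The `cascade_commands` helper renders the corrected rules as iptables lines; `$IPTABLES` and `$EXT` are the thread's own shell variables.

```python
# Added example (not from the thread): simulate the per-rule counters of the
# iptables "statistic" match so the skew Kirk saw, and John's fix, can be
# reproduced offline. Assumption: each rule keeps its own counter of the
# packets that reach it and, in nth mode, matches when that counter, taken
# modulo --every, equals --packet (one packet in every n it sees).

PRIMARY = "primary (no SNAT rule matched)"

# Pool taken from the thread: 24 addresses 1.104.126.216 - 1.104.126.239
POOL = [f"1.104.126.{host}" for host in range(216, 240)]


def original_ruleset(pool):
    """Kirk's rules: every rule uses --every N with --packet 0..N-1."""
    n = len(pool)
    return [(n, k, ip) for k, ip in enumerate(pool)]


def cascade_ruleset(pool):
    """John's fix: --every N, N-1, ..., 1 with --packet 0 on every rule."""
    n = len(pool)
    return [(n - k, 0, ip) for k, ip in enumerate(pool)]


def simulate(rules, connections):
    """Walk `connections` NEW flows through the chain; first match wins.

    Returns {target: hits}; flows no rule claims are counted under PRIMARY
    because they leave with the interface's primary address untouched.
    """
    counters = [0] * len(rules)
    hits = {target: 0 for _, _, target in rules}
    hits[PRIMARY] = 0
    for _ in range(connections):
        for i, (every, packet, target) in enumerate(rules):
            seen = counters[i]      # packets that reached this rule so far
            counters[i] += 1
            if seen % every == packet:
                hits[target] += 1
                break
        else:
            hits[PRIMARY] += 1
    return hits


def random_mode_shares(probs):
    """Expected share per rule for --mode random with the given probabilities.

    Rule k only sees traffic the earlier rules let through, so its share is
    probs[k] * prod(1 - probs[j] for j < k). Returns (shares, leftover),
    where leftover is the fraction that falls through to the primary address.
    """
    shares, remaining = [], 1.0
    for p in probs:
        shares.append(remaining * p)
        remaining *= 1.0 - p
    return shares, remaining


def cascade_probabilities(n):
    """Probabilities that give n rules equal shares: 1/n, 1/(n-1), ..., 1."""
    return [1.0 / (n - k) for k in range(n)]


def cascade_commands(pool, ext="$EXT"):
    """Render John's corrected nth ruleset as iptables command lines."""
    n = len(pool)
    return [
        f"$IPTABLES -t nat -A POSTROUTING -o {ext} -m state --state NEW -p tcp "
        f"-m multiport --dport 80,443 -m statistic --mode nth --every {n - k} "
        f"--packet 0 -j SNAT --to-source {ip}"
        for k, ip in enumerate(pool)
    ]


if __name__ == "__main__":
    for label, rules in (("original", original_ruleset(POOL)),
                         ("cascade", cascade_ruleset(POOL))):
        hits = simulate(rules, 24_000)
        pool_hits = [hits[ip] for ip in POOL]
        print(f"{label:8s} primary={hits[PRIMARY]:5d} "
              f"pool min/max={min(pool_hits)}/{max(pool_hits)}")
    print(random_mode_shares(cascade_probabilities(4)))
    print("\n".join(cascade_commands(POOL[:3])))
```

With the original ruleset each rule only claims one in 24 of the flows that reach it, so roughly (23/24)^24, about 36%, of all new connections fall through to the primary address, which is about ten times what any single pool address receives; with the cascade every address gets exactly one flow in 24 and nothing falls through. The same arithmetic applies to `--mode random`: `random_mode_shares([0.25] * 4)` leaves (3/4)^4 of the traffic unmatched, while the 1/n, 1/(n-1), ..., 1 series leaves none.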
* Round Robin or Random Source NATing
@ 2011-02-22 21:28 Kirk Hoganson
2011-02-22 23:50 ` John Lister
0 siblings, 1 reply; 5+ messages in thread
From: Kirk Hoganson @ 2011-02-22 21:28 UTC (permalink / raw)
To: netfilter
I am attempting to create a series of rules that source nat web traffic
amongst a pool of IP addresses. I have used the nth mode to cycle
through the IP address in a round robin fashion. I am using the
following rules:
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 0
-j SNAT --to-source 1.104.126.216
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 1
-j SNAT --to-source 1.104.126.217
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 2
-j SNAT --to-source 1.104.126.218
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 3
-j SNAT --to-source 1.104.126.219
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 4
-j SNAT --to-source 1.104.126.220
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 5
-j SNAT --to-source 1.104.126.221
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 6
-j SNAT --to-source 1.104.126.222
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 7
-j SNAT --to-source 1.104.126.223
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 8
-j SNAT --to-source 1.104.126.224
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 9
-j SNAT --to-source 1.104.126.225
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 10
-j SNAT --to-source 1.104.126.226
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 11
-j SNAT --to-source 1.104.126.227
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 12
-j SNAT --to-source 1.104.126.228
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 13
-j SNAT --to-source 1.104.126.229
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 14
-j SNAT --to-source 1.104.126.230
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 15
-j SNAT --to-source 1.104.126.231
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 16
-j SNAT --to-source 1.104.126.232
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 17
-j SNAT --to-source 1.104.126.233
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 18
-j SNAT --to-source 1.104.126.234
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 19
-j SNAT --to-source 1.104.126.235
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 20
-j SNAT --to-source 1.104.126.236
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 21
-j SNAT --to-source 1.104.126.237
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 22
-j SNAT --to-source 1.104.126.238
$IPTABLES -t nat -A POSTROUTING -o $EXT -m state --state NEW -p tcp -m
multiport --dport 80,443 -m statistic --mode nth --every 24 --packet 23
-j SNAT --to-source 1.104.126.239
At first glance the rules appear to work. However when I look at the
traffic on the receiving host, I see a number of connections from the
primary eth0 address of the source system. I see approximately 10x as
many connections from the primary IP address (which isn't in the round
robin rotation) as I do from any of the addresses in the round robin
pool. The addresses in the pool all have approximately the same number
of connections to the remote host.
How can I create a round robin, or random source nat pool for web
connections, without using the primary IP address of the source system
to connect to the remote host?
Thanks.
Thread overview: 5+ messages
2011-02-18 6:38 Round Robin or Random Source NATing Kirk Hoganson
2011-02-22 21:28 Kirk Hoganson
2011-02-22 23:50 ` John Lister
2011-02-23 18:43 ` Kirk Hoganson
2011-02-24 23:03 ` Jan Engelhardt