iptables loadbalancing DNAT
by jarekjarecki from LinuxQuestions.org on (#5G587)
Hello guys,
Nice to join this forum. I'm not new to Linux but I didn't do anything complicated with iptables until now.
What I want to accomplish is to use one server as a load balancer and forward packets to a "real server" without changing the source IP so the real server will be able to see the client's IP address.
At the moment I'm able to see packets on a real server and I'm even able to send responses back through the load balancer.
The issue is that I set route based on source IP (client's IP) and I want to somehow mark packets that are coming from load balancer then reroute reply packets through the load balancer.
Here is the configuration:
Server 1 (let's name it LB): eth1: 10.0.0.74
Server 2 (let's name it RS): eth1: 10.0.0.75
At the moment on LB:
/usr/sbin/iptables -t nat -A PREROUTING --wait -p tcp --dport 80 -s 55.75.61.241 -d 179.19.72.229 -j DNAT --to-destination 10.0.0.75:80
/usr/sbin/iptables -A FORWARD -d 10.0.0.75 -j ACCEPT
55.75.61.241 - external client IP
179.19.72.229 - server public (eth0) IP
With this configuration, I can see, using tcpdump on eth1, that packets arrive on RS.
Then for testing, I added on RS:
route add 55.75.61.241 gw 10.0.0.74
And with this configuration I can get a reply from the HTTP server on port 80 using LB IP 179.19.72.229:
curl -v http://179.19.72.229:80/
My idea is that on eth1 of RS the only packets with source IP other than in the range of private (10.0.0.x) are those packets that are redirected from LB so I could mark them and somehow reroute reply packets to LB eth1.
I tried:
ip route add table 100 default via 10.0.0.74 dev eth1
ip rule add fwmark 0x2 table 100
iptables -t mangle -A INPUT -i eth1 -s 55.75.61.241 -j MARK --set-mark 2
iptables -t mangle -A INPUT -j CONNMARK --save-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
But it doesn't work.
Do you have an idea why?


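The setup described in the post (DNAT on the LB with the client source address preserved, and the real server routing its replies back through the LB by connection mark) as a complete added example; this is not the poster's configuration and not an answer from the thread. It reuses the post's addresses (LB eth1 10.0.0.74, RS eth1 10.0.0.75, LB public eth0 179.19.72.229); the mark value, table number, the DRY_RUN switch and the rp_filter setting are this example's own assumptions. Two points differ from the rules in the post and are the ones a practitioner would want to check: the mark is set in mangle PREROUTING, so it exists before the first routing decision rather than only in INPUT, and eth1 on RS is put in loose reverse-path mode, because with strict rp_filter the kernel rejects packets whose source (the client's public address) the main table would route out a different interface.

```shell
#!/bin/sh
# Added example, not from the LinuxQuestions post: one-arm DNAT load balancer
# with source-IP preservation. The LB DNATs port 80 to RS without SNAT; RS marks
# connections that arrived through the LB and routes their replies back to it.
# Assumed values (from the post): LB eth1 10.0.0.74, RS eth1 10.0.0.75,
# LB public eth0 179.19.72.229. MARK, TABLE and DRY_RUN are this example's own.
set -eu

LB_PUBLIC=${LB_PUBLIC:-179.19.72.229}
LB_INTERNAL=${LB_INTERNAL:-10.0.0.74}
RS_INTERNAL=${RS_INTERNAL:-10.0.0.75}
INTERNAL_NET=${INTERNAL_NET:-10.0.0.0/24}
MARK=${MARK:-0x2}
TABLE=${TABLE:-100}
DRY_RUN=${DRY_RUN:-1}   # 1: print the commands only; 0: execute them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# LB side: forward client traffic to RS, rewriting only the destination so RS
# sees the real client address. Conntrack reverses the DNAT on the reply, so
# the reply leaves eth0 with source LB_PUBLIC.
lb_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i eth0 -p tcp -d "$LB_PUBLIC" --dport 80 \
        -j DNAT --to-destination "$RS_INTERNAL:80"
    run iptables -A FORWARD -i eth0 -o eth1 -p tcp -d "$RS_INTERNAL" --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i eth1 -o eth0 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# RS side: any packet on eth1 whose source is outside the internal net came
# through the LB. Mark it before routing, store the mark on the connection,
# and restore it on the locally generated reply so the fwmark rule sends the
# reply to the LB instead of the default gateway.
rs_setup() {
    # Strict rp_filter would drop the client packets on eth1, because the main
    # table routes the client's public address out another interface.
    run sysctl -w net.ipv4.conf.eth1.rp_filter=2
    run ip route add default via "$LB_INTERNAL" dev eth1 table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run iptables -t mangle -A PREROUTING -i eth1 ! -s "$INTERNAL_NET" \
        -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -m mark --mark "$MARK" \
        -j CONNMARK --save-mark
    # Replies are locally generated: restoring the mark in mangle OUTPUT makes
    # the kernel re-run the routing decision with the mark set.
    run iptables -t mangle -A OUTPUT -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark
}

# Usage: DRY_RUN=0 ./lb-dnat.sh lb   (on the load balancer)
#        DRY_RUN=0 ./lb-dnat.sh rs   (on the real server)
case "${1:-}" in
    lb) lb_setup ;;
    rs) rs_setup ;;
esac
```

With DRY_RUN left at its default the script only prints the rules it would apply, which is the form to review before touching a live box. When testing, run `tcpdump -ni eth1 host 55.75.61.241` on RS and confirm the SYN arrives with the client's source and that the SYN-ACK leaves eth1 toward 10.0.0.74; if the SYN is seen but no reply is sent, check `rp_filter` on eth1 first.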