I would like to dnat certain protocols (HTTP, HTTPS, SSH) to the contents of an ipset (lan:+serviceshost or similar) where the ipset is ensured to contain only one host, but can be changed dynamically when services are in maintenance mode and go to the "services are down" message on another server. Will this work, or am I barking up a fish here?

------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
http://p.sf.net/sfu/rim-devcon-copy2
On Sep 17, 2011, at 2:02 PM, Christ Schlacta wrote:

> I would like to dnat certain protocols (HTTP, HTTPS, SSH) to the
> contents of an ipset (lan:+serviceshost or similar) where the ipset is
> ensured to contain only one host, but can be changed dynamically when
> services are in maintenance mode and go to the "services are down"
> message on another server. Will this work, or am I barking up a fish here?

You cannot specify an IPSET in the DEST column or in the ORIGINALDEST column of a DNAT rule. That is an iptables limitation.

-Tom

Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
Can you recommend an alternate method to accomplish my desired outcome? I want to switch dynamically which host a (set of) dnat rules point to without having to restart shorewall.

On 9/17/2011 14:38, Tom Eastep wrote:
> On Sep 17, 2011, at 2:02 PM, Christ Schlacta wrote:
>
>> I would like to dnat certain protocols (HTTP, HTTPS, SSH) to the
>> contents of an ipset (lan:+serviceshost or similar) where the ipset is
>> ensured to contain only one host, but can be changed dynamically when
>> services are in maintenance mode and go to the "services are down"
>> message on another server. Will this work, or am I barking up a fish here?
>
> You cannot specify an IPSET in the DEST column or in the ORIGINALDEST column of a DNAT rule. That is an iptables limitation.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Sep 17, 2011, at 3:20 PM, Christ Schlacta wrote:

> Can you recommend an alternate method to accomplish my desired outcome?
> I want to switch dynamically which host a (set of) dnat rules point to
> without having to restart shorewall.

Use iptables directly to insert and delete DNAT rules.

-Tom
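One way to do what Tom suggests, as an added example that is not part of the thread and not Shorewall's own code: a small POSIX shell script that moves the HTTP/HTTPS/SSH DNAT forwards from the live services host to the "services are down" host with plain iptables. The addresses, the interface name and the `IPT`, `WAN_IF` and `DRY_RUN` variables are assumptions made for this example; with `DRY_RUN=1` (the default) it prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): switch the DNAT
# target of the HTTP/HTTPS/SSH forwards between two hosts using iptables
# directly. Interface, addresses and variable names are assumptions.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"      # assumed external interface
PORTS="80 443 22"             # HTTP, HTTPS, SSH, as in the question
DRY_RUN="${DRY_RUN:-1}"       # 1 = print commands, 0 = execute them (needs root)

# Print or execute one iptables invocation depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# One DNAT rule for a port/host pair: $1 is -I (insert) or -D (delete),
# $2 the destination port, $3 the host the traffic is forwarded to.
dnat_rule() {
    run -t nat "$1" PREROUTING -i "$WAN_IF" -p tcp --dport "$2" \
        -j DNAT --to-destination "$3"
}

# Move all forwards from $1 (old host) to $2 (new host). The new rules are
# inserted at the top of nat/PREROUTING first and the old ones deleted
# afterwards, so there is never a moment in which no DNAT rule matches.
switch_dnat() {
    old="$1"; new="$2"
    for p in $PORTS; do dnat_rule -I "$p" "$new"; done
    for p in $PORTS; do dnat_rule -D "$p" "$old"; done
}

# Usage (constructed addresses): enter maintenance mode, then leave it again.
# switch_dnat 192.168.1.10 192.168.1.20
# switch_dnat 192.168.1.20 192.168.1.10
```

Connections that were already translated by the old rule keep their existing conntrack mapping until they end, so only new connections reach the new host. A Shorewall restart rebuilds the nat table and discards rules inserted this way, so the switch has to be reapplied afterwards.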
On Sat, 2011-09-17 at 15:39 -0700, Tom Eastep wrote:
> On Sep 17, 2011, at 3:20 PM, Christ Schlacta wrote:
>
>> Can you recommend an alternate method to accomplish my desired outcome?
>> I want to switch dynamically which host a (set of) dnat rules point to
>> without having to restart shorewall.
>
> Use iptables directly to insert and delete DNAT rules.

This feature (coming in 4.4.24) will be useful to you.

http://www1.shorewall.net/configuration_file_basics.htm#Switches

-Tom

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2dcopy2