Jason Wever
2012-Oct-24 13:55 UTC
Question On One To Many Source NAT Where Many Is Public IPs
Hi All,

Apologies if this has already been answered but my Google-fu was not turning anything up.

I'm in the process of converting an existing iptables rule set from a shell script into Shorewall, and I haven't been able to really find a good solution to handling a source NAT condition where outgoing traffic from one internal IP is balanced over more than one external IP. To help illustrate (using example IPs), outgoing traffic from 10.0.0.1 would be balanced over external IPs 1.1.1.1, 1.1.1.2 and 1.1.1.3.

If it helps, the existing iptables rules that perform this function are:

iptables -t mangle -A FORWARD -s 10.0.0.1 -j CONNMARK \
    --restore-mark
iptables -t mangle -A FORWARD -p tcp -s 10.0.0.1 -m state \
    --state NEW -m statistic --mode nth --every 3 --packet 0 -j MARK \
    --set-mark 1
iptables -t mangle -A FORWARD -p tcp -s 10.0.0.1 -m state \
    --state NEW -m statistic --mode nth --every 3 --packet 1 -j MARK \
    --set-mark 2
iptables -t mangle -A FORWARD -p tcp -s 10.0.0.1 -m state \
    --state NEW -m statistic --mode nth --every 3 --packet 2 -j MARK \
    --set-mark 3
iptables -t mangle -I POSTROUTING -s 10.0.0.1 -j CONNMARK \
    --save-mark
iptables -t nat -I POSTROUTING -m connmark --mark 1 -p tcp -s 10.0.0.1 \
    -o eth5 -j SNAT --to-source 1.1.1.1
iptables -t nat -I POSTROUTING -m connmark --mark 2 -p tcp -s 10.0.0.1 \
    -o eth5 -j SNAT --to-source 1.1.1.2
iptables -t nat -I POSTROUTING -m connmark --mark 3 -p tcp -s 10.0.0.1 \
    -o eth5 -j SNAT --to-source 1.1.1.3

Is this possible with Shorewall?

Unfortunately, trying to do something like the below didn't work for us as iptables wasn't using each IP equally:

iptables -t nat -I POSTROUTING -s 10.0.0.1 -o eth5 -j SNAT \
    --to-source 1.1.1.1-1.1.1.3

Thanks,
--
Jason Wever
------------------------------------------------------------------------------
Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics. Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_sfd2d_oct
Tom Eastep
2012-Oct-24 14:12 UTC
Re: Question On One To Many Source NAT Where Many Is Public IPs
On 10/24/2012 06:55 AM, Jason Wever wrote:
> Hi All,
>
> Apologies if this has already been answered but my Google-fu was not
> turning anything up.
>
> I'm in the process of converting an existing iptables rule set from a
> shell script into Shorewall, and I haven't been able to really find a
> good solution to handling a source NAT condition where outgoing
> traffic from one internal IP is balanced over more than one external
> IPs. To help illustrate (using example IPs), outgoing traffic from
> 10.0.0.1 would be balanced over external IPs 1.1.1.1, 1.1.1.2 and
> 1.1.1.3.
>
> If it helps, the existing iptables rules that perform this function are:
>
> iptables -t mangle -A FORWARD -s 10.0.0.1 -j CONNMARK \
>     --restore-mark
> iptables -t mangle -A FORWARD -p tcp -s 10.0.0.1 -m state \
>     --state NEW -m statistic --mode nth --every 3 --packet 0 -j MARK \
>     --set-mark 1
> iptables -t mangle -A FORWARD -p tcp -s 10.0.0.1 -m state \
>     --state NEW -m statistic --mode nth --every 3 --packet 1 -j MARK \
>     --set-mark 2
> iptables -t mangle -A FORWARD -p tcp -s 10.0.0.1 -m state \
>     --state NEW -m statistic --mode nth --every 3 --packet 2 -j MARK \
>     --set-mark 3
> iptables -t mangle -I POSTROUTING -s 10.0.0.1 -j CONNMARK \
>     --save-mark
> iptables -t nat -I POSTROUTING -m connmark --mark 1 -p tcp -s 10.0.0.1 \
>     -o eth5 -j SNAT --to-source 1.1.1.1
> iptables -t nat -I POSTROUTING -m connmark --mark 2 -p tcp -s 10.0.0.1 \
>     -o eth5 -j SNAT --to-source 1.1.1.2
> iptables -t nat -I POSTROUTING -m connmark --mark 3 -p tcp -s 10.0.0.1 \
>     -o eth5 -j SNAT --to-source 1.1.1.3
>
> Is this possible with Shorewall?
>
> Unfortunately, trying to do something like the below didn't work for
> us as iptables wasn't using each IP equally:
> iptables -t nat -I POSTROUTING -s 10.0.0.1 -o eth5 -j SNAT \
>     --to-source 1.1.1.1-1.1.1.3

Why don't you just do this in /etc/shorewall/masq?

eth5 10.0.0.1 1.1.1.1-1.1.1.3

-Tom
--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
Tom Eastep
2012-Oct-24 14:17 UTC
Re: Question On One To Many Source NAT Where Many Is Public IPs
On 10/24/2012 06:55 AM, Jason Wever wrote:
>
> Is this possible with Shorewall?
>
> Unfortunately, trying to do something like the below didn't work for
> us as iptables wasn't using each IP equally:
> iptables -t nat -I POSTROUTING -s 10.0.0.1 -o eth5 -j SNAT \
>     --to-source 1.1.1.1-1.1.1.3

Sorry -- I missed this last part when I responded earlier. There is currently no way to use the statistic match for load-balancing over several SNAT sources; it can only be used in Shorewall to load-balance between uplinks.

So you will have to add those rules manually in your /etc/shorewall/start file.

-Tom
Jason Wever
2012-Oct-24 14:22 UTC
Re: Question On One To Many Source NAT Where Many Is Public IPs
On Wed, Oct 24, 2012 at 10:17 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Sorry -- I missed this last part when I responded earlier. There is
> currently no way to use the statistic match for load-balancing over
> several SNAT sources; it can only be used in Shorewall to load-balance
> between uplinks.
>
> So you will have to add those rules manually in your
> /etc/shorewall/start file.

OK, I'll take a look there and see what I can come up with. Thanks for the prompt response!

Cheers,
--
Jason Wever
Tom Eastep
2012-Oct-24 14:30 UTC
Re: Question On One To Many Source NAT Where Many Is Public IPs
On 10/24/2012 07:22 AM, Jason Wever wrote:
> On Wed, Oct 24, 2012 at 10:17 AM, Tom Eastep <teastep@shorewall.net> wrote:
>> Sorry -- I missed this last part when I responded earlier. There is
>> currently no way to use the statistic match for load-balancing over
>> several SNAT sources; it can only be used in Shorewall to load-balance
>> between uplinks.
>>
>> So you will have to add those rules manually in your
>> /etc/shorewall/start file.
>
> OK, I'll take a look there and see what I can come up with. Thanks for
> the prompt response!
>

Note that the masq file has a MARK column, so it is only the mangle table rules that you need to add manually.

I'll look at adding a statistic match capability to /etc/shorewall/tcrules in the next Shorewall release.

-Tom
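The rule set the thread arrives at, as an added example that is neither Shorewall's nor the posters' own code: a generator that emits the CONNMARK/statistic/SNAT rules for any number of external addresses rather than a fixed three (the mangle rules are the part Tom says must be added by hand, e.g. from /etc/shorewall/start; the nat rules are what a masq entry with the MARK column replaces), plus a small model of the statistic counters showing why the --packet 0/1/2 rules share NEW connections evenly. It only prints rules; it never calls iptables.

```shell
#!/bin/sh
# Usage: gen_balance_rules INTERNAL_IP OUT_IF EXT_IP [EXT_IP ...]
# Prints the thread's rule set generalised to N external addresses.
gen_balance_rules() {
    src="$1"; oif="$2"; shift 2
    n="$#"; i=0
    # Restore the saved connmark so later packets of a flow keep their mark.
    echo "iptables -t mangle -A FORWARD -s $src -j CONNMARK --restore-mark"
    for ip in "$@"; do
        # Only NEW TCP connections are marked, as in the thread's rules; UDP
        # and other protocols are not balanced and take whatever SNAT follows.
        echo "iptables -t mangle -A FORWARD -p tcp -s $src -m state --state NEW -m statistic --mode nth --every $n --packet $i -j MARK --set-mark $((i + 1))"
        i=$((i + 1))
    done
    # Persist the packet mark into conntrack so nat POSTROUTING can match it.
    echo "iptables -t mangle -I POSTROUTING -s $src -j CONNMARK --save-mark"
    i=0
    for ip in "$@"; do
        i=$((i + 1))
        # One SNAT source per connmark value; these rules are disjoint, so
        # the order -I gives them does not matter.
        echo "iptables -t nat -I POSTROUTING -m connmark --mark $i -p tcp -s $src -o $oif -j SNAT --to-source $ip"
    done
}

# Usage: simulate_nth N COUNT
# Model of the nth counters: each statistic rule keeps its own counter and
# MARK does not terminate the chain, so all N rules see every NEW packet,
# their counters stay in step (p mod N after p packets), and rule i fires
# on packets i, i+N, i+2N, ... Prints the mark of COUNT successive connections.
simulate_nth() {
    n="$1"; count="$2"; out=""; p=0
    while [ "$p" -lt "$count" ]; do
        i=0; mark=0
        while [ "$i" -lt "$n" ]; do
            # rule i matches when its counter equals its --packet index
            if [ $((p % n)) -eq "$i" ]; then mark=$((i + 1)); fi
            i=$((i + 1))
        done
        out="$out$mark "
        p=$((p + 1))
    done
    echo "${out% }"
}
```

If the marking rules were terminating (e.g. -j RETURN after the mark), the counters would drift apart and the --every/--packet values would have to be chosen differently; the model above assumes the non-terminating MARK target the thread uses.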
Tom Eastep
2012-Oct-24 21:56 UTC
Re: Question On One To Many Source NAT Where Many Is Public IPs
On 10/24/2012 07:30 AM, Tom Eastep wrote:
> On 10/24/2012 07:22 AM, Jason Wever wrote:
>> On Wed, Oct 24, 2012 at 10:17 AM, Tom Eastep <teastep@shorewall.net> wrote:
>>> Sorry -- I missed this last part when I responded earlier. There is
>>> currently no way to use the statistic match for load-balancing over
>>> several SNAT sources; it can only be used in Shorewall to load-balance
>>> between uplinks.
>>>
>>> So you will have to add those rules manually in your
>>> /etc/shorewall/start file.
>>
>> OK, I'll take a look there and see what I can come up with. Thanks for
>> the prompt response!
>>
>
> Note that the masq file has a MARK column, so it is only the mangle
> table rules that you need to add manually.
>
> I'll look at adding a statistic match capability to
> /etc/shorewall/tcrules in the next Shorewall release.
>

Here is a lightly-tested patch. For Jason's case, his entry in tcrules will be:

1-3:F 10.0.0.1 eth5 ; state=NEW

-Tom