

How to configure Full Cone NAT with Iptables

Discussion in 'Linux Networking' started by lvl1s7a, Jan 10, 2012.

  1. lvl1s7a (Guest):

    Hi Experts;

    I want to find the right iptables commands combination to address the following need:

    - NEs are NATed through the Linux box (using iptables) towards the WAN cloud, where the NTP servers are situated.
    - In order to achieve redundancy, the NTP Servers are in a load balancing cluster with one virtual IP address (
    - The problem is that when the NEs request for NTP updates using the, the NTP response is received from one of the actual IP addresses (.200, .230 .240).


    iptables is not allowing this flow, which is normal since the requested vs. responding addresses are not the same ( vs :


    Request : UDP ---> (this is Before NAT, of course after NAT the source is
    Response: UDP ---> (Response to the WAN address)

    I'm wondering if there is any way to let iptables establish the UDP flow only based on the (s-port/d-port) regardless of the IP addresses, and execute the NAT back to the LAN based on that.

    UDP/NTP is just an example; almost all the needed services are set up in the same way (load balancing in a cluster).

    [Attachment 69]

    Appreciate your help !

    Thanks & Regards


  2. I might suggest using ipvsadm/keepalived (in masq mode) for the load balancing instead. They are especially tailored for HTTP load balancing, but are flexible enough to load balance almost any type of service. In this way, you'll get the responses back from the VIP and not the real backend IP, and you can have (more flexible) health checking for bringing backend servers in and out of the pool.
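Added example, not code from this thread and not the ipvsadm or keepalived project's own code: what the "masq mode" suggestion in the reply above looks like at the ipvsadm level for a UDP service such as NTP. The Linux box acts as the IPVS director; the NEs send to one VIP, IPVS DNATs each request to one of the real servers, and because the real server is added with `-m` (masquerading) the reply is rewritten on the way back so the NE sees it come from the VIP, not from the .200/.230/.240 address. Every address and interface name is an assumption (RFC 5737 documentation ranges), not the poster's network.

```shell
#!/bin/sh
# Added example (not from the original thread or the ipvsadm/keepalived projects):
# IPVS in masquerade (NAT) mode for one UDP virtual service.  All addresses are
# assumptions taken from the RFC 5737 documentation ranges.
set -eu

VIP="${VIP:-203.0.113.10}"      # assumed: the address the NEs send NTP to
VPORT="${VPORT:-123}"           # NTP
# assumed: the three real NTP servers (.200/.230/.240 as in the post)
RIPS="${RIPS:-198.51.100.200 198.51.100.230 198.51.100.240}"
RUN="${RUN:-}"                  # RUN=echo prints the commands instead of executing them

# Emit the ipvsadm commands for one UDP virtual service in masquerade mode.
#   -A -u VIP:PORT   add a UDP virtual service; -s rr = round-robin scheduler
#   -a -r RIP:PORT   add a real server to that service
#   -m               masquerading: DNAT towards the real server on the way in and
#                    the reverse rewrite on the way out, so the reply is sourced
#                    from the VIP instead of the real server's own address
ipvs_rules() {
    vip="$1"; port="$2"; rips="$3"
    echo "ipvsadm -A -u $vip:$port -s rr"
    for rip in $rips; do
        echo "ipvsadm -a -u $vip:$port -r $rip:$port -m"
    done
}

# Apply the rules on the director (needs root and the ip_vs kernel module).
apply() {
    $RUN sysctl -w net.ipv4.ip_forward=1        # the director must forward packets
    $RUN ipvsadm -C                             # start from an empty IPVS table
    ipvs_rules "$VIP" "$VPORT" "$RIPS" | while read -r cmd; do
        eval "$RUN $cmd"
    done
    $RUN ipvsadm -L -n                          # show the resulting table
}

# Only touch the system when explicitly asked, e.g.:  sh lvs-udp.sh apply
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

The caveat that matters for exactly the problem described in the question: masquerade mode only rewrites the reply if the real server's reply passes back through the director. The real servers (or the routers in front of them) must route traffic for the NE addresses via the director; if they have another path back, they answer straight from .200/.230/.240 and you are back where you started. `ipvsadm -L -n -c` shows the connection table, so a reply that never gets rewritten is easy to spot there. keepalived wraps the same thing in a `virtual_server` block with `lb_kind NAT` and adds the health checks mentioned in the reply; the iptables MASQUERADE rule the box already has on the WAN side is unaffected by any of this.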
