How to configure Full Cone NAT with Iptables

L

lvl1s7a

Guest
Hi Experts;

I want to find the right iptables commands combination to address the following need:

- NEs are NATed thru the linux box (using iptables) towards the WAN cloud, where the NTP servers are situated.
- In order to achieve redundancy, the NTP Servers are in a load balancing cluster with one virtual IP address (172.30.4.245)
- The problem is that when the NEs request for NTP updates using the 172.30.4.245, the NTP response is received from one of the actual IP addresses (.200, .230 .240).

Example:

The iptables is not allowing this flow, which is normal since the requested vs responding address are not the same (172.30.4.245 vs 172.30.4.230) :

Request : UDP 10.68.2.11:23445 ---> 172.30.4.245:123 (this is Before NAT, of course after NAT the source is 10.23.14.72)
Response: UDP 172.30.4.230:123 ---> 10.23.14.72:23445 (Response to the WAN address)

I'm wondering if there is any way to let iptables establish the UDP flow only based on the (s-port/d-port) regardless of the IP addresses, and execute the NAT back to

the LAN based on that.

UDP/NTP is just an example, almost all the needed services are setup in the same way (load balancing in Cluster).

View attachment 69

Appreciate your help !

Thanks & Regards
lvl1s7a
 

Attachments



S

Stefano Messicano

Guest
I might suggest using ipvsadm/keepalived (in masq mode) for the load balancing instead. They are especially tailored for HTTP load balancing, but are flexible enough to load balance most any type of service. In this way, you'll get the responses back from the vip and not the real backend ip, and you can have (more flexible) health checking for bringing backend servers in and out of the pool.
 


Latest posts

Top