Load Balancing under Linux (suggestion)

Duston, Hal hdusto01 at sprintspectrum.com
Fri Apr 26 19:48:42 CDT 2002


Gerald Combs [mailto:gerald at ethereal.com] wrote:
>
> On Fri, 26 Apr 2002, david nicol wrote:
>
> > So we know from experience that the connections already
> > tracked by ip_conntrack will not survive a change in rules?
> > That's really the question I'm asking.  I had the impression
> > that the nat table was responsible for setting up the
> > connection tracking stuff and then the connection tracking
> > stuff operates on non-SYN packets without consulting the rules.
>
> Thanks - I didn't know such a thing as "ip_conntrack" existed
> in the ipchains code.  In order for this to work, ip_conntrack
> would have to track the inside address/port, border address/port
> or interface, and destination address/port in its translation
> table.  I glanced through the ip_conntrack code on lxr.linux.no
> and didn't find any signs of it doing that - it only appears to
> track source and destination information.  I may not have looked
> hard enough, however.
>
> Could someone who has a system running iptables with NAT cat
> /proc/net/ip_conntrack and tell me what information is displayed?

hald at ameen:/proc/net$ cat ip_conntrack
tcp      6 431968 ESTABLISHED          src=yy.yy.yy.yy dst=xx.xx.xx.xx sport=48886 dport=22         
 src=192.168.1.7 dst=yy.yy.yy.yy sport=22 dport=48886          [ASSURED] use=1
udp      17 166          src=192.168.1.1 dst=192.168.1.1 sport=2082 dport=53          
src=192.168.1.1 dst=192.168.1.1 sport=53 dport=2082          [ASSURED] use=1
tcp      6 431999 ESTABLISHED          src=192.168.1.7 dst=192.168.1.1 sport=50972 dport=824        
  src=192.168.1.1 dst=192.168.1.7 sport=824 dport=50972          [ASSURED] use=1
udp      17 154          src=192.168.1.7 dst=192.168.1.1 sport=33207 dport=53          
src=192.168.1.1 dst=192.168.1.7 sport=53 dport=33207          [ASSURED] use=1
tcp      6 431980 ESTABLISHED          src=192.168.1.7 dst=zz.zz.zz.zz sport=50864 dport=6667       
   src=zz.zz.zz.zz dst=xx.xx.xx.xx sport=6667 dport=50864          [ASSURED] use=1
tcp      6 431993 ESTABLISHED          src=192.168.1.7 dst=aa.aa.aa.aa sport=50865 dport=6667       
   src=aa.aa.aa.aa dst=xx.xx.xx.xx sport=6667 dport=50865          [ASSURED] use=1
tcp      6 431999 ESTABLISHED          src=yy.yy.yy.yy dst=xx.xx.xx.xx sport=39390 dport=22         
 src=192.168.1.7 dst=yy.yy.yy.yy sport=22 dport=39390          [ASSURED] use=1

Notes:
lines broken by me.
xx.xx.xx.xx == ISP assigned IP address.
yy.yy.yy.yy == Firewall of public company.
zz.zz.zz.zz == OPN Irc server
aa.aa.aa.aa == Other IRC server

Hal Duston
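The output above answers Gerald's question about what ip_conntrack stores: every entry carries two 4-tuples, the connection as first seen (original direction) and the packet the kernel expects back (reply direction). Where NAT rewrote the connection the reply tuple is not simply the original reversed, so the translation can be read off each line. The following parser is an added example (not code from the post or from the netfilter project) that extracts both tuples from /proc/net/ip_conntrack-style lines and classifies each entry as DNAT (port forward to an inside host), SNAT (masqueraded outbound), or untranslated. The sample table is constructed for the example: RFC 5737 documentation addresses stand in for the xx/yy/zz placeholders, each entry is kept on one line as the kernel prints it, and the SYN_SENT/[UNREPLIED] line is an assumed entry added to show the unreplied flag that sits between the two tuples.

```python
"""Parse /proc/net/ip_conntrack entries and report what NAT did to each.

Line layout (ip_conntrack, Linux 2.4): proto proto_num timeout [tcp_state]
original src/dst/sport/dport [UNREPLIED] reply src/dst/sport/dport [ASSURED] use=N
"""
from dataclasses import dataclass
from typing import Optional, List

# Constructed sample in the format shown in the post. Public addresses are
# RFC 5737 documentation ranges: 203.0.113.5 plays the ISP-assigned border
# address, 198.51.100.9 the remote firewall, 203.0.113.77 an IRC server.
SAMPLE = """\
tcp      6 431968 ESTABLISHED src=198.51.100.9 dst=203.0.113.5 sport=48886 dport=22 src=192.168.1.7 dst=198.51.100.9 sport=22 dport=48886 [ASSURED] use=1
udp      17 166 src=192.168.1.1 dst=192.168.1.1 sport=2082 dport=53 src=192.168.1.1 dst=192.168.1.1 sport=53 dport=2082 [ASSURED] use=1
tcp      6 431980 ESTABLISHED src=192.168.1.7 dst=203.0.113.77 sport=50864 dport=6667 src=203.0.113.77 dst=203.0.113.5 sport=6667 dport=50864 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.7 dst=203.0.113.77 sport=50900 dport=6667 [UNREPLIED] src=203.0.113.77 dst=203.0.113.5 sport=6667 dport=50900 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class ConntrackEntry:
    proto: str
    timeout: int            # seconds until the entry expires if no traffic
    state: Optional[str]    # TCP state word; UDP entries carry none
    original: Tuple4        # direction in which the connection was first seen
    reply: Tuple4           # what the kernel expects the answer to look like
    flags: frozenset        # bracketed markers such as ASSURED / UNREPLIED

    def nat_kind(self) -> str:
        """Without NAT the reply tuple is the original tuple reversed.
        A rewritten reply source means the destination was translated (DNAT);
        a rewritten reply destination means the source was translated (SNAT)."""
        dnat = (self.reply.src, self.reply.sport) != (self.original.dst, self.original.dport)
        snat = (self.reply.dst, self.reply.dport) != (self.original.src, self.original.sport)
        if dnat and snat:
            return "DNAT+SNAT"
        if dnat:
            return "DNAT"
        if snat:
            return "SNAT"
        return "none"


def parse_entry(line: str) -> ConntrackEntry:
    """Parse one ip_conntrack line. Raises ValueError on a malformed entry."""
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError("too short: %r" % line)
    proto, timeout = tokens[0], int(tokens[2])   # tokens[1] is the protocol number
    state = None
    flags = set()
    tuples: List[Tuple4] = []
    current = {}
    for tok in tokens[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            flags.add(tok[1:-1])
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key in TUPLE_KEYS:
                current[key] = value
                if len(current) == 4:            # a full 4-tuple collected
                    tuples.append(Tuple4(current["src"], current["dst"],
                                         int(current["sport"]), int(current["dport"])))
                    current = {}
            # other key=value tokens (use=N, mark, ...) are ignored
        else:
            state = tok                          # bare word: the TCP state
    if len(tuples) != 2:
        raise ValueError("expected original and reply tuples in %r" % line)
    return ConntrackEntry(proto, timeout, state, tuples[0], tuples[1], frozenset(flags))


def parse_table(text: str) -> List[ConntrackEntry]:
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]


def nat_summary(text: str) -> List[str]:
    """One line per entry: protocol, original flow, and the NAT classification."""
    out = []
    for e in parse_table(text):
        o = e.original
        out.append("%s %s:%d -> %s:%d %s" % (e.proto, o.src, o.sport, o.dst, o.dport, e.nat_kind()))
    return out


if __name__ == "__main__":
    for row in nat_summary(SAMPLE):
        print(row)
```

Run it against the real file with `nat_summary(open("/proc/net/ip_conntrack").read())` on a 2.4 box; on later kernels the same two-tuple structure is exposed through conntrack-tools rather than this file. The classification is a defender's audit view: a DNAT entry whose reply source is an inside host is a port forward that is actually in use, and an [UNREPLIED] entry is a connection the kernel has translated but has not yet seen answered.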




More information about the Kclug mailing list