
Re: IP affinity with netfilter and NAT



Hello,

Pablo wrote:

            Is there any secret to configuring IP affinity with netfilter
when I do SNAT with a pool of public IPs, so that not every new connection from
the same host gets a different source IP?

You can use the SAME target for this purpose. Description here:

http://www.netfilter.org/projects/patch-o-matic/pom-submitted.html#pom-submitted-SAME

It was included in the patch-o-matic-ng until patch-o-matic-ng-20050918 but removed in later releases, maybe because of the lack of a maintainer.

Note: since kernel 2.6.11, iptables is supposed to NAT to the same address in the pool for a given {source, destination} pair. From ChangeLog-2.6.11:

" [PATCH] Remove Randomness in Selecting NAT IP Address

  We currently choose a "random" IP address to NAT to, where we have a
  range.  Martin Josefsson pointed out that he uses the SAME target in
  iptables because changing IP addresses breaks Internet banking sites
  (among others) which assume the customer will be coming from a
  consistent IP address.

  In fact, we spend a fair bit of effort trying to balance the number of
  connections we NAT to each IP address.  We can come pretty damn close
  just hashing the source and destination IP addresses, and it has the
  consistency property which is so desirable, as well as being faster."

Disclaimer: I have not checked this feature.



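A small model of the selection logic the quoted ChangeLog describes, added here as an illustration; it is not code from this thread, from the kernel, or from the SAME target. It picks an address from a constructed SNAT pool by hashing the {source, destination} pair and checks the two properties the ChangeLog claims (a consistent choice per pair, and a roughly even spread over the pool) against the older per-connection random choice. The pool addresses, the use of SHA-256 as the hash, and all function names are assumptions; the kernel's actual hash is not reproduced. A source-only key is included to show the difference it makes: with the pair as the key, one host can still present different addresses to different destinations.

```python
import hashlib
import ipaddress
import random
from collections import Counter

# Constructed SNAT pool of four documentation-range addresses (assumption,
# not from the thread): 203.0.113.0 .. 203.0.113.3.
NAT_POOL = [str(ip) for ip in ipaddress.ip_network("203.0.113.0/30")]


def pick_random(pool, src, dst):
    """Pre-2.6.11 behaviour as the ChangeLog describes it: a random pool
    member for every new connection, regardless of who is connecting."""
    return random.choice(pool)


def pick_by_hash(pool, src, dst, use_dst=True):
    """Consistent choice: hash the key and index into the pool.

    With use_dst=True the key is the {source, destination} pair, as the
    ChangeLog text describes.  With use_dst=False only the source is hashed,
    so a host keeps one public address for every destination.
    SHA-256 stands in for the kernel's own hash (assumption); any stable
    hash gives the consistency property."""
    key = f"{src}->{dst}" if use_dst else src
    digest = hashlib.sha256(key.encode()).digest()
    index = int.from_bytes(digest[:4], "big") % len(pool)
    return pool[index]


def is_consistent(chooser, pool, src, dst, trials=20):
    """True if repeated connections from the same pair always get the same
    pool address from `chooser`."""
    chosen = {chooser(pool, src, dst) for _ in range(trials)}
    return len(chosen) == 1


def same_for_all_destinations(pool, src, dsts, use_dst):
    """True if one source gets the same pool address for every destination."""
    chosen = {pick_by_hash(pool, src, d, use_dst) for d in dsts}
    return len(chosen) == 1


def distribution(chooser, pool, n_hosts=2000):
    """Count how many of n_hosts constructed internal hosts (10.0.0.0 + i),
    all talking to one destination, land on each pool address."""
    counter = Counter()
    dst = "198.51.100.80"  # constructed destination (assumption)
    for i in range(n_hosts):
        src = str(ipaddress.ip_address("10.0.0.0") + i)
        counter[chooser(pool, src, dst)] += 1
    return counter


if __name__ == "__main__":
    src, dst = "192.0.2.7", "198.51.100.80"
    print("random choice consistent? ", is_consistent(pick_random, NAT_POOL, src, dst))
    print("hashed choice consistent? ", is_consistent(pick_by_hash, NAT_POOL, src, dst))
    dsts = ["198.51.100.80", "198.51.100.81", "198.51.100.82"]
    print("pair key, one address for all dsts?  ",
          same_for_all_destinations(NAT_POOL, src, dsts, use_dst=True))
    print("source-only key, one address for all? ",
          same_for_all_destinations(NAT_POOL, src, dsts, use_dst=False))
    print("spread over pool:", dict(distribution(pick_by_hash, NAT_POOL)))
```

The distribution check is what "come pretty damn close just hashing" amounts to: with a few thousand distinct sources the counts per pool address sit near n_hosts / len(pool), without the kernel having to track per-address connection counts.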