Round-Robin new http connections to different ports using IPTABLE

+1 vote
1,128 views

I have a situation where I want to round-robin new http connections to different ports, but I'm finding that the following is resulting in a significant amount of connections "falling through" to my catch-all on port 9000, rather than being evenly distributed across 8080-8084.

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 0 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 1 -j REDIRECT --to-port 8081
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 2 -j REDIRECT --to-port 8082
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 3 -j REDIRECT --to-port 8083
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 4 -j REDIRECT --to-port 8084
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 9000

It's about 80-20, where 80% are evenly distributed amongst 8080-8084 and 20% are winding up on 9000.

I'd prefer 100% evenly distributed on 8080-8084 and none on 9000. I put 9000 there as a catch-all "hack" because I found connections were failing to be caught by the 8080-8084 range.

posted Oct 1, 2013 by Jai Prakash


1 Answer

+1 vote

The stats filters work at a rule level, so you need to decrease the every count by 1 each time and have packet = 0. The first rule is called 1 in 5 times, so the second rule only needs to be called 1 in 4, which catches most people out unfortunately.

giving:

iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 0 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 4 --packet 0 -j REDIRECT --to-port 8081
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 3 --packet 0 -j REDIRECT --to-port 8082
and so on
answer Oct 1, 2013 by Jagan Mishra
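A small Python model of the per-rule counter behind -m statistic --mode nth, added here as an illustration rather than code from the question or answer. It assumes the xt_statistic semantics that each rule counts only the packets that reach it, and shows why the asker's chain leaks connections to 9000 while the answer's decreasing --every values split them evenly.

```python
"""Model of how iptables `-m statistic --mode nth` rules hand packets down a
chain. Added illustration, not code from the page. Only a connection's first
packet traverses nat PREROUTING, so packet counts here are new-connection counts."""
from collections import Counter

# Each rule is (every, packet, port); every=None is the unconditional catch-all.
# The asker's chain: every rule says --every 5, with --packet 0..4.
ORIGINAL = [(5, 0, 8080), (5, 1, 8081), (5, 2, 8082),
            (5, 3, 8083), (5, 4, 8084), (None, 0, 9000)]
# The answer's fix: --every shrinks by one per rule, --packet stays 0.
CORRECTED = [(5, 0, 8080), (4, 0, 8081), (3, 0, 8082),
             (2, 0, 8083), (1, 0, 8084), (None, 0, 9000)]

def simulate(rules, n_packets):
    """Return {port: hits}. Each rule keeps its own counter of the packets
    that reach it (xt_statistic's counter is per rule, not per chain) and
    matches when seen % every == packet; REDIRECT ends traversal."""
    seen = [0] * len(rules)
    hits = Counter()
    for _ in range(n_packets):
        for idx, (every, packet, port) in enumerate(rules):
            if every is None:          # catch-all: always matches
                hits[port] += 1
                break
            matched = seen[idx] % every == packet
            seen[idx] += 1
            if matched:
                hits[port] += 1
                break
    return dict(hits)

def round_robin_rules(ports, catch_all):
    """Even split over `ports`: rule i only sees what the first i rules
    passed on, so it needs --every (len(ports) - i), not a constant."""
    return [(len(ports) - i, 0, p) for i, p in enumerate(ports)] + [(None, 0, catch_all)]

def to_iptables(rules):
    """Render a chain as the REDIRECT commands used on this page."""
    base = "iptables -t nat -A PREROUTING -p tcp --dport 80"
    out = []
    for every, packet, port in rules:
        stat = "" if every is None else \
            f" -m statistic --mode nth --every {every} --packet {packet}"
        out.append(f"{base}{stat} -j REDIRECT --to-port {port}")
    return out

if __name__ == "__main__":
    print("original :", simulate(ORIGINAL, 100))   # 33 of 100 fall through to 9000
    print("corrected:", simulate(CORRECTED, 100))  # 20 each, nothing on 9000
```

Running it for 100 new connections shows the original chain sending 20/16/13/10/8 to 8080-8084 and 33 to 9000, while the corrected chain sends exactly 20 to each and none to the catch-all.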