SuSEfirewall2 / IPTables and load balance outbound connections across multiple IPs

I am running SuSEfirewall2 and I want to run a command like this:
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 443 -j SNAT --to 86.58.111.131-86.58.111.189

This command doesn’t have any effect…

And this is wrong:
iptables -t nat -A forward_ext -o eth0 -p tcp --dport 443 -j SNAT --to 86.58.111.131-86.58.111.189

Can someone help? Or come with a suggestion… :)

Please do not only post your conclusions, but show why you came to those conclusions. E.g. when the above statement has no effect, then show a list of your IP tables, so we all can see it isn’t there.

Again, you post a conclusion. Should we confirm that it is wrong? Do you think it should not be wrong? Or is there an error message you did not show?

Do not forget that a good problem description has three items:

  • what did you do;
  • what did you expect to happen;
  • what happened instead.

No need to make it a bullet list or in the same sequence, but the information must be there. Else you press your potential helpers to make all sorts of assumptions and guesses, which will lead to confusion.

Without being able to answer immediately,
Just commenting that up until a couple of years ago, this was not an easy thing to set up and required consulting the generally official “How To”

http://lartc.org/

But,
I remember sometime probably between a year to 3 years ago in these forums there is a Forum thread which IIRC was only between that poster and myself that described a really simple way to do this… I can’t seem to find it at the moment. It might have had to do with defining a system network policy (has nothing to do with permissions or Network Manager), it was a part of the standard TCP/IP stack. Am pretty sure that one thread is the only time this method was ever described… He couldn’t get it to work at first (is why he posted), I set up on my own machine and got it to work with almost no changes to what he originally posted. I don’t remember for sure if the solution was a network policy or an iptables configuration.

If that thread can be found or the right combination of keywords used in an Internet search, I’m sure this can be found.

Note that really simple methods like defining multiple routing tables, perhaps with different routing priorities does not work because TCP/IP is a 2-way protocol and responses for that session must always be returned through the same network interface, else you’ll have lost packets and other related errors.

TSU-

Skimming some documentation,
I came across the following… Although the documentation is for firewalld, it describes a filtering rule that by default invalidates what you are trying to do. You should check for a similar iptables rule; if it exists and is set the same way, you may have to modify it to enable your modifications. Inspect your rules for anything that might say “log denied”

http://www.firewalld.org/documentation/man-pages/firewalld.conf.html

TSU