Just a brief guide on how to enable SNAT in LVS with iptables.

Firstly this is all very bleeding edge and as yet has not made it into the current kernel it should be in 2.6.36 with a new version of iptables released not long after that. But for those of you far to eager to use this already here is what you do. N.B I will also go through the process of enabling it so if your reading this and 2.6.36 is available as is the latest version of iptables you can probably skip the start of this article.

The patches are available as part of the LVS list, Which Should be available here http://archive.linuxvirtualserver.org/html/lvs-devel/2010-07/msg00033.html

There are 4 patches in all that you need to implement. There is also a Git repository available (at the time of writing) to get a patched version of 2.6.35-rc1. Firstly you need to install GIT


git clone -b full-nat 

For instructions on building your kernel see http://howtoforge.com/kernel_compilation_centos_p2 which is the method that I used, feel free to use your own should you require.

When you come to your make menuconfig section please make sure you enable LVS and Netfilter making sure you enable  ipvs match support which can be found ->
Networking support
Networking Options
Network packet filtering framework (Netfilter)
Core Netfilter Configuration
"ipvs" match support


make all
make modules_install
make install

and reboot into your new kernel version.

Once you have that running you must make sure that the xt_ipvs module was installed so a quick search

find / -name xt_ipvs.*

should turn it up in your /lib/modules folder if its not there you need to check that it was enabled correctly in your kernel config.

Right now thats done time to rebuild iptables -

for this your looking for the patch "[patch v2.7 4/4] libxt_ipvs: user-space lib for netfilter matcher xt_ipvs"

which will patch iptables

I downloaded their latest version http://www.netfilter.org/projects/iptables/files/iptables-1.4.8.tar.bz2

and untared it to /usr/src then copied the patch into the iptables-1.4.8 direcory then patched it.

Then ran a

make install

after all that you should be ready to go!

Im going to detail my setup -

The Loadbalancer

IPVS 1.2.1
iptables 1.4.8 --patched
kernel - 2.6.35-rc1 --patched

eth0 ip
eth0:45 (I would have used eth1 but couldn't find a test box spare with 2 network cards in)

My test box -


The Webserver -

Commands to setup ipvs and iptables


ipvsadm -A -t -s rr
ipvsadm -a -t -r -m


/usr/local/sbin/iptables -t nat -A POSTROUTING -m ipvs --vaddr --vport 80 -j SNAT --to-source

iptables shows -

iptables -t nat -L
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

target     prot opt source               destination
SNAT       all  --  anywhere             anywhere            vaddr vport 80 to:

ipvsadm shows -

ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP rr
->              Masq    1      0          0

Connected to the IP from my browser page loaded fine and you can see in the apache log -

" - - [21/Jul/2010:08:44:00 -0400] "GET / HTTP/1.1" 200 82"

If all that worked you should be ready to go! HAPPY SNATTING (is that even a word, ah well it is now).