Can I use multiport option for load balancing through iptables?

Question

I am trying to load balance using iptables.

My rules look like below:

iptables -t nat -A PREROUTING -p tcp --dport 5000 -m statistic --mode nth --every 6 --packet 0 -j REDIRECT --to-port 5890

iptables -t nat -A PREROUTING -p tcp --dport 5000 -m statistic --mode nth --every 5 --packet 0 -j REDIRECT --to-port 5891

.

.

.

iptables -t nat -A PREROUTING -p tcp --dport 5000 -m statistic --mode nth --every 1 --packet 0 -j REDIRECT --to-port 5896

Can I use multiport option to consolidate the six rules into a single one?

Answer 1

The multiport match is used as selector. There's no multiport option for the TARGET REDIRECT. If you try to put a port range in the --to-ports option of REDIRECT, only the first port in the range will be chosen. Same if you (manage to) use -j DNAT --to-destination rule instead of REDIRECT. There won't be round-robin used.

The method you're currently using with iptables is certainly the way to go. The only minor optimization I can see is that you don't need -m statistic --mode nth --every 1 --packet 0 on the last rule, because it always matches, and that --packet defaults to 0 so can be omitted everywhere.

Note: an other possible method would be by using ipvs (aka lvs) but it's certainly overkill especially for a local redirection, if at all possible for this case.