Re: src_addr for outgoing NAT packets.

To: Joseph Mack <mack.joseph@xxxxxxx>
Subject: Re: src_addr for outgoing NAT packets.
Cc: Joseph Mack <mack.joseph@xxxxxxxxxxxxxxx>, <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Thu, 1 Feb 2001 01:08:19 +0000 (GMT)
        Hello,

On Wed, 31 Jan 2001, Joseph Mack wrote:

> Julian Anastasov wrote:
> >
>
> I need to clarify some nomenclature here.
> In an LVS, which direction is the masquerading,
> the inward or outward direction?

        from client to NAT-ed real server we call it demasquerading
        from NAT-ed real server to client is masquerading
        from client to DR real server is ?forwarding?
        from client to TUN real server is ?tunneling?

> what's the other direction called? reverse masquerading?

        Yes, reverse or de-masquerading

> > - the MASQ code sees the first packet in the FORWARD chain when
> > there is a -j MASQ target in the ipchains rule.
> > The routing selects the maddr.

        In fact, the masq code calls the routing to select maddr.

> this is the outward going packet right?
> this is for LVS or a machine behind a regular NAT box or both?

        This is for normal NAT. LVS does not create connections
in the outward direction.

> >If the connection already exists the packets are masqueraded.
>
> what about a machine behind a NAT box initiating a telnet session?
> Doesn't its first outward packet (the telnet connect request) have to be
> masqueraded?

        Yes, these packets are always masqueraded if the ipchains rule
delivers these packets to the masquerading. And this can be done only
in the FORWARD chain. The demasqueraded packets walk the forwarding but
not the forwarding firewall chain. The forwarding firewall chain is
traversed only for outward (masqueraded) packets.

> > ip route add 10.0.0.0/24 brd + dev eth0 via uplink1 src SRCIP1
> > ip route add 10.0.1.0/24 brd + dev eth0 via uplink2 src SRCIP2
> >
> >         Source routing can't be used to select the maddr for the
> > connections initiated from the internal hosts. It will be ignored.
>
> I don't understand this last statement. You look like you're showing
> an example which depends on the src IP, but then you say the source
> will be ignored.

        Source routing is when we use "from SOURCE" in the ip
rule. In this way we match the packet source address. The "src"
option defines the default source address for the route. Here is
one example:

ip rule add prio 100 from 192.168.0.1 table 100
ip route add table 100 10.0.0.1 via 192.168.1.2 dev eth0 src 192.168.1.3

> >         In this example, the SRCIP1 and SRCIP2 will be selected
> > according to the destination. This is for connections initiated from
> > the internal servers. LVS always assigns VIP as maddr.
>
> eth0 has SRCIP1 and SRCIP2 on it (presumably one is an alias?)

        The "alias" in 2.2+ is only an ifconfig magic. In the "ip"
command they are called "labels". In fact, they are only names.
We can attach many addresses to one interface. We can even attach
addresses with different priorities (ip addr add 10.0.0.1/24 dev lo
scope 1) and in this way reorder them by this priority and not
by the order based on the creation time.

> thanks
>
> Joe


Regards

--
Julian Anastasov <ja@xxxxxx>
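The distinction Julian draws above (a "from SOURCE" rule selector versus a route's "src" option, and the masquerade address being chosen by a destination-only lookup) can be modelled in a few lines. The following is an added illustration, not code from this thread, from LVS or from the 2.2 ipchains/masq sources; it is a simplified model of the behaviour the mail describes, with constructed rule and route tables that mirror the two examples in the mail (uplink1, uplink2, SRCIP1, SRCIP2 are the mail's own placeholders, kept as plain strings).

```python
"""Simplified model of Linux policy routing as described in the mail:
  * 'ip rule ... from SOURCE table N' matches the packet's source address
    (what the mail calls "source routing");
  * a route's 'src' option is only the preferred source address for that route;
  * the masq code asks routing for a route to the *destination* and takes that
    route's 'src' as maddr, so 'from' selectors are ignored for maddr selection.
Added example, not kernel or LVS code; addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    prio: int
    src_selector: Optional[ipaddress.IPv4Network]  # None == no 'from', match all
    table: str


@dataclass(frozen=True)
class Route:
    table: str
    dst: ipaddress.IPv4Network
    via: str                 # next hop; the mail's 'uplink1'/'uplink2' placeholders
    dev: str
    src: Optional[str]       # preferred source ('src' option), may be absent


def lookup_table(routes, table, dst):
    """Longest-prefix match inside one routing table; None if no route matches."""
    best = None
    for r in routes:
        if r.table == table and dst in r.dst:
            if best is None or r.dst.prefixlen > best.dst.prefixlen:
                best = r
    return best


def route_lookup(rules, routes, dst, src=None):
    """Walk the rules in priority order; the first table holding a matching
    route wins.  'src' is the packet source used by 'from' selectors; None
    means the lookup is made without a source (destination-only)."""
    dst_addr = ipaddress.ip_address(dst)
    src_addr = ipaddress.ip_address(src) if src else None
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src_selector is not None:
            # A 'from' selector can only match when a source is known.
            if src_addr is None or src_addr not in rule.src_selector:
                continue
        r = lookup_table(routes, rule.table, dst_addr)
        if r is not None:
            return r
    return None


def select_maddr(rules, routes, dst):
    """What the masq code does for a new outward connection: route lookup by
    destination only, then take the route's 'src' as the masquerade address."""
    r = route_lookup(rules, routes, dst)      # no source -> 'from' rules ignored
    return r.src if r else None


def masquerade(rules, routes, src, dst):
    """Outward packet from an internal host.  The forwarding decision knows the
    packet source and honours 'from' rules; the maddr comes from a separate
    destination-only lookup.  Returns (forwarding route, maddr)."""
    fwd = route_lookup(rules, routes, dst, src=src)
    return fwd, select_maddr(rules, routes, dst)


# Constructed tables mirroring the mail's two examples.
RULES = [
    Rule(100, ipaddress.ip_network("192.168.0.1/32"), "100"),   # ip rule add prio 100 from 192.168.0.1 table 100
    Rule(32766, None, "main"),                                   # the default 'main' table rule
]
ROUTES = [
    Route("100", ipaddress.ip_network("10.0.0.1/32"), "192.168.1.2", "eth0", "192.168.1.3"),
    Route("main", ipaddress.ip_network("10.0.0.0/24"), "uplink1", "eth0", "SRCIP1"),
    Route("main", ipaddress.ip_network("10.0.1.0/24"), "uplink2", "eth0", "SRCIP2"),
]

if __name__ == "__main__":
    fwd, maddr = masquerade(RULES, ROUTES, "192.168.0.1", "10.0.0.1")
    print("forwarded via", fwd.via, "- masqueraded as", maddr)
    print("maddr for 10.0.1.7:", select_maddr(RULES, ROUTES, "10.0.1.7"))
```

Running it shows the point of the mail: a packet from 192.168.0.1 to 10.0.0.1 is forwarded via 192.168.1.2 because the "from 192.168.0.1" rule matches, but its maddr is SRCIP1 from the main table, not 192.168.1.3, because the maddr lookup is made by destination alone; any other internal host reaching 10.0.1.x gets SRCIP2 the same way. LVS is not modelled here because, as the mail says, it always uses the VIP as maddr and never creates outward connections.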