Hello list,
I'm an lvs newbie having great fun playing with my new tools. I'm thinking
about implementing an lvs-DR solution for a contract client and as such,
decided to set up an lvs-NAT on my home network to learn the ropes.
My problem is that only the first few connections made to the LVS are
permitted to pass through. All subsequent connections seem to be dropped,
despite my explicit iptables ACCEPT rules and LOG files that confirm the
acceptance.
A concise example is when I attempt to access my http lvs webcluster at:
http://twogears.com
I go to anonymizer.com and http to myself. The request makes its way to my
first real server, who returns the requested apache index.html properly. When
the client requests connections to transfer the 5 images on that page, my lvs
director drops the last 3 requests unexplainably (to me)! I can see and LOG
all the inbound connections and explicitly ACCEPT them with iptables but it
seems as if lvs is still dropping the last three. In addition, I explicitly
schedule with weighted round robin, but all the hits seem to go to the same
box.
Here's my firewall/load balancing script for you kind folk who would like
to help:
# Flush all
iptables -F
ipvsadm --clear
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Get current internet IP
MYIP=$(ifconfig eth0 | grep inet | cut -f 2 -d ":" | cut -f 1 -d " ")
echo FIREWALLING for $MYIP
echo -n "Loading NAT module ..."; modprobe iptable_nat; echo " done."
# Turn on NAT for inside LAN out
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -d ! 10.0.1.0/24 -o eth0 -j MASQUERADE
# "$1" must be quoted: with no argument the unquoted test expanded to
# [ -a == "drop" ], which is a syntax error rather than "false".
if [ "$1" = "drop" ]
then
# Drop your pants
# -P takes the policy name directly; "-P INPUT -j ACCEPT" is rejected by iptables.
iptables -P INPUT ACCEPT
else
# Get current internet IP
MYIP=$(ifconfig eth0 | grep inet | cut -f 2 -d ":" | cut -f 1 -d " ")
# Load all needed modules.
echo -n "Loading LOGS ..."; modprobe ipt_LOG; echo " done."
echo -n "Loading connection tracking ..."; modprobe ip_conntrack; echo " done."
echo -n "Loading Limits ..."; modprobe ipt_limit; echo " done."
echo -n "Loading State tracking ..."; modprobe ipt_state; echo " done."
echo -n "Loading Marks ..."; modprobe ipt_mark; echo " done."
echo -n "Loading Reject ..."; modprobe ipt_REJECT; echo " done."
echo -n "Loading Virtual Server ..."; modprobe ip_vs; echo " done."
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow all traffic from inside trusted hosts
iptables -A INPUT -i eth1 -d 10.0.1.1 -s 10.0.1.0/24 -j ACCEPT
# Don't be crazy, allow loopback traffic
iptables -A INPUT -d 127.0.0.1 -j ACCEPT
### HTTP CLUSTER ###
# Allow all on port 80
iptables -A INPUT -i eth0 -p tcp -d $MYIP/32 --destination-port 80 -j LOG --log-prefix " http--> "
iptables -A INPUT -i eth0 -p tcp -d $MYIP/32 --destination-port 80 -j ACCEPT
# Balance HTTP load over these servers
# Persistence (-p) is a property of the virtual service, so it belongs on the
# -A line, not on the real-server (-a) lines; it keeps every connection from
# one client IP on the same real server for 360 s.
# -r is --real-server (on current ipvsadm -R means --restore); -m is NAT mode.
ipvsadm -A -t $MYIP:80 -s wrr -p 360
ipvsadm -a -t $MYIP:80 -r 10.0.1.4:80 -w 1 -m
ipvsadm -a -t $MYIP:80 -r 10.0.1.6:80 -w 1 -m
### HTTPS CLUSTER ###
# Allow all on port 443
iptables -A INPUT -i eth0 -p tcp -d $MYIP/32 --destination-port 443 -j ACCEPT
# Balance HTTPS load over these servers
ipvsadm -A -t $MYIP:443 -s wrr -p 360
ipvsadm -a -t $MYIP:443 -r 10.0.1.6:443 -w 1 -m
fi
### EOF ###
Director essentials:
- eth0: outside interface w/ internet IP
- eth1: 10.0.1.1
I've searched the web, the man pages, my brain, recompiled kernels
(uselessly) and even tried installing piranha, all to no avail. Any help
would be greatly, greatly appreciated!
--
<=====================================>
Bryan Mongeau
Lead Developer, Director
eEvolved Real-Time Technologies Inc.
Website: http://www.eevolved.com
Public key: http://eevolved.com/bcm.pk
<=====================================>
"The further the spiritual evolution of mankind advances, the more certain it
seems to me that the path to genuine religiosity does not lie through the
fear of life, and the fear of death, and blind faith, but through striving
after rational knowledge."-- Einstein
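A small diagnostic for the symptom described in the post (connections that the " http--> " LOG rule shows arriving and iptables accepting, yet never served by LVS), added here as an example and not part of the original message or the LVS project: it correlates the director's kernel LOG lines with `ipvsadm -Lcn` output and lists SYNs that never got an IPVS connection entry, plus how the connections were spread over the real servers. The log lines, the ipvsadm output and all addresses are constructed samples; the log format is trimmed to the fields read here.

```python
import re
from collections import Counter

# Constructed sample of director syslog lines from the " http--> " LOG rule
# (ipt_LOG format, trimmed to the fields this script reads).
KERNEL_LOG = """\
kernel: http--> IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=80 SYN URGP=0
kernel: http--> IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=80 SYN URGP=0
kernel: http--> IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=80 ACK PSH URGP=0
kernel: http--> IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40003 DPT=80 SYN URGP=0
"""

# Constructed sample of `ipvsadm -Lcn` output captured at the same time.
IPVSADM_LC = """\
IPVS connection entries
pro expire state       source               virtual             destination
TCP 14:58  ESTABLISHED 198.51.100.7:40001   203.0.113.10:80     10.0.1.4:80
TCP 00:30  SYN_RECV    198.51.100.7:40002   203.0.113.10:80     10.0.1.4:80
"""

LOG_RE = re.compile(r"http--> .*SRC=(\S+) DST=(\S+) .*PROTO=TCP SPT=(\d+) DPT=(\d+)")

def accepted_syns(log_text):
    """Connection attempts iptables logged: the initial SYN of each 4-tuple."""
    conns = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        # Only a SYN without ACK marks a new connection attempt; later packets
        # of an existing connection are logged too (the rule matches all port 80).
        if m and re.search(r"\bSYN\b", line) and not re.search(r"\bACK\b", line):
            src, dst, sport, dport = m.groups()
            conns.add((src, int(sport), dst, int(dport)))
    return conns

def ipvs_table(ipvs_text):
    """Map each (src, sport, vip, vport) in the IPVS table to its real server."""
    table = {}
    for line in ipvs_text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0] == "TCP":
            src, sport = f[3].rsplit(":", 1)
            vip, vport = f[4].rsplit(":", 1)
            table[(src, int(sport), vip, int(vport))] = f[5]
    return table

def lost_connections(log_text, ipvs_text):
    """SYNs that passed the INPUT chain but never got an IPVS connection entry."""
    return sorted(accepted_syns(log_text) - set(ipvs_table(ipvs_text)))

def real_server_spread(ipvs_text):
    """Connections per real server; a single hot server with wrr hints at persistence."""
    return Counter(ipvs_table(ipvs_text).values())
```

On a live director, feed it `grep 'http-->' /var/log/messages` and `ipvsadm -Lcn` captured within the same minute, since IPVS entries expire.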