Re: Problems with LVS-NAT and direct routing to network behind LVS.....

To: Pawel Kisiel <tecman@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: Problems with LVS-NAT and direct routing to network behind LVS.....
Cc: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Wed, 29 Aug 2001 23:39:17 +0000 (GMT)

On Wed, 29 Aug 2001, Pawel Kisiel wrote:

>      I have the direct routing from to
> and 1 real IP on LVS-NAT. I have mapped port using ipvsadm

        OK, the real question is why you need NAT? Forget it. Run
LVS-DR instead. With a few settings (you are an iptables fan) you
can hide your real servers from the other traffic and just
allow access to the served ports. Then you will need the patch
that allows the LVS box to be a gateway for the replies from
the real servers; you need forward_shared-2.4.5-1.diff from

set /proc/.../conf/all/forward_shared and internal_device/forward_shared
to 1

This patch allows the director to forward packets with local source (VIP)
when they come from the real servers (the input device).

Then you will have an identical setup to LVS-NAT. I assume you filter the
spoofed packets before the LVS box. If the LVS box is your firewall
you have to use two switched hubs, to split the internal from the external
networks. BTW, this is true even without using this patch. This patch
does not require a higher level of security compared to the normal DR
or NAT setups.

Pros: when the method is LVS-DR you can serve clients from local
and remote networks.

Cons: many; I don't know your setup, and from the information provided
nobody can know. The tricky part is what iptables NAT rules you
are using, the routes, maybe the real servers' settings prefer the NAT
method, etc.

> for example 21,22,25, and so on.... to the internal network
> machines (real servers' network). I can get to the machines behind
> the LVS box on these ports from internet, but when I'm trying
> to get through the direct routing to the real servers from
> private network, all of the mapped ports are not available...
>       What I figured out is that I have waiting connections
> on real servers from my private network (netstat -na on real server)
> but the returning packets from real servers through the LVS to my
> private network are somehow blocked on LVS.....

        There are so many ways to break things. Really, I don't
know what you have done. You have first -j MASQ for -s port 80
for example and then -j ACCEPT for -s How do you control
when to SNAT and when not to SNAT between these private networks? The
LVS-NAT method you are using requires the packets to be NAT-ed in both
directions. If you want to check everything, you can start with
tcpdump outputs on all hosts:

tcpdump -len host CLIENT_IP

then check what is wrong: dropped packets, not NAT-ed, wrongly NAT-ed, etc.

>       Can anyone solve this problem ???

        It is possible. The HOWTO contains many example setups.

> What I did to get to these hosts on real servers' network on mapped ports
> is to assign one more IP address that isn't mapped on LVS and after that
> I can log in to them........but this complicates the configuration and
> management of the real servers (it's annoying to remember doubled IP
> addresses on these machines.....)

        If you can't remember IPs then start DNS :)

> Pawel Kisiel


Julian Anastasov <ja@xxxxxx>
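
The debugging step suggested above (tcpdump on every host, then look for dropped, not NAT-ed or wrongly NAT-ed packets) can be mechanised. The script below is an added example, not part of the original message or of the LVS project: it parses `tcpdump -n` style lines captured on a real server and on a client, pairs each reply leaving the real server with what the client actually received, and labels it `ok` (source rewritten to the VIP), `not NAT-ed` (client sees the RIP), `wrongly NAT-ed` (some other source address) or `dropped` (never reached the client). The addresses, the `VIP`/`RIP`/`CLIENT` names and the capture lines are all constructed for the demo; the line format follows modern `tcpdump -n` output, with the `IP` token optional so older output also parses.

```python
import re
from collections import namedtuple

# One parsed packet from a `tcpdump -n` line. `rest` is everything after the
# "src.port > dst.port:" header (flags, seq/ack numbers, length) and serves as
# the packet's identity when matching captures from two hosts.
Packet = namedtuple("Packet", "src sport dst dport rest")

# timestamp [IP] a.b.c.d.port > a.b.c.d.port: rest  (IPv4 only)
PKT_RE = re.compile(
    r"^\S+\s+(?:IP\s+)?(\d{1,3}(?:\.\d{1,3}){3})\.(\d+)\s+>\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+):\s*(.*)$"
)


def parse(line):
    """Return a Packet for a tcpdump line, or None for lines that are not IPv4/TCP-UDP headers."""
    m = PKT_RE.match(line)
    if not m:
        return None
    return Packet(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5))


def check_replies(rs_lines, client_lines, vip, rip, client_ip):
    """For every reply the real server sent to the client, report what the client saw.

    A correctly NAT-ed reply must show up at the client with the VIP as source.
    """
    # Index the client capture by (client port, server port, payload identity).
    seen_at_client = {}
    for line in client_lines:
        p = parse(line)
        if p and p.dst == client_ip:
            seen_at_client[(p.dport, p.sport, p.rest)] = p.src

    verdicts = []
    for line in rs_lines:
        p = parse(line)
        if not p or p.src != rip or p.dst != client_ip:
            continue  # not a reply from the real server to this client
        src = seen_at_client.get((p.dport, p.sport, p.rest))
        if src is None:
            verdict = "dropped"
        elif src == vip:
            verdict = "ok"
        elif src == rip:
            verdict = "not NAT-ed"
        else:
            verdict = "wrongly NAT-ed"
        verdicts.append((p.rest, verdict))
    return verdicts


# Constructed demo addresses (placeholders, not from the original thread).
VIP = "10.1.1.1"        # director's virtual IP
RIP = "10.0.0.5"        # real server
CLIENT = "192.168.1.10"  # client on the private network

# Constructed capture taken on the real server: `tcpdump -len host 192.168.1.10`
RS_CAPTURE = [
    "12:00:01.000100 IP 192.168.1.10.40000 > 10.0.0.5.80: Flags [S], seq 1000, win 5840, length 0",
    "12:00:01.000200 IP 10.0.0.5.80 > 192.168.1.10.40000: Flags [S.], seq 5000, ack 1001, win 5792, length 0",
    "12:00:01.100200 IP 10.0.0.5.80 > 192.168.1.10.40000: Flags [P.], seq 5001:5101, ack 1050, win 5792, length 100",
    "12:00:01.150200 IP 10.0.0.5.80 > 192.168.1.10.40000: Flags [.], ack 1050, win 5792, length 0",
    "12:00:01.200200 IP 10.0.0.5.80 > 192.168.1.10.40000: Flags [F.], seq 5101, ack 1050, win 5792, length 0",
]

# Constructed capture taken on the client at the same time.
CLIENT_CAPTURE = [
    "12:00:00.999900 IP 192.168.1.10.40000 > 10.1.1.1.80: Flags [S], seq 1000, win 5840, length 0",
    # SYN-ACK came back with the VIP as source: correctly NAT-ed
    "12:00:01.000400 IP 10.1.1.1.80 > 192.168.1.10.40000: Flags [S.], seq 5000, ack 1001, win 5792, length 0",
    # data segment leaked through with the real server's address: not NAT-ed
    "12:00:01.100400 IP 10.0.0.5.80 > 192.168.1.10.40000: Flags [P.], seq 5001:5101, ack 1050, win 5792, length 100",
    # pure ACK rewritten to some other director address: wrongly NAT-ed
    "12:00:01.150400 IP 10.1.1.2.80 > 192.168.1.10.40000: Flags [.], ack 1050, win 5792, length 0",
    # the FIN never arrives at the client: dropped
]


def run_demo():
    """Run the check over the constructed captures and return the verdict list."""
    return check_replies(RS_CAPTURE, CLIENT_CAPTURE, VIP, RIP, CLIENT)


if __name__ == "__main__":
    for rest, verdict in run_demo():
        print(f"{verdict:15s} {rest}")
```

In practice the two captures come from `tcpdump -len host CLIENT_IP` run on the real server and on the client (or on the director's inside and outside interfaces); the identity key is deliberately loose, so TCP timestamps or other options that the director rewrites would have to be stripped from `rest` before matching.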
