Re: Problems with LVS-NAT and direct routing to network behind LVS.....

To: Julian Anastasov <ja@xxxxxx>
Subject: Re: Problems with LVS-NAT and direct routing to network behind LVS.....
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Pawel Kisiel <tecman@xxxxxxxxxxxxxxxxxxxx>
Date: Thu, 30 Aug 2001 01:09:27 +0200 (CEST)
On Wed, 29 Aug 2001, Julian Anastasov wrote:

>       Hello,
> On Wed, 29 Aug 2001, Pawel Kisiel wrote:
> >      I have the direct routing from to
> > and 1 real IP on LVS-NAT. I have mapped port using ipvsadm
>       OK, the real question is: why do you need NAT? Forget it. Run
> LVS-DR instead. With a few settings (you are an iptables fan) you
> can hide your real servers from the other traffic and just
> allow access to the served ports. Then you will need the patch
> that allows the LVS box to be a gateway for the replies from
> the real servers; you need forward_shared-2.4.5-1.diff from
        So you mean to use iptables to DNAT to the internal machines?
If so.... I had problems with DNAT on didn't
forward to the internal as it should......
I was doing something like this:
iptables -t nat -A PREROUTING -p tcp -d world_ip --dport 80 -j \
DNAT --to ?!?! Is it good?  I think it should be good
but it didn't work :((
        Does this patch solve the problems with ARP in LVS-DR mode?
My machines that are hidden are Linux boxes; will it work??
        I know that with LVS-NAT it doesn't matter what kind of OSes I'm
 using, but with the other methods it does!......

> This patch allows the director to forward packets with local source (VIP)
> when they come from the real servers (the input device).

        My real servers will still have a private range of IP addresses?
Am I right?

> Then you will have identical setup with LVS-NAT. I assume you filter the
> spoofed packets before the LVS box. If the LVS box is your firewall
> you have to use two switched hubs, to split the internal from the external
> networks. BTW, this is true even without using this patch. This patch
> does not require higher level of security compared to the normal DR
> or NAT setups.

The only change to the configuration will be to change the -m to -g??
>       There are so many ways to break things. Really, I don't
> know what you have done. You have first -j MASQ for -s port 80
> for example and then -j ACCEPT for -s How do you control
> when to SNAT and when not to SNAT between these private networks? The
> LVS-NAT method you are using requires the packets to be NAT-ed in both
> directions. If you want to check everything you can start with
> tcpdump outputs on all hosts:
iptables -A FORWARD -s -d -j ACCEPT
iptables -A FORWARD -s -d -j ACCEPT

iptables -t nat -A POSTROUTING -s -d ! -j SNAT \
--to world_ips

        Correct me if I'm wrong with these rules.....?

Pawel Kisiel
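The points raised in this message (whether switching LVS-NAT to LVS-DR is only a matter of -m versus -g, what the Linux real servers need so they do not answer ARP for the VIP in DR mode, what the DNAT rule should have looked like, and a complete form of the FORWARD/SNAT rules posted above) are shown below as an added example. It is not code from the thread or from the LVS project; every address, port and network in it is a hypothetical placeholder, and the functions print the commands they would run unless DRY_RUN=0 is set, so the script can be read and checked without a director at hand.

```shell
#!/bin/sh
# Added example, not from the original thread or the LVS project.
# Director-side commands for LVS-DR ("-g") versus LVS-NAT ("-m"), the
# real-server ARP settings LVS-DR needs, the corrected plain-iptables
# DNAT rule, and a stateful form of the FORWARD/SNAT rules from the message.
# All addresses, ports and networks are hypothetical placeholders.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them and
# needs root plus ipvsadm, iptables and iproute2.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# lvs_service VIP PORT METHOD RIP...   METHOD is g (direct routing) or m (NAT).
# The per-real-server forwarding flag is the only ipvsadm difference between
# the two methods; the service definition and the scheduler are the same.
lvs_service() {
    vip=$1; port=$2; method=$3; shift 3
    case $method in
        g|m) ;;
        *) echo "method must be g or m" >&2; return 1 ;;
    esac
    run ipvsadm -A -t "$vip:$port" -s rr
    for rip in "$@"; do
        run ipvsadm -a -t "$vip:$port" -r "$rip:$port" "-$method"
    done
}

# dr_realserver VIP   (run on each Linux real server in LVS-DR mode)
# The real server must own the VIP to accept packets the director forwards
# to it, but must not answer ARP for the VIP, otherwise the router sends
# client traffic straight to whichever real server answered first.
dr_realserver() {
    vip=$1
    run ip addr add "$vip/32" dev lo
    for dev in all lo; do
        run sysctl -w "net.ipv4.conf.$dev.arp_ignore=1"
        run sysctl -w "net.ipv4.conf.$dev.arp_announce=2"
    done
}

# nat_director WORLD_IP INTERNAL_NET   (director-side netfilter rules)
# Default-deny forwarding, let the internal network out, let only replies
# back in, and SNAT what the internal hosts originate toward the outside.
# IPVS rewrites the balanced connections itself; these rules cover the
# other traffic between the two networks.
nat_director() {
    world=$1; net=$2
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -s "$net" ! -d "$net" -j ACCEPT
    run iptables -A FORWARD -d "$net" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$net" ! -d "$net" -j SNAT --to-source "$world"
}

# dnat_port WORLD_IP PORT RIP   Plain netfilter port forwarding to one host,
# with the target given as --to-destination. This is what the PREROUTING rule
# in the message was trying to do; it bypasses IPVS, so it balances nothing.
dnat_port() {
    world=$1; port=$2; rip=$3
    run iptables -t nat -A PREROUTING -p tcp -d "$world" --dport "$port" \
        -j DNAT --to-destination "$rip:$port"
}

if [ "${1:-}" = demo ]; then
    lvs_service 203.0.113.10 80 g 10.0.0.11 10.0.0.12
    dr_realserver 203.0.113.10
    nat_director 203.0.113.10 10.0.0.0/24
    dnat_port 203.0.113.10 80 10.0.0.11
fi
```

Run it as `sh lvs-example.sh demo` to see the command set for both methods; with DRY_RUN=0 the same calls execute on a real director or real server. The dr_realserver settings are for the sysctl-based ARP suppression in current kernels; the 2.4 kernels of the original thread needed a kernel patch for the same effect.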
