
Re: lvs setup via tunelling problem

To: Djamil ESSAISSI <djamil@xxxxxxxxxxxxxxxx>
Subject: Re: lvs setup via tunelling problem
Cc: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Tue, 16 Oct 2001 13:08:44 +0300 (EEST)
        Hello,

On Tue, 16 Oct 2001, Djamil ESSAISSI wrote:

> :)> :)director# tcpdump -ln -i INDEV host CIP

        The device where the request packet comes from client


        The eth device where the IPIP packets go from director
to real server (may be eth0 again). If you have only one NIC everywhere
then replace them with eth0.

> :)    Do you have the tcpdump on OUTDEV? Your config looks ok but
> :)I'm still not sure where the traffic stops. You provide only trace
> :)from one point which is obvious to work.
>
> (*** just in case i'm wrong what do u mean by INDEV OUTDEV ?)

        eth0

>
> :)
> :)> :)real server# tcpdump -ln -i IN_ETH host DIP
> :)> :)real server# tcpdump -ln -i tunl0 host CIP
> :)> :)real server# tcpdump -ln -i OUT_DEV host CIP
> :)> :)
> :)
> (*** here too)
>
> i've sent the only tcpdumps that actually got something !

        IPVS should generate IPIP packet:

        director# tcpdump -ln -i OUTDEV host RIP

        Then the IPIP packet from IPVS with saddr=DIP daddr=RIP
is not sent. Check your firewall.

        If in doubt, check LVS-TUN on LAN. Then you will see how
the packets look. Then again use remote RIP.

> :)    On the real server use:
> :)
> :)echo 1 > /proc/sys/net/ipv4/ip_forward
> :)echo 1 > /proc/sys/net/ipv4/conf/all/hidden
> :)echo 1 > /proc/sys/net/ipv4/conf/lo/hidden
> :)ifconfig lo:153 212.43.218.153 netmask 255.255.255.255 up
> :)
> :)# insert it if it is compiled as module:
> :)insmod ipip
> :)ifconfig tunl0 up
> :)
>
> now this is not like docs/examples say !

        You don't believe me :)

        It is in the html you posted first time:
http://www.linuxvirtualserver.org/VS-IPTunneling.html

        There is a similar example with adding VIP to dummy0 device.

        Here is the exact example:

---------------------------------------------------------
     echo 1 > /proc/sys/net/ipv4/ip_forward
     # insert it if it is compiled as module
     insmod ipip
     ifconfig tunl0 up
     ifconfig dummy0 up
     echo 1 > /proc/sys/net/ipv4/conf/all/hidden
     echo 1 > /proc/sys/net/ipv4/conf/dummy0/hidden
     ifconfig dummy0:0 172.26.20.110 up
     route add -host 172.26.20.110 dev dummy0:0
     ifconfig dummy0:1 <Another-VIP> up
---------------------------------------------------------

        I only changed it for you. As you see, there are no IPs on
tunl0. The kernel sends the IPIP traffic detected on eth0 for
decapsulation in tunl0 and then the sockets receive it from tunl0.

> it doesn't say about ifconfig lo, nor ifconfig tunl0 up without ip ?!
>
> and the hiding should not apply to my config ?!

        I already told you why it can apply: The RS's gateway may
not answer ARP "who has RSGW tell VIP". But it should if the normal
traffic with saddr=VIP is passed.

> <<--I'm not arguing with you but just telling you that I'm getting confused ! :)
> -->>
>
> :)To check whether packets with src=VIP exit from your RS's gateway use
> :)something like:
> :)
> :)traceroute -n -s 212.43.218.153 192.252.175.157
> :)
>
> looks like we spotted "a" problem , this doesn't work , I'm gonna have to play
> again with the firewall !

        Yes, you will not see the traceroute print the hops, but
with tcpdump you should detect whether the traceroute's packets reach
the client. Wait for traceroute to send packets with a big enough IP TTL (30
lines with stars) and at the same time run tcpdump on the client:

client# tcpdump -n host VIP

        If the client sees packets in the form Proto=UDP saddr=VIP
daddr=CIP, then your RS's ISP allows spoofed traffic with src=VIP.
You already know that the client sends all traffic to VIP to the
director, so you should not expect the ICMP replies from the client to
reach the real server and to make your traceroute happy.

        That's all you need to check. Now you can reread the thread.
Then we can talk again about any LVS-TUN settings.

> yup thank god we don't really depend on an ISP, we're hooked to the bone in a
> datacenter ... we control all our stuff ...so it's a matter of some time ....
>
> thank you again for the help ....
>
> I'm following this mailing list very closely as I discover how privileged we
> are in doing this good stuff.
>
> grutz.
>
> Dj

Regards

--
Julian Anastasov <ja@xxxxxx>
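The troubleshooting method in this mail is a sequence of capture points that an LVS-TUN packet must pass in order: director INDEV, director OUTDEV (IPIP DIP -> RIP), real server IN_ETH, tunl0 (decapsulated CIP -> VIP), real server OUT_DEV (reply VIP -> CIP), and finally the client. The Python below is an added example, not code from Julian's mail or the LVS project: it takes tcpdump text from each point and reports the first checkpoint where the flow is missing, with the hint the thread gives for that point. The VIP is the one from the thread; CIP, DIP and RIP, the checkpoint names, and the tcpdump lines are constructed for the example, and the line patterns assume tcpdump's "IP src.port > dst.port:" notation with the nested header it prints for IPIP.

```python
import re

# VIP is from the thread; CIP, DIP and RIP are constructed placeholders
# taken from the documentation address ranges.
VIP = "212.43.218.153"
CIP = "192.0.2.10"
DIP = "198.51.100.5"
RIP = "203.0.113.7"


def saw(lines, src, dst):
    """True if any tcpdump line carries an IP header src -> dst.

    The pattern matches both the outer header and the nested header
    tcpdump prints for IPIP, so one helper serves every checkpoint.
    """
    pat = re.compile(
        rf"\bIP {re.escape(src)}(?:\.\d+)? > {re.escape(dst)}(?:\.\d+)?:"
    )
    return any(pat.search(line) for line in lines)


# Checkpoints in the order a packet traverses the LVS-TUN path:
# (capture name, (src, dst) that must appear, hint from the thread when
# it does not). Capture names are assumed labels for this example.
CHECKPOINTS = [
    ("director_indev", (CIP, VIP),
     "the client's request never reaches the director's inbound device"),
    ("director_outdev", (DIP, RIP),
     "IPVS did not emit the IPIP packet saddr=DIP daddr=RIP; check the director's firewall"),
    ("rs_in_eth", (DIP, RIP),
     "IPIP packet lost between director and real server; something on the path drops it"),
    ("rs_tunl0", (CIP, VIP),
     "kernel did not decapsulate: is the ipip module loaded and tunl0 up?"),
    ("rs_out_dev", (VIP, CIP),
     "no reply from the real server: is VIP configured on lo/dummy0 with the hidden flag set?"),
    ("client", (VIP, CIP),
     "reply with saddr=VIP leaves the RS but never reaches the client: the RS's gateway/ISP filters spoofed source addresses"),
]


def first_break(captures):
    """captures maps a capture name to its list of tcpdump lines.

    Returns (checkpoint, hint) for the first point where the expected
    packet is absent, or None when every checkpoint saw it.
    """
    for name, (src, dst), hint in CHECKPOINTS:
        if not saw(captures.get(name, []), src, dst):
            return name, hint
    return None


# Constructed captures (not from the thread) reproducing the symptom in
# the mail: the request arrives at the director, OUTDEV shows no IPIP.
STUCK = {
    "director_indev": [f"13:08:44.000001 IP {CIP}.40001 > {VIP}.80: S 1:1(0) win 5840"],
    "director_outdev": [],
}

# Constructed captures for a working LVS-TUN path, all six points present.
_IPIP = f"13:08:44.000002 IP {DIP} > {RIP}: IP {CIP}.40001 > {VIP}.80: S 1:1(0) win 5840 (ipip)"
HEALTHY = {
    "director_indev": STUCK["director_indev"],
    "director_outdev": [_IPIP],
    "rs_in_eth": [_IPIP],
    "rs_tunl0": [f"13:08:44.000003 IP {CIP}.40001 > {VIP}.80: S 1:1(0) win 5840"],
    "rs_out_dev": [f"13:08:44.000004 IP {VIP}.80 > {CIP}.40001: S 7:7(0) ack 2 win 5792"],
    "client": [f"13:08:44.000005 IP {VIP}.80 > {CIP}.40001: S 7:7(0) ack 2 win 5792"],
}

if __name__ == "__main__":
    for label, caps in (("stuck", STUCK), ("healthy", HEALTHY)):
        print(label, "->", first_break(caps) or "all checkpoints reached")
```

Dropping the client capture from the healthy set reproduces the other case discussed in the mail, where the reply with src=VIP leaves the real server but is filtered on the way out, which is exactly what the traceroute -s VIP test is meant to expose.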


