Hi all,
I'm trying to create a 'virtual-firewall' using linuxvirtualserver with
the following config:
FW1 - r2d2 - DIP - 192.168.1.29
FW2 - c3po -     - 192.168.1.15
LVS -            - 192.168.1.30

          LAN
           |
           |
      -----------
      |         |
    r2d2      c3po
    FW1        FW2
      |         |
  Internet   Internet
In a first step I'm using the FW1 as DIP and FW1 and FW2 as
real-servers. I'm trying to configure it following an appendix in the
LinuxVirtualServer FAQ, but I have had no luck.
I'm not using the rc.lvs_dr, 'cos it doesn't match the Firewall approach
I need, but using commands from it I have created a shell script as
follows:
-------------8<--------------------------------------------
#
# IPVS link up script
#
#
# Enabling ICMP Redirect requests
#
echo "1" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "1" > /proc/sys/net/ipv4/conf/default/send_redirects
echo "1" > /proc/sys/net/ipv4/conf/eth0/send_redirects
#
# Enabling eth0:30
#
/sbin/ifconfig eth0:30 192.168.1.30 broadcast lvs netmask 255.255.255.255
/sbin/route add -host 192.168.1.30 dev eth0:30
#
# Mask == 1
#
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 192.168.1.0/24 -j MARK --set-mark 1
# Now, set up a virtual service to act on the marked packets
# (first remove any earlier definition of fwmark service 1 and its real
# servers; these commands only report an error if nothing exists yet)
ipvsadm -D -f 1
ipvsadm -d -f 1 -r 192.168.1.15
ipvsadm -d -f 1 -r 192.168.1.29
ipvsadm -A -f 1 -s rr
ipvsadm -a -f 1 -r 192.168.1.15 -g -w 1
ipvsadm -a -f 1 -r 192.168.1.29 -g -w 1
-------------8<--------------------------------------------
I have the 192.168.1.30 as LVS, using 192.168.15 and 192.168.1.29 as
real-servers, aka firewalls, with a Round-Robin scheduler, and I have
added the mangle rule to mark with 0x1 the packets from my Intranet.
The ipvsadm output is:
-------------8<--------------------------------------------
IP Virtual Server version 1.0.0 (size=32768)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  1 rr
  -> r2d2.gaia:0                  Local   1      0          0
  -> c3po.gaia:0                  Route   1      0          0
-------------8<--------------------------------------------
On a testing client machine I get the following routing table:
-------------8<--------------------------------------------
jllaurado@jllaurado:~$ sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.30    0.0.0.0         UG    0      0        0 eth0
-------------8<--------------------------------------------
Well, my problem is I can't get connections to the routed firewall; all
the connections go through the FW1 (the DIP), and the ipvsadm shows 0
conns.
What am I doing wrong? Is this a correct use of LinuxVirtualServer, and
is it well implemented? Or am I a fool who doesn't understand anything about
this software? (I know I'm not an expert :-)
TIA.
--
_________________________________________________________
Josep Llauradó Selvas darlock@xxxxxxxxx
Linux Registered User #153481
The only "intuitive" interface is the nipple.
After that, it's all learned.
(in comp.os.linux.misc, on X interfaces.)
_________________________________________________________
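Added example, not from the original post or from the LVS project: a small POSIX sh/awk checker that reads an `ipvsadm -L` listing in the format shown above and reports real servers that carry no connections at all, plus each real server's share of its service's connections, so a director whose round-robin never reaches one firewall shows up in monitoring instead of being noticed by hand. The listing embedded below is constructed in the shape of the post's output; the connection counts are made up to show one busy and one idle real server.

```sh
#!/bin/sh
# Constructed sample of `ipvsadm -L` output (same layout as the post's listing;
# the ActiveConn/InActConn values are invented for the demonstration).
SAMPLE='IP Virtual Server version 1.0.0 (size=32768)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  1 rr
  -> r2d2.gaia:0                  Local   1      3          4
  -> c3po.gaia:0                  Route   1      0          0'

# Flatten the listing to one line per real server:
#   <Prot>/<service> <RemoteAddress:Port> <Forward> <Weight> <ActiveConn> <InActConn>
# A TCP/UDP/FWM header line selects the current service; "->" lines belong to it.
# The column header line ("-> RemoteAddress:Port ...") is skipped because no
# service has been seen yet when it appears.
lvs_flatten() {
    awk '
        /^(TCP|UDP|FWM) / { svc = $1 "/" $2; next }
        /^ *->/ && svc != "" { print svc, $2, $3, $4, $5, $6 }
    '
}

# Real servers with zero active and zero inactive connections.
lvs_idle_servers() {
    lvs_flatten | awk '$5 == 0 && $6 == 0 { print $1, $2, $3 }'
}

# Per real server: total connections and its percentage of the service total,
# so a scheduler imbalance (or a server that is never selected) stands out.
lvs_share() {
    lvs_flatten | awk '
        {
            conns = $5 + $6
            total[$1] += conns
            c[$1, $2] = conns
            order[++n] = $1 SUBSEP $2
        }
        END {
            for (i = 1; i <= n; i++) {
                split(order[i], kr, SUBSEP)
                t = total[kr[1]]
                pct = (t > 0) ? 100 * c[kr[1], kr[2]] / t : 0
                printf "%s %s %d %.0f%%\n", kr[1], kr[2], c[kr[1], kr[2]], pct
            }
        }'
}

# Return 1 (listing the offenders) when any real server is idle, 0 otherwise.
lvs_check_idle() {
    idle=$(lvs_idle_servers)
    if [ -n "$idle" ]; then
        printf 'idle real servers:\n%s\n' "$idle"
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample. On a director the same
# functions would be fed live output:  ipvsadm -L -n | lvs_check_idle
printf '%s\n' "$SAMPLE" | lvs_share
printf '%s\n' "$SAMPLE" | lvs_check_idle || echo "check returned $?"
```

The parser keys on the first column of the header lines, so it handles TCP and UDP virtual services as well as the FWM (fwmark) service used in the post, and works whether ipvsadm prints resolved hostnames (as above) or numeric addresses with `-n`. Run periodically from cron, a non-zero exit from `lvs_check_idle` is a cheap alarm that one leg of the "virtual firewall" is not receiving traffic.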