
Redirecting with iptables/DNAT on director with lvs-dr

To: LVS Users Mailing List <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Redirecting with iptables/DNAT on director with lvs-dr
From: djo@xxxxxxxxxxxxxxxxxxxxxx
Date: Mon, 24 Jun 2002 17:48:15 -0700
Here is what my lvs-dr setup looks like:

                       | clients |
                           |
                       | router | (running SNAT)
                           |
                 VIP=192.168.1.110 (eth0, arps)
                           |
                     | director |
                           |
                     DIP=10.1.1.1 (eth1, arps)
                           |
          -------------------------------------
          |                |                  |
   RIP1=10.1.1.2     RIP2=10.1.1.3     RIP3=10.1.1.4 (eth0)
   VIP=192.168.1.110 VIP=192.168.1.110 VIP=192.168.1.110 (all lo:0, can arp)
  | realserver  |   | realserver  |    | realserver  |
          |                |                  |
      (router)          (router)           (router)
          |                |                  |
          ----------------------------------------------> to client

Some incoming traffic from clients needs to bypass the LVS and go directly to 
one or another realserver.  I am doing this by assigning a unique port number 
to each realserver and then using iptables DNAT to redirect accordingly:

server                  port

realserver1             9001
realserver2             9002
realserver3             9003

The catch is this: for logistical reasons I want to run this rule on the 
director, NOT on the router.  So I put this ruleset on the router:

$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9001 -j DNAT --to <director>
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9002 -j DNAT --to <director>
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9003 -j DNAT --to <director>

where <director> can be either the VIP or the DIP


On the director I want to run the DNAT redirect:

$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9001 -j DNAT --to realserver1
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9002 -j DNAT --to realserver2
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9003 -j DNAT --to realserver3

Yet this is not working.  It does work if I move the last 3 rules onto the 
router.  I am trying to figure out why and if there is a way to have the 
director do the redirecting.

-- 
Daniel O'Neill
Systems Engineer
djoneill@xxxxxxxxxxxxxxxxx
415.644.9600 ext. 238 tel.
415.644.0015 fax
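A general netfilter property bears on the question above: a DNAT is undone on the reply by the conntrack entry on the same host that did the translation, so the reply has to pass back through the director. In lvs-dr the realserver answers the client directly through its own router, so the director never sees the reply. The model below is an added example, not code from the post or from LVS; the client address and source port are constructed, the port-to-realserver mapping is the one in the post.

```python
# Added example: a minimal model of PREROUTING DNAT plus conntrack on the
# director, to show why the flow works only when the reply returns via the
# director. Not LVS or netfilter code; addresses come from the post, the
# client (192.168.1.50:40000) is a constructed value.
from dataclasses import dataclass

VIP = "192.168.1.110"
DNAT_MAP = {9001: "10.1.1.2", 9002: "10.1.1.3", 9003: "10.1.1.4"}
CLIENT = "192.168.1.50"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Director:
    """DNAT by destination port; conntrack remembers the original tuple
    so that a reply seen on this host can be rewritten back to the VIP."""

    def __init__(self):
        self.conntrack = {}  # expected reply tuple -> original (dst, dport)

    def forward(self, p: Pkt) -> Pkt:
        rip = DNAT_MAP.get(p.dport)
        if rip is None or p.dst != VIP:
            return p  # not one of the bypass ports, untouched
        self.conntrack[(rip, p.dport, p.src, p.sport)] = (p.dst, p.dport)
        return Pkt(p.src, p.sport, rip, p.dport)

    def reply(self, p: Pkt) -> Pkt:
        orig = self.conntrack.get((p.src, p.sport, p.dst, p.dport))
        if orig is None:
            return p  # no state for this flow: nothing to reverse
        return Pkt(orig[0], orig[1], p.dst, p.dport)


def realserver_reply(p: Pkt) -> Pkt:
    # The realserver answers from the address and port it received on.
    return Pkt(p.dst, p.dport, p.src, p.sport)


def simulate(via_director: bool) -> tuple:
    d = Director()
    req = Pkt(CLIENT, 40000, VIP, 9002)
    fwd = d.forward(req)
    rep = realserver_reply(fwd)
    if via_director:  # reply routed back through the director (un-DNAT)
        rep = d.reply(rep)
    # The client only accepts a reply from the socket it connected to.
    accepted = (rep.src, rep.sport) == (req.dst, req.dport)
    return fwd.dst, rep.src, accepted
```

`simulate(False)` is the lvs-dr return path: the realserver's reply reaches the client from 10.1.1.3 instead of the VIP and is rejected; `simulate(True)` shows the same flow succeeding when the reply is routed back through the director.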