On Fri, Jul 26, 2002 at 09:03:47AM +0700, Le Van Thanh wrote:
> Dear Horm and list,
>
> Again arp problems!
>
> Suppose Now I have a realserver with real ip=10.70.75.3. And I wish that this
> realserver provide http service for the director with virtual
> address=10.70.75.4 (using LVS/DR).
>
> To prevent this realserver answer arp, I use the following iptables command:
> iptables -t nat -A PREROUTING -p tcp -d 10.70.75.4 --dport 80 -j REDIRECT
> --to-port 80
>
> I think that if I have already run this command, I could not use http
> service directly in this realserver. It means that if on my LAN
> network there is only this ONE realserver having the virtual IP
> address 10.70.75.4, I CAN NOT access any webpages from this by typing
> "http://10.70.75.4/" in the address bar of IE or Netscape in any
> computer on the Lan. But in fact, I could. So I think that I must
> have not succeeded in configuring iptables to solve arp problem as
> Horm described.
>
> Can anyone please tell me how to overcome this?
Hi Le,
Here are a couple of things that may help you to overcome your problems.
1. You can check what iptables commands are in effect in the "nat" table
on the real servers (or any host) by running:
iptables -t nat -Lnv
2. If you are using the iptables REDIRECT method as you describe above
then you should _not_ have an ip alias on the loopback interface
(or any other interface) on the real server for the VIP (10.70.75.4).
3. I believe that Red Hat ships with a kernel that is patched such that
the REDIRECT method will work. However, it is my understanding and
experience that in general this method does not work with 2.4.x
kernels.
4. If you are unable to get this working I would strongly recommend
applying the "hidden" interface patches to a vanilla kernel from
kernel.org. You can find the hidden patches on
www.linuxvirtualserver.org and information on how they can
be used in conjunction with ip aliases on the loopback interface
to resolve the ARP problem.
--
Horms
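The two checks in points 1 and 2 above, as an added example that is not part of the thread, of Horms' reply, or of the LVS project: a small POSIX sh script that takes the output of `iptables -t nat -L PREROUTING -n -v` and `ip -4 addr show` on a real server and reports whether a REDIRECT rule for the VIP exists and whether the VIP is (wrongly, for this method) configured as a local address. The sample command output embedded below is constructed to match the addresses in the thread, and the column layout assumed for both commands is that of current iptables and iproute2 releases.

```shell
#!/bin/sh
# Added example (not from the thread or the LVS project): sanity-check a
# real server that uses the iptables REDIRECT method for an LVS/DR VIP.
# Rule: a REDIRECT rule for VIP:80 must be present in nat/PREROUTING, and
# the VIP must NOT be an address on any interface (loopback included).

VIP="10.70.75.4"   # the VIP from the thread

# Constructed sample output of: iptables -t nat -L PREROUTING -n -v
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 1234 packets, 98K bytes)
 pkts bytes target     prot opt in     out     source               destination
  312 18720 REDIRECT   tcp  --  *      *       0.0.0.0/0            10.70.75.4           tcp dpt:80 redir ports 80'

# Constructed sample output of: ip -4 addr show, with the VIP wrongly aliased on lo
SAMPLE_ADDR_BAD='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
    inet 10.70.75.4/32 scope global lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 10.70.75.3/24 brd 10.70.75.255 scope global eth0'

# Same host with the alias removed (correct for the REDIRECT method)
SAMPLE_ADDR_OK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 10.70.75.3/24 brd 10.70.75.255 scope global eth0'

# escape_dots ADDR -> the address with dots escaped for use in a regex
escape_dots() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# has_redirect_rule NAT_OUTPUT VIP -> exit 0 if a REDIRECT rule for VIP:80 exists
has_redirect_rule() {
    vip_re=$(escape_dots "$2")
    printf '%s\n' "$1" |
        grep -E "^ *[0-9]+ +[0-9]+[KMG]? +REDIRECT +tcp .* $vip_re .*dpt:80" >/dev/null
}

# vip_is_aliased ADDR_OUTPUT VIP -> exit 0 if VIP is configured on some interface
vip_is_aliased() {
    vip_re=$(escape_dots "$2")
    printf '%s\n' "$1" | grep -E "^ +inet $vip_re/" >/dev/null
}

# check_realserver NAT_OUTPUT ADDR_OUTPUT VIP -> prints findings, exit 0 only if both are OK
check_realserver() {
    nat=$1; addr=$2; vip=$3; rc=0
    if has_redirect_rule "$nat" "$vip"; then
        echo "ok:   REDIRECT rule for $vip:80 present in nat/PREROUTING"
    else
        echo "FAIL: no REDIRECT rule for $vip:80 (compare: iptables -t nat -Lnv)"; rc=1
    fi
    if vip_is_aliased "$addr" "$vip"; then
        echo "FAIL: $vip is a local address; with REDIRECT it must not be aliased anywhere"; rc=1
    else
        echo "ok:   $vip is not aliased on any interface"
    fi
    return $rc
}

# Run against the constructed samples. On a live real server, use instead:
#   check_realserver "$(iptables -t nat -L PREROUTING -n -v)" "$(ip -4 addr show)" "$VIP"
echo "--- real server with VIP aliased on lo ---"
check_realserver "$SAMPLE_NAT" "$SAMPLE_ADDR_BAD" "$VIP" || echo "-> misconfigured"
echo "--- real server without the alias ---"
check_realserver "$SAMPLE_NAT" "$SAMPLE_ADDR_OK" "$VIP" && echo "-> configured for REDIRECT"
```

The first sample reproduces the situation described in the question: the REDIRECT rule is in place, but because the VIP is also an address on the real server, the host still answers ARP for it and the browser reaches the real server directly. The second sample is the configuration point 2 asks for.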