Re: LVS Routing Method Question

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: LVS Routing Method Question
Cc: piranha-list@xxxxxxxxxx, <mack.joseph@xxxxxxx>
From: "Matthew S. Crocker" <matthew@xxxxxxxxxxx>
Date: Sat, 14 Dec 2002 16:33:16 -0500 (EST)
On Sat, 14 Dec 2002, pb wrote:

> Matt, and all, 
> 
> I am sorry to write again, however I was re-reading 
> your email below regarding use of an IPTABLES rule for
> rewriting the packet IP, as opposed to it being the
> job of LVS NAT.  The IPTABLES rules I have on my LVS
> hosts are as follows - and I would like to know on
> which host (LVS or real) and WHAT SPECIFIC IPTABLES
> rule you recommend or refer to - please do specify???
> (I think I was a little confused by your statement.)

I am far from an iptables expert but you can attach rules to different 
interfaces and at certain parts of the packet flow.

There are INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING tables and a 
couple others (I think).  

Let's say you have one LVS server with 2 ethernet cards (eth0, eth1). 
eth0 is 'outside' using public IP address.
eth0 has the VIP attached to it. (12.34.56.78)

eth1 is 'inside' using private IP address (192.168.1.1)
eth1 is the network with real servers.

Let's say you have 3 real servers (192.168.1.11, 192.168.1.12, 
192.168.1.13). The real servers are using 192.168.1.1 as their default 
gateway.

Under normal LVS-NAT the packet will flow like this:

CIP = Client IP (34.56.78.90)
VIP = Virtual Service IP  (12.34.56.78)
RIP = Real Server IP (192.168.1.11)
LIP-INT = LVS IP Address INTERNAL (192.168.1.1)
LIP-EXT = LVS IP Address EXTERNAL (12.34.56.1)
CPORT = Client Port  (Random > 1024)
VPort = Virtual Service port (HTTP:80)
RPort = Real Port (HTTP:80)

Client sends a packet to VIP   (Source=CIP:CPORT, Dest=VIP:VPORT)
The packet enters the LVS box and goes through the LVS-NAT process.
LVS-NAT rewrites Dest to the real server  (Source=CIP:CPORT, 
Dest=RIP:RPORT).  The LVS box routes the re-written packet to the real 
server.

The real server sends its response (Source RIP:RPORT, Dest CIP:CPORT).
By default the real server routes it to the LVS box.
The LVS-NAT process re-writes the packet so the source is now the VIP
(Source VIP:VPORT, Dest CIP:CPORT).  The packet goes on its merry way.

From the sounds of it you want to do one more step coming and going 
because you want the packet when it reaches the real server to look like 
(Source=LVS-INT:LVSPORT, Dest=RIP:RPORT).  This can be accomplished (I 
think) by putting some NAT rules on the POSTROUTING table of the 
LVS-INT interface.

Something like 'iptables -v -t nat -A POSTROUTING -s 0.0.0.0/0 -o eth1 -j MASQUERADE'

Again, I'm not an iptables expert so I don't know the exact syntax.  

Hope this helps

-Matt
> 
> ## Sets up the masq
> iptables -v -t nat -A POSTROUTING -s 100.200.10.0/24
> -j MASQUERADE
> 
> ## Use this for sendmail
> ipvsadm -A -t 100.200.13.26:25 -s wlc
> ipvsadm -a -t 100.200.13.26:25 -r 100.200.10.37:25 -m
> ipvsadm -a -t 100.200.13.26:25 -r 100.200.10.38:25 -m
> 
> I included your email (below) if you need
> to re-read what you wrote to me (this was
> regarding true NAT and rewriting the packet).
> 
> Thanks again,
> Peter
> --- "Matthew S. Crocker" <matthew@xxxxxxxxxxx> wrote:
> > Hrm,  So he wants the source address of the incoming
> > connection to be 
> > re-written to that of your internal address of your
> > LVS server?  I'm not 
> > exactly sure why you would want to do this but it
> > can be done.  It is not 
> > really the job of LVS it would be handled by an
> > iptables rule.
> > 
> > Basically, use LVS-NAT to re-write the destination
> > IP of the packet to 
> > that of the real server IP.  This is done as the
> > packet enters the LVS 
> > router.  Then,  re-write the source IP to that of
> > the LVS internal IP 
> > address.  This is done by iptables as the packet
> > leaves the router.
> > 
> > The destination of the returning packet gets
> > re-written as the packet 
> > enters the router on the LVS internal interface. 
> > The source of the return 
> > packet gets re-written by LVS module as it leaves
> > the router on the LVS 
> > external interface.  I'm not sure why you wouldn't
> > want to see the real 
> > source IP at the real servers.
> 
> 

-- 
----------------------------------------------------------------------
Matthew S. Crocker 
Vice President / Internet Division         Email: matthew@xxxxxxxxxxx
Crocker Communications                     Phone: (413) 746-2760
PO BOX 710                                 Fax:   (413) 746-3704
Greenfield, MA 01302-0710                  http://www.crocker.com
----------------------------------------------------------------------
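As an added illustration (this is not code from either mail, nor LVS or iptables code), here is a small Python model of the two address-rewriting variants discussed above, using the addresses from Matt's example. It tracks connections the way the director does, rewrites the destination to RIP:RPORT on the way in, optionally masquerades the source to LIP-INT on the way out of eth1, and undoes both rewrites on the reply. It also models the real server's routing decision, which shows the operational difference: without the extra masquerade, replies only come back through the director if the real servers' default gateway is LIP-INT (otherwise they leave the inside network with a private, un-rewritten source); with it, replies always return to LIP-INT, but the real servers then only ever see LIP-INT as the client address, so their logs lose the real client IP. Assumptions labelled in the code: round-robin scheduling (the mail names no scheduler), MASQUERADE keeping the original source port, a single 192.168.1.0/24 inside subnet, and a constructed client port of 40000.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses taken from the mail; the client port and the alternate gateway are constructed.
CIP = "34.56.78.90"              # client
VIP = "12.34.56.78"              # virtual service IP on eth0
LIP_INT = "192.168.1.1"          # LVS internal IP on eth1 (the real servers' default gateway)
REAL_SERVERS = ["192.168.1.11", "192.168.1.12", "192.168.1.13"]
VPORT = RPORT = 80
CPORT = 40000
INSIDE = ip_network("192.168.1.0/24")   # assumption: one inside subnet on eth1


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class LvsNatDirector:
    """LVS-NAT director; optionally also masquerades the source as packets leave eth1."""

    def __init__(self, snat_on_eth1=False):
        self.snat_on_eth1 = snat_on_eth1
        self.conntrack = {}      # (CIP, CPORT) -> RIP, standing in for the ipvs connection table
        self._next = 0

    def _pick_real_server(self):
        # Assumption: round-robin scheduling; the mail does not name a scheduler.
        rip = REAL_SERVERS[self._next % len(REAL_SERVERS)]
        self._next += 1
        return rip

    def from_client(self, pkt):
        """Packet arriving on eth0 for VIP:VPORT, as it leaves eth1 towards the real server."""
        if (pkt.dst, pkt.dport) != (VIP, VPORT):
            raise ValueError("no virtual service for %s:%d" % (pkt.dst, pkt.dport))
        key = (pkt.src, pkt.sport)
        if key not in self.conntrack:
            self.conntrack[key] = self._pick_real_server()
        pkt = replace(pkt, dst=self.conntrack[key], dport=RPORT)   # LVS-NAT: Dest -> RIP:RPORT
        if self.snat_on_eth1:
            # iptables -t nat POSTROUTING MASQUERADE on eth1: Source -> LIP-INT.
            # Assumption: MASQUERADE keeps the original source port (it does when the port is free).
            pkt = replace(pkt, src=LIP_INT)
        return pkt

    def from_real_server(self, pkt):
        """Reply arriving on eth1; undo both rewrites so the client sees VIP:VPORT."""
        for (cip, cport), rip in self.conntrack.items():
            expected_dst = LIP_INT if self.snat_on_eth1 else cip
            if pkt.src == rip and pkt.dport == cport and pkt.dst == expected_dst:
                return Packet(src=VIP, sport=VPORT, dst=cip, dport=cport)
        raise ValueError("reply does not match any tracked connection")


def real_server_reply(request, default_gw=LIP_INT):
    """Reply the real server sends, and the next hop its routing table picks for it."""
    reply = Packet(src=request.dst, sport=request.dport, dst=request.src, dport=request.sport)
    if ip_address(reply.dst) in INSIDE:
        next_hop = reply.dst       # on-link destination: delivered directly, never via a gateway
    else:
        next_hop = default_gw      # anything else follows the default route
    return reply, next_hop


def round_trip(snat_on_eth1, default_gw=LIP_INT):
    """One request/reply through the director; returns what each side observed."""
    director = LvsNatDirector(snat_on_eth1)
    at_real_server = director.from_client(Packet(CIP, CPORT, VIP, VPORT))
    reply, next_hop = real_server_reply(at_real_server, default_gw)
    result = {"seen_by_real_server": at_real_server.src, "next_hop": next_hop,
              "reply_to_client": None, "leaked_reply": None}
    if next_hop == LIP_INT:
        result["reply_to_client"] = director.from_real_server(reply)   # VIP:VPORT -> CIP:CPORT
    else:
        result["leaked_reply"] = reply   # left the inside network un-rewritten, private source and all
    return result


if __name__ == "__main__":
    for snat in (False, True):
        for gw in (LIP_INT, "192.168.1.254"):   # second gateway is a constructed "wrong" default route
            print("snat=%s gw=%s -> %s" % (snat, gw, round_trip(snat, gw)))
```

Running it prints the four combinations; the two worth comparing are plain LVS-NAT with a default gateway other than LIP-INT (the reply never comes back through the director) and LVS-NAT plus masquerade (the reply always does, but the real server only ever saw LIP-INT).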