I have my load balancers behind an iptables firewall doing NAT.
I am using firewall marks to route packets to the websites.
Problem: all worked well with one site LIVE (real NAT IP address) and one
site not live (only having a DMZ IP address).
When the second site went live both sites started fouling up. Some of the
image templates for website A would show up on website B and vice versa.
Is too much NATting going on? Do the fwmarks not handle NATted packets
from another firewall well?
setup:

    WAN (216.x.x.x)
          |
          |
    IPTABLES FW ---------- LAN (192.168.1.x)
          |
          |
    DMZ (192.168.0.x)
          |
          |
    LoadBalancer
       |              |
       |              |
    webserver1        webserver2
    (192.168.2.101)   (192.168.2.102)
iptables script:

    # Assumed here: the post does not show where $IPTABLES is set
    IPTABLES=/sbin/iptables

    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe iptable_filter
    /sbin/modprobe iptable_mangle
    /sbin/modprobe iptable_nat
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_state
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ipt_MASQUERADE

    # Enable IP forwarding between the interfaces
    echo "1" > /proc/sys/net/ipv4/ip_forward

    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT

    # Define networks and hosts
    LVS_FLOAT_IP="192.168.2.1"
    LAN_FLOAT_IP="192.168.1.10"

    ####################################################################
    # websites
    ####################################################################
    # site 1
    DMZ_SITE1_IP="192.168.0.19"
    # site 2
    DMZ_SITE2_IP="192.168.0.24"

    ###########################################################################
    # LVS RULES
    ###########################################################################
    # Masquerade traffic leaving the real-server network (LVS-NAT replies)
    $IPTABLES -t nat -A POSTROUTING -j MASQUERADE -s 192.168.2.0/24

    ############################################################################
    #
    # website mark rules: each DMZ address gets the fwmark ldirectord
    # uses as its virtual service number
    ############################################################################
    #
    # Site1
    $IPTABLES -t mangle -A PREROUTING -d $DMZ_SITE1_IP -j MARK --set-mark 1
    # Site2
    $IPTABLES -t mangle -A PREROUTING -d $DMZ_SITE2_IP -j MARK --set-mark 2
ldirectord.cf:

    # Global Directives
    checktimeout=10
    checkinterval=2
    #fallback=127.0.0.1:80
    autoreload=yes
    #logfile="/var/log/ldirectord.log"
    quiescent=no

    # Note: persistence needs to be turned on if FTP traffic is to be handled
    # using LVS-DR (gate) or LVS-TUN (ipip). This is not necessary
    # for LVS-NAT (masq).

    # Site1 (fwmark 1); directives belonging to a virtual service are indented
    virtual=1
        real=192.168.2.24:0 masq
        real=192.168.2.124:0 masq
        service=http
        checkport=80
        checktype=negotiate
        request="lvs.html"
        receive="server-up"
        scheduler=lc
        persistent=3600

    # Site2 (fwmark 2)
    virtual=2
        real=192.168.2.19:0 masq
        real=192.168.2.119:0 masq
        service=http
        checkport=80
        checktype=negotiate
        request="lvs.html"
        receive="server-up"
        scheduler=lc
        persistent=3600
Chip Upsal
SysAdmin
CyberWolf Inc
505.983.6463 x28
http://www.cyberwolf.com
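As an added example (not code from the original post, nor from LVS or ldirectord), here is a small Python script that reads the two mangle rules and the ldirectord.cf above, embedded as strings constructed from the post's values, and traces, for a destination address, which fwmark the packet receives and which real servers the matching virtual service would balance it across. It also flags a mark with no matching virtual service, a virtual service no rule marks for, and a directive repeated inside one virtual block. The parsing is a simplified reading of the two formats, not ldirectord's own parser, and it only collects fwmark-style `virtual=N` services.

```python
"""Trace a destination address through iptables fwmarks to an LVS service.

Added example, not code from the original post or from LVS/ldirectord.
"""
import re
from collections import defaultdict

# Constructed from the post: $IPTABLES and the DMZ_SITE*_IP variables expanded.
MANGLE_RULES = """
iptables -t mangle -A PREROUTING -d 192.168.0.19 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -d 192.168.0.24 -j MARK --set-mark 2
"""

# Constructed from the post's ldirectord.cf, with directives indented under
# their virtual= line as ldirectord requires. The doubled scheduler line from
# the post is kept on purpose so the duplicate check has something to find.
LDIRECTORD_CF = """
checktimeout=10
checkinterval=2
quiescent=no
# Site1
virtual=1
    real=192.168.2.24:0 masq
    real=192.168.2.124:0 masq
    service=http
    scheduler=lc
    scheduler=lc
    persistent=3600
# Site2
virtual=2
    real=192.168.2.19:0 masq
    real=192.168.2.119:0 masq
    service=http
    scheduler=lc
    persistent=3600
"""

MARK_RE = re.compile(r"-d\s+(\S+)\s.*--set-mark\s+(\d+)")


def parse_mark_rules(text):
    """Map destination address -> fwmark from 'MARK --set-mark' rules."""
    marks = {}
    for line in text.splitlines():
        m = MARK_RE.search(line)
        if m:
            marks[m.group(1)] = int(m.group(2))
    return marks


def parse_ldirectord(text):
    """Return ({fwmark: {"reals": [...], "directives": {...}}}, warnings).

    A non-indented line ends the current virtual block, as in ldirectord.cf;
    only numeric 'virtual=N' (fwmark) services are collected.
    """
    services, warnings, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition("=")
        if not line[0].isspace():
            current = int(value) if key == "virtual" and value.isdigit() else None
            if current is not None:
                services[current] = {"reals": [], "directives": defaultdict(list)}
            continue
        if current is None:
            warnings.append(f"indented directive outside a fwmark service: {line.strip()}")
        elif key == "real":
            services[current]["reals"].append(value.split()[0])  # keep ip:port, drop 'masq'
        else:
            services[current]["directives"][key].append(value)
    for mark, svc in services.items():
        for key, values in svc["directives"].items():
            if len(values) > 1:
                warnings.append(f"virtual={mark}: directive '{key}' given {len(values)} times")
    return services, warnings


def check_consistency(marks, services):
    """Marks no service handles, and services no rule marks traffic for."""
    problems = []
    for dst, mark in marks.items():
        if mark not in services:
            problems.append(f"{dst} is marked {mark} but there is no virtual={mark}")
    for mark in services:
        if mark not in marks.values():
            problems.append(f"virtual={mark} has no PREROUTING rule setting mark {mark}")
    return problems


def trace(dst_ip, marks, services):
    """(fwmark, real servers) for a packet to dst_ip; (None, []) if unmarked."""
    mark = marks.get(dst_ip)
    if mark is None or mark not in services:
        return mark, []
    return mark, list(services[mark]["reals"])


if __name__ == "__main__":
    marks = parse_mark_rules(MANGLE_RULES)
    services, warnings = parse_ldirectord(LDIRECTORD_CF)
    for dst in sorted(marks):
        print(dst, "->", trace(dst, marks, services))
    for msg in check_consistency(marks, services) + warnings:
        print("WARNING:", msg)
```

Run as-is it prints which real servers each DMZ address is steered to and one warning about the repeated scheduler directive; pointing `MANGLE_RULES` and `LDIRECTORD_CF` at the live files gives a quick check that every mark and every virtual service line up before chasing the problem elsewhere.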