Actually, this isn't true. I have an LVS setup with a mix of LVS-NAT
and LVS-DR. All traffic passing through the LVS boxes works just
fine.
Did you install Julian's martian modification patch, and set the /proc
filesystem
to allow martians, or do you have some new way that I don't know about?
I don't think I did anything special.
Here is my setup...
[root@lvsd-2 root]# ipvsadm -L
IP Virtual Server version 1.0.7 (size=65536)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP mail.crocker.com:smtp wlc
-> 192.168.15.31:smtp Masq 100 8 178
-> 192.168.15.33:smtp Masq 100 10 162
-> 192.168.15.32:smtp Masq 100 9 171
-> 192.168.15.34:smtp Masq 100 8 167
TCP mail.crocker.com:pop3 wlc
-> 192.168.15.33:pop3 Masq 100 1 76
-> 192.168.15.34:pop3 Masq 100 2 48
-> 192.168.15.32:pop3 Masq 100 2 57
-> 192.168.15.31:pop3 Masq 100 1 78
TCP mail.crocker.com:http wlc
-> 192.168.15.33:http Masq 100 0 53
TCP mail.crocker.com:imap wlc
-> 192.168.15.34:imap Masq 100 3 4
-> 192.168.15.33:imap Masq 100 4 0
-> 192.168.15.31:imap Masq 100 4 0
TCP mail.crocker.com:imaps wlc
-> 192.168.15.33:imaps Masq 100 0 0
-> 192.168.15.31:imaps Masq 100 0 0
TCP mail.crocker.com:smtps wlc
-> 192.168.15.33:smtps Masq 100 0 0
-> 192.168.15.34:smtps Masq 100 0 0
-> 192.168.15.32:smtps Masq 100 0 0
-> 192.168.15.31:smtps Masq 100 0 0
FWM 1 wlc
-> 192.168.15.42:0 Route 1 5 631
-> 192.168.15.41:0 Route 1 5 632
[root@lvsd-2 root]# iptables -t mangle -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK tcp -- 0.0.0.0/0 159.250.20.0/24 tcp dpt:80
MARK set 0x1
MARK tcp -- 0.0.0.0/0 159.250.20.0/24 tcp dpt:443
MARK set 0x1
[root@lvsd-2 root]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.15.0/24 0.0.0.0/0
[root@lvsd-2 root]# less /etc/rc.d/rc.local
#!/bin/bash
/sbin/ip rule add prio 100 fwmark 1 table 100
/sbin/ip route add local 0/0 dev lo table 100
[root@lvsd-2 root]# ip address list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:03:47:07:3b:28 brd ff:ff:ff:ff:ff:ff
inet 204.97.12.36/24 brd 204.97.12.255 scope global eth0
inet 204.97.12.61/32 scope global eth0
inet 204.97.12.58/32 scope global eth0
inet 204.97.12.57/32 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:4b:97:0d:10 brd ff:ff:ff:ff:ff:ff
inet 192.168.15.12/24 brd 192.168.15.255 scope global eth1
inet 192.168.15.1/32 scope global eth1
[root@lvsd-2 root]# ip route list table 100
local default dev lo scope host
-----
My LVS director is on 204.97.12.x and 192.168.15.x
My mail servers are on 192.168.15.x LVS-NAT
My web servers are on 192.168.15.x LVS-DR
My web servers are listening on 159.250.20.x with ip aliases
I have about 30 SSL sites up on the web cluster each one assigned an IP
out of the 159.250.20.x network.
All servers on 192.168.15.x have default gateways to the inside VIP of
the LVS cluster (192.168.15.1)
My web virtual-hosts are on 159.250.20.x
My routers have a route for 159.250.20.x/24 going to the outside VIP of
the LVS cluster (204.97.12.61)
Only TCP packets on port 80 & 443 make it through the LVS server to the
web servers. The entire /24 netblock is load balanced on the same FW
Mark entry.
Packets hit the web servers without being natted (source is real client
and destination is 159.250.20.x). Web servers reply with packets from
159.250.20.x destination of real client. Packets are not natted going
back through the LVS firewall because the NAT rule only nats packets
with source of 159.250.20.x
The LVS server is a stock Redhat 8.0 kernel with newer LVS modules
installed.
Traffic is directed to the VIP so if an LVS server fails the router
sends them to the backup LVS server.
My cisco config...
Springfield-R1#show config | include 159.250.20
ip route 159.250.20.0 255.255.255.0 204.97.12.61
Works perfectly.
-Matt
Joe
--
Joseph Mack PhD, Senior Systems Engineer, SAIC contractor
to the National Environmental Supercomputer Center,
ph# 919-541-0007, RTP, NC, USA. mailto:mack.joseph@xxxxxxx
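The packet path Matt describes above (fwmark in mangle PREROUTING, the fwmark rule pointing at a table with a "local default dev lo" route, the FWM 1 service forwarded with Route/LVS-DR, the mail services with Masq/LVS-NAT, and the POSTROUTING MASQUERADE keyed on source 192.168.15.0/24), written up as an added example model in Python; it is not code from the thread or from the LVS project. Addresses, ports and real servers come from the quoted ipvsadm, iptables and ip output; the address used for mail.crocker.com (204.97.12.58) is an assumption, as is the simplified routing decision.

```python
import ipaddress
from dataclasses import dataclass

# Values below are taken from the quoted ipvsadm/iptables/ip output.
WEB_NET = ipaddress.ip_network("159.250.20.0/24")     # DR web VIPs (fwmark 1)
INSIDE_NET = ipaddress.ip_network("192.168.15.0/24")  # NAT real-server network
MAIL_VIP = ipaddress.ip_address("204.97.12.58")       # ASSUMED: one of the eth0 /32 VIPs
MAIL_PORTS = {25, 110, 80, 143, 993, 465}             # smtp pop3 http imap imaps smtps
WEB_RS = ["192.168.15.41", "192.168.15.42"]           # FWM 1 real servers (Route)
MAIL_RS = ["192.168.15.31", "192.168.15.32", "192.168.15.33", "192.168.15.34"]
DIRECTOR_ADDRS = {ipaddress.ip_address(a) for a in (
    "127.0.0.1", "204.97.12.36", "204.97.12.61", "204.97.12.58",
    "204.97.12.57", "192.168.15.12", "192.168.15.1")}

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def mangle_prerouting(pkt):
    """iptables -t mangle PREROUTING: MARK 0x1 on tcp/80 and tcp/443 to 159.250.20.0/24."""
    dst = ipaddress.ip_address(pkt.dst)
    return 1 if pkt.proto == "tcp" and dst in WEB_NET and pkt.dport in (80, 443) else 0

def is_local_delivery(pkt, fwmark):
    """'ip rule prio 100 fwmark 1 table 100' plus 'local default dev lo' in table 100:
    marked packets are treated as local, so ipvs gets to see a whole /24 that is not
    configured on any interface. Unmarked packets follow the normal local table."""
    return fwmark == 1 or ipaddress.ip_address(pkt.dst) in DIRECTOR_ADDRS

def ipvs_lookup(pkt, fwmark):
    """Match the FWM 1 service (Route = LVS-DR) or the mail VIP services (Masq = LVS-NAT)."""
    if fwmark == 1:
        return "DR", WEB_RS          # dst stays 159.250.20.x; real server answers directly
    if ipaddress.ip_address(pkt.dst) == MAIL_VIP and pkt.dport in MAIL_PORTS:
        return "NAT", MAIL_RS        # dst rewritten to a 192.168.15.x real server
    return None

def walk(pkt):
    """How the director handles an inbound packet: 'DR', 'NAT', 'local' or 'not-local'."""
    fwmark = mangle_prerouting(pkt)
    if not is_local_delivery(pkt, fwmark):
        return "not-local"           # routed or dropped normally; never reaches the web servers
    hit = ipvs_lookup(pkt, fwmark)
    return hit[0] if hit else "local"

def reply_is_masqueraded(src):
    """POSTROUTING MASQUERADE matches only source 192.168.15.0/24, so NAT real servers'
    replies are rewritten while DR replies sourced from 159.250.20.x pass unchanged."""
    return ipaddress.ip_address(src) in INSIDE_NET
```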