Re: Packets aren't returning to host

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Packets aren't returning to host
From: Marc Tardif <mtardif@xxxxxxxxxxx>
Date: Mon, 25 Aug 2003 10:39:30 -0400
Horms wrote:
On Sun, Aug 24, 2003 at 04:20:19PM -0400, Marc Tardif wrote:

linux kernel 2.4.21
ipvs and ipvsadm installed from ipvs 1.0.10 tarball

I can get ip_vs to redirect incoming packets on port 80 to an internal box, but I can't seem to return these packets to the calling host. Here's my network setup:

 external        gateway        internal
 --------        -------        --------
 192.168.0.68 -> 192.168.0.2
                 10.9.201.2  -> 10.9.201.225

The gateway has the following interfaces and filtering configuration (command outputs have been shortened):

 # ifconfig
 eth0 inet addr:10.9.201.2  Bcast:10.9.201.255  Mask:255.255.255.0
 eth1 inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
 # ipvsadm -L
 TCP  192.168.0.2:http wlc
   -> 10.9.201.225:http     Masq    1      0          0
 # ipchains -L
 Chain forward (policy ACCEPT):
 target     prot opt     source                destination
 MASQ       all  ----l-  10.9.201.0/24        anywhere


The internal box has the gateway configured as a default gateway:

 # netstat -rn
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags  Iface
 10.9.201.0      0.0.0.0         255.255.255.0   U       eth0
 192.168.0.0     10.9.201.2      255.255.255.0   UG      eth0


This is the tcpdump on the gateway generated by the external box attempting to telnet to port 80 of the gateway:

15:34:21.737622 192.168.0.68.1071 > 10.9.201.225.http: S 855275531:855275531(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:34:21.737927 10.9.201.225.http > 192.168.0.68.1071: S 4039057286:4039057286(0) ack 855275532 win 5840 <mss 1460,nop,nop,sackOK> (DF)
15:34:24.651755 192.168.0.68.1071 > 10.9.201.225.http: S 855275531:855275531(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:34:24.652003 10.9.201.225.http > 192.168.0.68.1071: S 4039057286:4039057286(0) ack 855275532 win 5840 <mss 1460,nop,nop,sackOK> (DF)
15:34:24.728277 10.9.201.225.http > 192.168.0.68.1071: S 4039057286:4039057286(0) ack 855275532 win 5840 <mss 1460,nop,nop,sackOK> (DF)


Hi,

I take it that this tcpdump was taken on the internal interface
of the linux director (gateway). If so it looks like the packet
from the real server (external box) is being correctly sent to
the real server (internal box) and that the real server is in
turn replying correctly. It also seems that the Linux Director is
seeing the return packet, though without examining the MAC address
it is hard to confirm that it has been sent to the Linux Director.

I would suspect that the problem is that the Linux Director
is not demasquerading and forwarding the return packets. Can you
confirm that the routing on the Linux Director is correct,
that probably means 10.9.201/24 being routed to the internal
interface and 0/0 or at least 192.168.0/24 being routed to the external interface.

Here's a tcpdump on the external interface of the Linux Director:

10:07:51.140679 192.168.0.68.1084 > 192.168.0.2.http: S 352642595:352642595(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
10:07:54.066679 192.168.0.68.1084 > 192.168.0.2.http: S 352642595:352642595(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

That means the external box keeps trying to establish an http connection but is never receiving a response. Therefore, you are right that the Linux Director is not forwarding the return packets. You've asked me to confirm the routing information but I'm not sure what to show you other than the ipchains configuration in my original message. Just in case it's relevant, here's my routing table on the Linux Director:

  # netstat -rn
  Kernel IP routing table
  Destination    Gateway       Genmask         Flags  Iface
  10.9.201.0     0.0.0.0       255.255.255.0   U      eth0
  192.168.0.0    0.0.0.0       255.255.255.0   U      eth1
  127.0.0.0      0.0.0.0       255.0.0.0       U      lo
  0.0.0.0        10.9.201.7    0.0.0.0         UG     eth0

Running tcpdump on the external interface of the Linux Director
may shed some more light onto this problem.


Problem is, the external box hangs on the telnet and never seems to get a response via the gateway. Maybe the problem is that it's expecting an answer from 192.168.0.2 whereas the tcpdump is showing a packet arriving from 10.9.201.225. Can someone point me in the right direction? I've followed the exact installation instructions on the virtual server website:
http://www.linuxvirtualserver.org/VS-NAT.html

More explicitly, I've run the following commands:

 # echo 1 > /proc/sys/net/ipv4/ip_forward
 # ipchains -l -A forward -j MASQ -s 10.9.201.0/24 -d 0.0.0.0/0
 # ipvsadm -A -t 192.168.0.2:80 -s wlc
 # ipvsadm -a -t 192.168.0.2:80 -r 10.9.201.225:80 -m



--
Marc Tardif
Sitepak
(514) 866-8883
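
Added example, not part of the original message or of the LVS project: a small Python script that reads the two tcpdump captures quoted in this thread and reports where the VS-NAT return path stops. The function names `parse` and `diagnose` and the verdict strings are made up for this illustration; the capture lines are copied from the thread.

```python
import re

# Old-style tcpdump text output: "time src.port > dst.port: flags rest"
LINE = re.compile(r"^\S+ (\d+(?:\.\d+){3})\.(\w+) > (\d+(?:\.\d+){3})\.(\w+): (\S+) (.*)$")

# Capture lines copied from the thread (director's internal, then external interface).
INSIDE = [
    "15:34:21.737622 192.168.0.68.1071 > 10.9.201.225.http: S 855275531:855275531(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    "15:34:21.737927 10.9.201.225.http > 192.168.0.68.1071: S 4039057286:4039057286(0) ack 855275532 win 5840 <mss 1460,nop,nop,sackOK> (DF)",
    "15:34:24.651755 192.168.0.68.1071 > 10.9.201.225.http: S 855275531:855275531(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    "15:34:24.652003 10.9.201.225.http > 192.168.0.68.1071: S 4039057286:4039057286(0) ack 855275532 win 5840 <mss 1460,nop,nop,sackOK> (DF)",
    "15:34:24.728277 10.9.201.225.http > 192.168.0.68.1071: S 4039057286:4039057286(0) ack 855275532 win 5840 <mss 1460,nop,nop,sackOK> (DF)",
]
OUTSIDE = [
    "10:07:51.140679 192.168.0.68.1084 > 192.168.0.2.http: S 352642595:352642595(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    "10:07:54.066679 192.168.0.68.1084 > 192.168.0.2.http: S 352642595:352642595(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
]

def parse(line):
    """Return src, dst and packet kind (syn / syn-ack / other), or None if unparsable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, _sport, dst, _dport, flags, rest = m.groups()
    kind = "other"
    if "S" in flags:
        kind = "syn-ack" if " ack " in f" {rest} " else "syn"
    return {"src": src, "dst": dst, "kind": kind}

def diagnose(inside, outside, client, vip, real):
    """Count handshake packets per interface and name the hop where replies stop."""
    ins = [p for p in map(parse, inside) if p]
    outs = [p for p in map(parse, outside) if p]
    def n(pkts, kind, src, dst):
        return sum(p["kind"] == kind and p["src"] == src and p["dst"] == dst for p in pkts)
    c = {"syn_to_vip_outside": n(outs, "syn", client, vip),
         "syn_to_real_inside": n(ins, "syn", client, real),
         "synack_from_real_inside": n(ins, "syn-ack", real, client),
         "synack_from_vip_outside": n(outs, "syn-ack", vip, client),
         "synack_from_real_outside": n(outs, "syn-ack", real, client)}
    if c["synack_from_vip_outside"]:
        return c, "return path works"
    if c["synack_from_real_outside"]:
        return c, "reply leaves director without source rewrite"
    if c["synack_from_real_inside"]:
        return c, "reply seen inside, never leaves outside interface"
    if c["syn_to_real_inside"]:
        return c, "real server not answering"
    return c, "request never forwarded to real server"

if __name__ == "__main__":
    print(diagnose(INSIDE, OUTSIDE, "192.168.0.68", "192.168.0.2", "10.9.201.225"))
```

The text output does not include link-level headers, so the script cannot tell whether the inside SYN-ACKs were addressed to the director's MAC; capturing with `tcpdump -e` would show that.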
