Re: Port redirection in LVS Localnode

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Port redirection in LVS Localnode
From: Roberto Nibali <ratz@xxxxxxxxxxxx>
Date: Tue, 20 Jul 2004 07:11:21 +0200
Good day,

[please try to wrap your overly long lines in your emails next time]

> I have a configuration with only two machines that act both as directors
> and real servers (Localnode).
> With a Localnode configuration I already heard that you can't make port
> redirection/rewrite independently of the forwarding method (DR, TUN or NAT).

Yes.

> I need port redirection because I want to offer
> a Virtual HTTP Service on port 80, and map this service
> to two real servers running Tomcat on port 8080 with
> an unprivileged account.

Ok.

> Because LVS can't do redirection, I tried with an
> iptables DNAT rule in the PREROUTING chain.
>
>     iptables -t nat -A PREROUTING -p tcp -d VIP --dport 80 \
>             -j DNAT --to VIP:8080

> This rule functions well for the traffic that is
> mapped to the local real server, but the traffic that
> goes to the other real server returns with source port

If I understand you correctly, the other RS is a physically different machine, right?

> 8080 to the client (which causes a reset of the TCP connection
> by the client). I probed this configuration with LVS/NAT and LVS/DR with
> the forward_shared (source martians) patch.

You need someone to do a port mapping for you on your back-path ;).

> Is it possible to do port redirection in a Localnode environment?

[First idea I had which probably doesn't work]
---------------------
I don't know but what you could try is to add two rules:

[Internet] ----> eth0[director/node1]eth1 -----> eth0[node2]

Two DNAT rules:

iptables -t nat -A PREROUTING -i eth0 -p tcp -d $VIP --dport 80 \
                -j DNAT --to $VIP:8080
# POSTROUTING only knows the outgoing interface, so match it with -o, not -i
iptables -t nat -A POSTROUTING -o eth0 -p tcp -d $CIP -s $RIP \
                --sport 8080 -j SNAT --to-source $IP_of_eth0:80
---------------------

The "problem" is that netfilter maintains a template table which is used to look up the n-tuple corresponding to your initial connection attempt which was port-redirected. Of course the source port of the outgoing packet is then not known, which gives you little to no option of back-mapping the port.

What you could do is have a tcp forwarding tool on a local socket on node2 which redirects traffic to the local socket on port 8080. There are other possibilities, however I'm not sure if I understand your current setup correctly.

HTH and best regards,
Roberto Nibali, ratz
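The "tcp forwarding tool on a local socket" suggested above, as an added example in Python; this is not Roberto's code and not part of LVS or ipvsadm. It accepts connections on the service port and splices each one to Tomcat on 8080, so the bytes the client sees come back from the port it connected to and 8080 never appears on the wire towards the client, which is exactly the source-port problem the thread describes. The demo at the bottom is a constructed test setup: an echo server stands in for Tomcat and ephemeral loopback ports stand in for 80 and 8080 (binding the real port 80 needs root or CAP_NET_BIND_SERVICE).

```python
import asyncio


async def _pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes from reader to writer until EOF, then close the writer so
    the far side sees the connection end as well."""
    try:
        while True:
            data = await reader.read(65536)
            if not data:
                break
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def _handle(client_reader, client_writer, target_host, target_port) -> None:
    """Accept one client connection and splice it to the backend service."""
    try:
        backend_reader, backend_writer = await asyncio.open_connection(
            target_host, target_port)
    except OSError:
        client_writer.close()  # backend down: drop the client cleanly
        return
    await asyncio.gather(
        _pump(client_reader, backend_writer),   # client -> backend
        _pump(backend_reader, client_writer),   # backend -> client
    )


async def start_forwarder(listen_host, listen_port, target_host, target_port):
    """Listen on listen_host:listen_port (e.g. VIP:80) and forward every
    connection to target_host:target_port (e.g. 127.0.0.1:8080)."""
    return await asyncio.start_server(
        lambda r, w: _handle(r, w, target_host, target_port),
        listen_host, listen_port)


async def _echo_backend(reader, writer) -> None:
    """Stand-in for Tomcat (constructed for the demo): answer one request."""
    request = await reader.read(65536)
    writer.write(b"backend saw: " + request)
    await writer.drain()
    writer.close()
    await writer.wait_closed()


async def _demo() -> dict:
    # Port 0 lets the kernel pick free loopback ports standing in for 8080 and 80.
    backend = await asyncio.start_server(_echo_backend, "127.0.0.1", 0)
    backend_port = backend.sockets[0].getsockname()[1]
    forwarder = await start_forwarder("127.0.0.1", 0, "127.0.0.1", backend_port)
    forwarder_port = forwarder.sockets[0].getsockname()[1]

    # The "client": connect to the front port and record which port answers.
    reader, writer = await asyncio.open_connection("127.0.0.1", forwarder_port)
    peer_port = writer.get_extra_info("peername")[1]
    writer.write(b"GET / HTTP/1.0\r\n\r\n")
    await writer.drain()
    reply = await asyncio.wait_for(reader.read(), timeout=5)
    writer.close()
    await writer.wait_closed()

    forwarder.close()
    await forwarder.wait_closed()
    backend.close()
    await backend.wait_closed()
    return {"reply": reply, "peer_port": peer_port,
            "forwarder_port": forwarder_port, "backend_port": backend_port}


def run_demo() -> dict:
    """Run the constructed setup once and return what the client observed."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(run_demo())
```

Because this is a user-space proxy, Tomcat sees the forwarder's address as the client, not the real client IP, so application logs lose that information; the kernel-side equivalent on the real server, a local `REDIRECT --to-ports 8080` rule in the nat PREROUTING chain (a standard netfilter target, not something from this thread), keeps the client address and lets conntrack map the reply back to port 80 because the reply leaves through the same host.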

