LVS
lvs-users
[Top] [All Lists]
Google
 
Web LinuxVirtualServer.org
<prev [Date] next> <prev [Thread] next>

Ipvsadm and netfilter

from [Luc DUMAINE] [Permanent Link]
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Ipvsadm and netfilter
From: Luc DUMAINE <ldumaine@xxxxxxxx>
Date: Sun, 15 Aug 2004 23:01:57 +0200 (CEST) 
Hi,

I try to use ipvsadm with stock linux 2.6.7, in combination with iptables,
and there is something i do not understand.

IPVS-NAT is used, as the real servers are on non-routed DMZ networks
behind the redirector.

According to LVS how-to, chapter 17.2, the path of an incoming packet
should be:

PREROUTING -> LOCAL_IN -> POSTROUTING

But from what I can see, the path is more like

PREROUTING -> LOCAL_IN -> LOCAL_OUT -> POSTROUTING

The context;

The director is connected on the LAN, 10.64.0.0/24, on its eth1 interface.

Behind it, the real servers are on 192.168.76.2 on a 802.1q tagged
vlan 3 and connected to the redirector on its eth0.3 interface.

10.64.0.16 is configured as an alias on the eth1 interface of the
redirector, and the ssh port of this address is redirected to the ssh port
of 192.168.76.2:

Ipvsadm rules:
-A -t 10.64.0.16:ssh -s rr
-a -t 10.64.0.16:ssh -r 192.168.76.2:ssh -m -w 1

Iptables rules:

Default policy fro all chains: ACCEPT

-A INPUT -d 10.64.0.16 -i eth1 -j LOG --log-prefix "INPUT ipvsadm
" --log-level 6 
-A OUTPUT -o eth0.+ -j LOG --log-prefix "OUTPUT ipvsadm
" --log-level 6 

If from the 10.64.0.0/24 lan I ssh to 10.64.0.16 packets go through the
OUTPUT chain as you can see in my log:

OUTPUT ipvsadm IN= OUT=eth0.3 SRC=10.64.0.81 DST=192.168.76.2 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=3850 DF PROTO=TCP SPT=49851 DPT=22
WINDOW=5840 RES=0x00 SYN URGP=0 

OUTPUT ipvsadm IN= OUT=eth0.3 SRC=10.64.0.81 DST=192.168.76.2 LEN=52
TOS=0x00 PREC=0x00 TTL=64 ID=3851 DF PROTO=TCP SPT=49851 DPT=22
WINDOW=5840 RES=0x00 ACK URGP=0 

OUTPUT ipvsadm IN= OUT=eth0.3 SRC=10.64.0.81 DST=192.168.76.2 LEN=52
TOS=0x00 PREC=0x00 TTL=64 ID=3852 DF PROTO=TCP SPT=49851 DPT=22
WINDOW=5840 RES=0x00 ACK URGP=0 

etc..

And nothing seems to pass through the INPUT chain ?

If I connect from another lan not directly connected to the director,
the packets go through INPUT and OUTPUT.

INPUT ipvsadm IN=eth1 OUT= MAC=00:0a:5e:3d:82:0f:00:e0:1e:7f:98:61:08:00
SRC=A.B.C.D DST=10.64.0.16 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55012
DF PROTO=TCP SPT=49852 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 

OUTPUT ipvsadm IN= OUT=eth0.3 SRC=A.B.C.D DST=192.168.76.2 LEN=60
TOS=0x00 PREC=0x00 TTL=63 ID=55012 DF PROTO=TCP SPT=49852 DPT=22
WINDOW=5840 RES=0x00 SYN URGP=0 

INPUT ipvsadm IN=eth1 OUT= MAC=00:0a:5e:3d:82:0f:00:e0:1e:7f:98:61:08:00
SRC=200.9.208.76 DST=A.B.C.D LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=55013
DF PROTO=TCP SPT=49852 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0 

OUTPUT ipvsadm IN= OUT=eth0.3 SRC=A.B.C.D DST=192.168.76.2 LEN=52
TOS=0x00 PREC=0x00 TTL=63 ID=55013 DF PROTO=TCP SPT=49852 DPT=22
WINDOW=5840 RES=0x00 ACK URGP=0 

Regards, Luc.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • Ipvsadm and netfilter, Luc DUMAINE <=
Previous by Date:  RE: Ultra Monkey + RedHat 7.3, Peter Mueller
Next by Date:  vrrp flip-flap and expire_nodest_conn problems related, Francois JEANMOUGIN
Previous by Thread:  Ultra Monkey + RedHat 7.3, Gary James
Next by Thread:  vrrp flip-flap and expire_nodest_conn problems related, Francois JEANMOUGIN
Indexes:  [Date] [Thread] [Top] [All Lists]