Iptables port redirection and LVS

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Iptables port redirection and LVS
From: Donald J Giuliano <guido@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 21 Dec 2004 22:29:36 +0000
Hello,

I'm in the process of configuring a machine as both a firewall and 
LVS-NAT server.  Everything is working fine except for the port 
redirection I set up with the following rules in iptables:

iptables -t nat -A PREROUTING -s 0/0 -d $VIRTUAL_IP -m tcp -p tcp \
       --dport $EXTERNAL_PORT -j DNAT \
       --to-destination $VIRTUAL_IP:$INTERNAL_PORT

iptables -t nat -A POSTROUTING -p tcp -s $VIRTUAL_IP \
       --sport $INTERNAL_PORT -j SNAT \
       --to-source $VIRTUAL_IP:$EXTERNAL_PORT

When I run tcpdump on the client attempting to connect to the 
server, it yields the following:

22:16:31.672703 IP $CLIENT_IP.33375 > $VIRTUAL_IP.www: S 3096333460:3096333460(0) win 5840 <mss 1460,sackOK,timestamp 9811697[|tcp]>
22:16:31.673348 IP $VIRTUAL_IP.$INTERNAL_PORT > $CLIENT_IP.33375: S 3250164620:3250164620(0) ack 3096333461 win 5792 <mss 1460,sackOK,timestamp 112700343[|tcp]>
22:16:31.673415 IP $CLIENT_IP.33375 > $VIRTUAL_IP.$INTERNAL_PORT: R 3096333461:3096333461(0) win 0

This shows that the replies from the real-servers are making their way 
through the firewall and back to the client OK, but the NAT rules in 
the POSTROUTING chain are not being applied.  Furthermore, adding in 
a logging rule as the first one in the nat POSTROUTING chain shows that 
none of the packets are reaching that table, whereas a similar one in 
the mangle POSTROUTING chain shows they are being sent through that 
table just fine.  Thus it appears that IPVS is allowing the packets to 
get through the mangle table, but grabbing them before they can go 
through the POSTROUTING chain on the nat table.  At first I thought 
this could be an issue with connection tracking, but a quick check 
showed that /proc/sys/net/ipv4/vs/conntrack file created by the nfct 
patch indeed had a '1' in it.  I've also played around with the 
boolean value in /proc/sys/net/ipv4/vs/snat_reroute as I'm not sure 
what its function is; however, this had no apparent effect.

I'm pretty much at my wit's end regarding this issue, particularly 
since this problem was resolved in an earlier thread 
(http://archive.linuxvirtualserver.org/html/lvs-users/2004-07/msg00129.html) 
with the same solution I employed.  Does anyone have any idea what I'm 
missing here?  I can provide further detail if that would be helpful.

Thanks in advance,

--Don Giuliano
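As an added example (not part of the original post), a small POSIX sh/awk check that reads tcpdump text on stdin and flags exactly the symptom in the capture above: a SYN-ACK whose source address:port is not the one the client dialled, which is what you see when the reverse translation in nat POSTROUTING is skipped and the client answers with a RST. The captures, addresses and the ports 80/8080 are constructed placeholders standing in for $EXTERNAL_PORT and $INTERNAL_PORT.

```shell
# Constructed tcpdump -n style lines mirroring the post's capture (placeholder
# addresses; port 80 is the external port, 8080 stands in for $INTERNAL_PORT).
BROKEN_CAPTURE='22:16:31.672703 IP 192.0.2.10.33375 > 198.51.100.5.80: S 3096333460:3096333460(0) win 5840
22:16:31.673348 IP 198.51.100.5.8080 > 192.0.2.10.33375: S 3250164620:3250164620(0) ack 3096333461 win 5792
22:16:31.673415 IP 192.0.2.10.33375 > 198.51.100.5.8080: R 3096333461:3096333461(0) win 0'

# The same exchange as it should look once the SNAT rule is actually applied.
GOOD_CAPTURE='22:16:31.672703 IP 192.0.2.10.33375 > 198.51.100.5.80: S 3096333460:3096333460(0) win 5840
22:16:31.673348 IP 198.51.100.5.80 > 192.0.2.10.33375: S 3250164620:3250164620(0) ack 3096333461 win 5792'

# check_reverse_nat: read tcpdump text on stdin.  Remember, per client socket,
# the address:port each plain SYN was sent to; for every SYN-ACK check that
# its source is that same address:port.  Prints one line per mismatch and
# returns 1 if any were found, 0 otherwise.
check_reverse_nat() {
    awk '
    # field layout of a tcpdump -n line: ts IP src > dst: flags ...
    {
        src = $3; dst = $5; sub(/:$/, "", dst); flags = $6
        if (flags != "S") next                 # only SYN and SYN-ACK matter
        if ($0 !~ / ack /) {
            dialled[src] = dst                 # plain SYN: client -> server
        } else if ((dst in dialled) && dialled[dst] != src) {
            printf "reverse NAT missing: %s dialled %s, reply came from %s\n", dst, dialled[dst], src
            bad++
        }
    }
    END { exit (bad > 0) }'
}

# Demo: the broken capture is flagged, the good one passes.
printf '%s\n' "$BROKEN_CAPTURE" | check_reverse_nat || echo "broken capture: mismatch detected"
printf '%s\n' "$GOOD_CAPTURE"   | check_reverse_nat && echo "good capture: reverse NAT consistent"
```

On a live box, feed it `tcpdump -n -i eth0 tcp port $EXTERNAL_PORT` output taken on the client side.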

