Re: ipvs and source nat

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: ipvs and source nat
From: Dan McCormick <dan@xxxxxxxxxx>
Date: Sun, 24 Sep 2006 21:11:22 -0400
On Sun, 2006-09-24 at 17:30 -0700, Joseph Mack NA3T wrote:
> On Sun, 24 Sep 2006, Dan McCormick wrote:
> > Because my grand plan is to migrate a web site that's already running on
> > a separate director from one set of IPs to another.
> are you migrating the VIPs or the RIPs?

The VIPs.

> > I'd like the web
> > site to be able to respond on both sets of IPs, change the DNS to point
> > to the new set, and not have to worry if the old IPs get cached for days
> > or weeks.  The old IP range is on a 100MBps connection, and the new one
> > is gigabit, and my ISP won't let me comingle them on a single switch.
> > On top of that, all my existing director machines only have two NICs, so
> > I can't plug the old external network, the new external network, and the
> > local network into a single machine.
> I can help you think about this if you like. I don't know 
> what you're doing though.

Ok, thanks.

> What is the network diagram (VIP, DIP, RIP) of the 
> current/future setup, which machines/IPs do you want 
> transferred? You must have both the old and new operating 
> simultaneously?

The network is pretty simple.  I have an existing public IP (VIP #1)
owned by an existing director (DIP #1) hitting a group of eight web
servers.  I'm moving to a second IP (VIP #2) owned by a separate
director (DIP #2) hitting the same group of eight web servers.

Right now, the eight web servers use DIP #1 as their default gateway.
I'd like both the new and old VIPs working simultaneously, so if I want
VIP #2 to work, somehow those same web servers will have to know to send
traffic that comes in through DIP #2 back out through DIP #2.

I'll make up some IPs if that'll make things easier to talk about:

Current setup:
VIP #1:
DIP #1: (eth0 local, eth1 internet)
RIPs: through .27

New setup:
VIP #2:
DIP #2: (eth0 local, eth1 internet)
RIPs: through .27

So my idea was to have DIP #2 re-write packets to the eight web servers
using a source NAT of its IP,

One thing I haven't figured out is: when in the ipvs NAT does iptables
act on the packets?  If I correctly understand the links you sent, they
discuss problems with iptables facing the internet, not the local

In this case, suppose we have a CIP of that hits DIP #2; the
packet gets DNAT'ed by ipvs to RIP  Does the iptables
POSTROUTING chain (where you'd normally apply an SNAT) get applied to
the packet at that point?  I assumed it would, so I tried:

iptables -t nat -D POSTROUTING -o eth0 -j SNAT --to-source

But that doesn't seem to work (looking at tcpdump on the real servers
indicates the packets have a source address of the CIP,, not

Thanks for the help,
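An added example, not part of Dan's post or of the LVS project: the rule set a second director would carry under the approach described above (LVS-NAT for VIP #2, with the director rewriting the source of forwarded packets to its own inside address so the real servers answer back through DIP #2 instead of their default gateway, DIP #1). The addresses are hypothetical placeholders because the post's IPs were not preserved, and the interface names follow the post (eth0 inside, eth1 internet). It assumes a kernel with the IPVS/conntrack integration knob `net.ipv4.vs.conntrack` (Linux 2.6.37 and later): packets IPVS forwards skip connection tracking unless that sysctl is set, and the nat table's POSTROUTING SNAT targets never match untracked packets, which is why an SNAT rule alone leaves the client address on the wire. The script prints the commands by default and only executes them when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the original thread): LVS-NAT rules for the second
# director (DIP #2), SNATing forwarded packets to the director's own inside
# address so the real servers reply back through DIP #2.
#
# Hypothetical placeholders (the post's real IPs were not preserved):
#   VIP2       public VIP #2, lives on eth1 (internet side)
#   DIP2       inside address of director #2 on eth0 (local side)
#   RIPs       RIP_PREFIX.20 .. RIP_PREFIX.27, the eight web servers
VIP2=${VIP2:-203.0.113.2}
DIP2=${DIP2:-192.0.2.1}
RIP_PREFIX=${RIP_PREFIX:-192.0.2}
RIP_FIRST=20
RIP_LAST=27

# Emit the full rule set, one command per line.
director2_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Without this, IPVS-forwarded packets carry no conntrack entry and the
    # nat table's POSTROUTING SNAT rule below never matches them.
    echo "sysctl -w net.ipv4.vs.conntrack=1"
    # Virtual service on VIP #2, weighted least-connection scheduling.
    echo "ipvsadm -A -t ${VIP2}:80 -s wlc"
    # One masquerading (-m, i.e. LVS-NAT) real server per RIP.
    i=$RIP_FIRST
    while [ "$i" -le "$RIP_LAST" ]; do
        echo "ipvsadm -a -t ${VIP2}:80 -r ${RIP_PREFIX}.${i}:80 -m -w 1"
        i=$((i + 1))
    done
    # Rewrite the source of forwarded HTTP packets to DIP #2 on the inside
    # interface; replies from the RIPs then come back to this director.
    echo "iptables -t nat -A POSTROUTING -o eth0 -d ${RIP_PREFIX}.0/24 -p tcp --dport 80 -j SNAT --to-source ${DIP2}"
}

# Sanity check: number of real-server entries that would be added.
director2_rip_count() {
    director2_rules | grep -c 'ipvsadm -a '
}

# Dry run by default; APPLY=1 (as root) executes the generated commands.
if [ "${APPLY:-0}" = "1" ]; then
    director2_rules | sh -e
else
    director2_rules
fi
```

Two caveats for this design: with SNAT on the director every request reaches the web servers with DIP #2 as its source, so the real servers' access logs lose the client IP unless the application logs a forwarded-for header the director does not add by itself; and the `-o eth0 -d RIP_PREFIX.0/24 --dport 80` match keeps the rewrite confined to traffic headed for the pool, so other forwarded traffic on eth0 is left untouched.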
