Re: LVS-NAT with multiple RIP to VIP associations

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: LVS-NAT with multiple RIP to VIP associations
From: "David M" <northridgeaustin@xxxxxxxxx>
Date: Fri, 15 Dec 2006 12:55:16 -0600
I guess that I did not explain my setup well enough.

In this example, we have three real sendmail servers.  We have about 30
private IPs on each real sendmail server (172.16.0.0/24) with 30 instances
of sendmail on each server.  So, with three real servers, that's 90 private
IPs total.  On the Director, we have 30 public IPs.  And, the Director load
balances the SMTP connections to the three real servers.  Below is a visual
representation:
On the Director:
$VIP_M_01 --> $RIP_M1_01
$VIP_M_01 --> $RIP_M2_01
$VIP_M_01 --> $RIP_M3_01
$VIP_M_02 --> $RIP_M1_02
$VIP_M_02 --> $RIP_M2_02
$VIP_M_02 --> $RIP_M3_02

Each of our public IPs (VIPs) has a domain name associated with it (e.g.,
mail.domain_name.com).  Also, the sendmail configurations on our private IPs
have a domain name associated with them.  So, each domain name has one
public IP (on the Director, which is a VIP) and three private IPs (one for
each real server, which are RIPs).

The problem is that the real servers have to send out their emails over
the correct public IP, otherwise the email will not be RFC compliant (RFC
2822).  Again, each of the real servers has 30 private IPs with 30
instances of sendmail and they all have the same default gateway (namely,
the private IP of the Director).  So, we have to make sure that when the
packets arrive at the Director, the packets get rewritten so that they go
out the external interface with the correct public IP.  This is the reason
that we are running iptables on the Director with the following rules:
$IPT -t nat -A POSTROUTING -s $RIP_M1_01 -o $EXT_INTER -j SNAT --to-source $VIP_M_01
$IPT -t nat -A POSTROUTING -s $RIP_M2_01 -o $EXT_INTER -j SNAT --to-source $VIP_M_01
$IPT -t nat -A POSTROUTING -s $RIP_M3_01 -o $EXT_INTER -j SNAT --to-source $VIP_M_01

The nat rules have the effect of associating certain RIPs (private IPs) with
certain VIPs (public IPs), as in this visual representation.
$RIP_M1_01 --> $VIP_M_01
$RIP_M2_01 --> $VIP_M_01
$RIP_M3_01 --> $VIP_M_01

I hope that this is a more adequate explanation.

Our setup is currently working. I was just wondering if there is a better
way to do this.

Actually, now, we are thinking about setting up our configuration a little
differently.

I have read that the ipvs_nfct patch has some shortcomings.  Julian said
that the IPVS packets do not use the same path through the network stack as
other non-IPVS packets and that all out->in traffic passes INPUT (not
FORWARD as in netfilter).  So, we are not certain whether or not we can
create a locked-down, bastion host with iptables on the Director, using
ipvs_nfct patch.

So, we are considering installing a firewall (or two firewalls with
heartbeat) and route packets to the LVS-NAT director, as in the following:
66.94.234.13 (firewall) --> 172.16.1.171 (LVS) --> 10.10.1.171 (real server)

This means that we would have to use the nat POSTROUTING chain on both the
LVS Director and on the firewall.
On the LVS-Director:
$IPT -t nat -A POSTROUTING -s $RIP_M1_01 -o $EXT_INTER -j SNAT --to-source $VIP_M1_01
On the Firewall:
$IPT -t nat -A POSTROUTING -s $VIP_M1_01 -o $EXT_INTER -j SNAT --to-source $PIP_M_01

Are most running an "FW --> LVS-NAT --> Real Server" configuration in their
production environments?  Or is it more popular to attempt to have
stateful-packet filtering on the LVS Director?

Thank you for your feedback.

David Mitchell
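The per-RIP SNAT rules described above, generated from one mapping table and checked for coverage, as an added example that is not David's script or anything from the thread. $IPT and $EXT_INTER are the thread's variables; the addresses, the "VIP RIP RIP RIP" mapping format and the function names are assumptions, and the rules are printed rather than applied so this runs without root.

```shell
#!/bin/sh
# Added example (not from the thread): emit the POSTROUTING SNAT rules that tie
# each sendmail RIP to its public VIP, then sanity-check the generated set.
# Assumption: one mapping line per VIP, "VIP RIP_on_M1 RIP_on_M2 RIP_on_M3".
IPT="${IPT:-iptables}"
EXT_INTER="${EXT_INTER:-eth0}"

# Constructed sample: two VIPs, three real servers each (addresses are made up).
MAPPING='
203.0.113.1 172.16.0.1 172.16.1.1 172.16.2.1
203.0.113.2 172.16.0.2 172.16.1.2 172.16.2.2
'

# One rule per RIP, so mail from RIP_Mx_NN leaves the external interface as VIP_M_NN.
gen_snat_rules() {
    printf '%s\n' "$MAPPING" | while read -r vip rips; do
        [ -n "$vip" ] || continue
        for rip in $rips; do
            printf '%s -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
                "$IPT" "$rip" "$EXT_INTER" "$vip"
        done
    done
}

# Number of RIPs whose outbound traffic is rewritten to the given VIP
# (each VIP should come out at the number of real servers, here 3).
rips_for_vip() {
    gen_snat_rules | grep -c -- "--to-source $1\$"
}

# RIPs that appear in more than one rule: nat rules match in order, so a
# duplicate means that RIP's mail may leave with the wrong public IP.
# Prints nothing when the table is clean.
duplicate_rips() {
    gen_snat_rules | sed -n 's/.* -s \([^ ]*\) .*/\1/p' | sort | uniq -d
}

gen_snat_rules
```

Any RIP missing from the table gets no rule and leaves the Director un-NATed, so the same table should also be the source of truth for ipvsadm's RIP list.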


From: Joseph Mack NA3T <jmack@xxxxxxxx>
To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 14 Dec 2006 15:55:10 -0800 (PST)
Subject: Re: LVS-NAT with multiple RIP to VIP associations
On Thu, 14 Dec 2006, David M wrote:

> Our requirement is that we have to route certain RIP traffic out the same
> VIP--we have to have multiple VIPs.  This is especially necessary when using
> sendmail as an MTA.  Certain Sendmail RIPs must send out packets on a
> specific VIP.  LVS-NAT does not seem to control RIP to VIP packets.

Why do you say that?

The director doesn't control anything that the realservers
do with their packets for any of the forwarding methods,
including where the RIP sends its packets. You have to
handle that. For LVS NAT you route the packets from the
RIP:service to the LVS-NAT director.


> So, we are using IPTABLES to associate a certain RIP with
> a certain VIP.

I don't know what this means. Are multiple directors
each with different VIPs feeding the one set of realservers?

What's your setup, on which machines are these rules being
run?

If one director has multiple VIPs, then each VIP is
independent of the other and you shouldn't need any iptables
rules.

Joe
