I've spent the last few days reading and re-reading LVS documentation,
doing network traces etc. and trying to figure out what is going wrong here.
I am trying to set up a simple 2-network LVS-NAT to a webserver.
So far as I can tell all of my config is by the book.
I've stripped it down to one DIP, one RIP.
In the end there is intended to be two directors with failover so the
config shows the virtual IP of the interior interface of the director
(eth1). This is used as the default route on the realserver.
I'll attach the tcpdumps I've obtained from the RIP, DIP and CIP as well
as my config files. The interfaces file is from the director.
In the case of the /etc/network/interfaces, this is where I've been
setting up the masquerading. Note that I've tried this with and without
iptables masquerading on the director. I've tried various forms of
masquerading, making it tighter or looser (e.g. so that outgoing port 80
does not get masqueraded or ensuring that the masqueraded connection
appears as from the VIP).
Without masquerading the realserver cannot see the outside world.
It's not clear to me whether or not this aspect of masquerading is
intended to be taken care of by LVS itself. I am guessing not as most of
the LVS-NAT documentation I've found does indicate configuring iptables
rules for masquerading.
With masquerading the realserver can access the outside world just fine.
The symptom is that 'telnet VIP 80' followed by a 'GET /' appears to
produce no content even though the tcpdump appears to show traffic
coming from VIP to CIP.
The same telnet from the director to the RIP does get content.
I've been trying various combinations of configurations; it's not
entirely clear whether I need to use any iptables masquerading rules on
the director. I've tried with and without and the results have been the
This appears to be such a simple setup that there has to be something
very basic that I'm missing...
Looking at the cip.dump in wireshark I have to say that it does look
very very odd. I can't say that I fully understand it though.
Any advice appreciated.
bcast eth0 # Linux
mcast eth0 22.214.171.124 694 1 0
respawn hacluster /usr/lib/heartbeat/ipfail
apiauth ipfail gid=haclient uid=hacluster
iface lo inet loopback
iface eth0 inet static
iface eth1 inet static
up iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/24 -o eth0
down iptables -t nat -D POSTROUTING -j SNAT -s 192.168.0.0/24 -o eth0