[lvs-users] IPVS - Nat Issue

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] IPVS - Nat Issue
From: dasher <dasher@xxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 20 Nov 2009 16:00:29 +0100
Hi,

I'm having an issue currently with a setup - and it's probably something
simple that I've missed, not being able to see the wood for the
trees - I'd appreciate any insight about what I've missed.

Issue:
The client connects to the VIP, IPVS picks up the connection on the
public interface (eth0) and shoves it out the private interface (eth1) ok but
the packet doesn't reach the realserver (according to tcpdump running
on the realserver).

My best guess is that it's a NAT issue where ipvs isn't rewriting the
source address before it leaves eth1.  I'm able to connect from the
director to the realserver and retrieve some content from the service
running on the realserver (lynx 10.177.41.57:80).

The full details of the setup are a little later in this mail - the only
service currently is http(80) but the output from tcpdump on the
director is:

tcpdump -ln port 80 -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
14:22:06.527112 IP 95.17.61.77.51254 > 174.143.146.6.80: Flags [S], seq 114523396, win 5840, options [mss 1452,sackOK,TS val 9033472 ecr 0,nop,wscale 7], length 0
14:22:06.527112 IP 95.17.61.77.51254 > 10.177.41.57.80: Flags [S], seq 114523396, win 5840, options [mss 1452,sackOK,TS val 9033472 ecr 0,nop,wscale 7], length 0


Note:
I've verified the above by having 2 sessions open and specifying the
exact interface with tcpdump -ln port 80 -i eth0 and tcpdump -ln port 80
-i eth1. 


Setup Details:

The setup is very simple using LVS-NAT:

[client]
   |
{internet} 
   |
[VIP:174.143.146.6](eth0)Director(eth1)[DIP:10.177.41.56]
   |
{Private Lan: DRIP:10.177.41.0/24}
   |
[RIP:10.177.41.56](eth1)Realserver


Config Details:

General:
All machines are base Ubuntu 9.10 installs - and come with the ipvs
modules.  ipvsadm was installed using aptitude.
No extra patches or downloads have been applied to ipvs (which might be
the problem).

The servers are VMs running in a hosted environment.


Details & command outputs:

(director) ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  174.143.146.6:80 rr
  -> 10.177.41.57:80              Masq    1      0          0  

(all servers are the same) Ubuntu 9.10: uname -a
Linux ipvs 2.6.31-302-rs #7 SMP [date] x86_64 GNU/Linux


(director & realserver) IPTables is empty - as far as I understand no
rules are needed for ipvs-nat by default.

(director) iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

(director) iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  


(director) sysctl -p
net.ipv4.ip_forward = 1

(realserver) sysctl -p
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.eth0.arp_announce = 2

(realserver) The default route is set to be the director DIP



_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
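
Added example (not part of the original post): a short Python script that pairs the two SYN lines from the director's tcpdump capture by sequence number and reports which address fields differ between the two sightings. The regex, the function names and the unwrapped sample lines are constructed for this illustration.

```python
import re

# Constructed sample: the two SYN lines from the capture in the post, unwrapped.
CAPTURE = """\
14:22:06.527112 IP 95.17.61.77.51254 > 174.143.146.6.80: Flags [S], seq 114523396, win 5840, options [mss 1452,sackOK,TS val 9033472 ecr 0,nop,wscale 7], length 0
14:22:06.527112 IP 95.17.61.77.51254 > 10.177.41.57.80: Flags [S], seq 114523396, win 5840, options [mss 1452,sackOK,TS val 9033472 ecr 0,nop,wscale 7], length 0
"""

# Matches IPv4 TCP lines of `tcpdump -n` that carry a single absolute sequence
# number (SYN / SYN-ACK); data segments print "seq a:b" and are skipped.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\], "
    r"seq (?P<seq>\d+),"
)
FIELDS = ("src", "sport", "dst", "dport")


def parse(text):
    """Return one dict per matching tcpdump line; unparseable lines are ignored."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def translations(packets):
    """Group sightings by (flags, seq) and report fields that changed between them."""
    groups = {}
    for p in packets:
        groups.setdefault((p["flags"], p["seq"]), []).append(p)
    report = []
    for sightings in groups.values():
        first = sightings[0]
        for later in sightings[1:]:
            changed = {k: (first[k], later[k]) for k in FIELDS if first[k] != later[k]}
            report.append({"seq": first["seq"], "changed": changed})
    return report


if __name__ == "__main__":
    for entry in translations(parse(CAPTURE)):
        print("seq", entry["seq"])
        for field in FIELDS:
            if field in entry["changed"]:
                before, after = entry["changed"][field]
                print(f"  {field}: {before} -> {after}")
            else:
                print(f"  {field}: unchanged")
```
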
