Re: [lvs-users] lvs NAT mode - real server to (different) virtual server

To:	"LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject:	Re: [lvs-users] lvs NAT mode - real server to (different) virtual server public IP web requests fail
From:	James H <jeh1965@xxxxxxxxx>
Date:	Mon, 30 Nov 2009 23:38:07 -0800

What if we used routing tables to route all NEW (not related, not
established) outbound connections to the public/VIPs via the
192.168.1.1 gateway (eg: non-LVS net for round-trip access to the
front end of the LVS director), and use iptables to reply to all
RELATED/ESTABLISHED connections on the interface by which they
arrived?

I'm not great at iptables/iproute2, can someone comment on these rules
or tell me if I've missed something:

InternalNet IP: 192.168.1.104
LVS-NAT IP: 192.168.2.104
Network/Default Route: 192.168.2.100 (LVS Director)

ifcfg ip routes:
default table InternalNet via 192.168.1.1
default table main via 192.168.2.100 # implied default route - maybe
don't need this
123.123.123.64/26 via 192.168.1.1 dev eth1 # send public/LVS requests
out the InternalNet gateway to the front end of the LVS directory, let
iptables fixup replies on the correct interface

ifcfg ip rules:
from 192.168.1.104 table InternalNet
from 192.168.2.104 table main #implied rule - maybe don't need this
fwmark 1 lookup InternalNet
fwmark 2 lookup main

iptables:
-A OUTPUT              -m state --state ESTABLISHED,RELATED -j
CONNMARK --restore-mark
-A PREROUTING -d 192.168.1.104  -m state --state NEW -j CONNMARK --set-mark 1
-A PREROUTING -d 192.168.2.104  -m state --state NEW -j CONNMARK --set-mark 2


Does this make sense?

Best,
james

On Fri, Nov 27, 2009 at 4:15 AM, Simon Horman <horms@xxxxxxxxxxxx> wrote:
> Here is my thinking:
>
> 1) The LVS-NATed connections will have the source IP address of
>   the machine that made the request. Though in this case
>   it will be the IP address of 192.168.1.1 in the live range.
> 2) The live range is routed via 192.168.1.1, not the linux-director.
>   So return packets from the real-server will go to the wrong place.

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

<Prev in Thread]	Current Thread	[Next in Thread>
Re: [lvs-users] lvs NAT mode - real server to (different) virtual server public IP web requests fail, James H <= Re: [lvs-users] lvs NAT mode - real server to (different) virtual server public IP web requests fail, James H

Previous by Date:	Re: [lvs-users] DR-mode realserver selection via consistent hashing on request URL?, Josh Adams
Next by Date:	Re: [lvs-users] more realserver ports question - long mail, Kun Richárd
Previous by Thread:	Re: [lvs-users] DR-mode realserver selection via consistent hashing on request URL?, Josh Adams
Next by Thread:	Re: [lvs-users] lvs NAT mode - real server to (different) virtual server public IP web requests fail, James H
Indexes:	[Date] [Thread] [Top] [All Lists]