Re: [lvs-users] client talking back to itself.

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] client talking back to itself.
From: James H <jeh1965@xxxxxxxxx>
Date: Tue, 8 Jun 2010 22:57:05 -0700
Hi,

It can be done on LVS-NAT. I had to turn off my blog for a short while
but it will be back up soon. Here's the google cached page:
http://webcache.googleusercontent.com/search?q=cache:a56hmlO2YpoJ:mobiuscircle.com/+mobius+circle+lvs&cd=1&hl=en&ct=clnk&gl=us

My work is largely inspired by Jonathan and Karen’s blog post here:
http://developingrapids.blogspot.com/2006/05/conning-mark-multiwan-connections.html

Long story short:
 - use your management/ssh network as the default route, use your
normal default gateway, NOT the director (contrary to the standard
docs)
 - use IPTables and FWMarks to tag packets, and reply via the
appropriate route based on the inbound connection route


Method:
The assumption is that you have 2 internal VLANs, one for “management”
traffic and one for LVS traffic. I’ll call those:

InternalNet 192.168.1.x
LVSNet 192.168.2.x

The LVS director is 192.168.2.100

Steps:
On realservers:
- Use your normal default gateway for your network, NOT the LVS
Director, eg: 192.168.1.1
- Use mangle table prerouting firewall marks to mark any LVS traffic to fwmark 2
- Use mangle table prerouting firewall marks to mark any non-LVS
traffic to fwmark 1 (may be redundant)
- Use ip rules to direct any traffic received with fwmark 2 via the
LVSNet table (192.168.2.100 gateway)
- Use ip rules to direct any traffic received on 192.168.2.x via the
LVSNet table (192.168.2.100 gateway - may be redundant)
- Use ip rules to direct any traffic received with fwmark 1 via the
InternalNet table (192.168.1.1 gateway - may be redundant to the
default route)
- Use ip rules to direct any traffic received on 192.168.1.x via the
InternalNet table (192.168.1.1 gateway - may be redundant)



Detailed Steps:
Configuration:
===========
1) Add two tables to your /etc/iproute2/rt_tables

200 InternalNet
201 LVSNet

2) Set your default gateway to 192.168.1.1 (/etc/sysconfig/network)
GATEWAY=192.168.1.1

3) In your iptables mangle table (for real server 192.168.1.112), add
the following. In different realservers, replace the IP address
192.168.1.112 with that of the current real server:
-A PREROUTING -j CONNMARK --restore-mark
-A PREROUTING -m mark --mark 0x1 -j ACCEPT
-A PREROUTING -d 192.168.1.112 -j MARK --set-mark 0x1
-A PREROUTING -m mark --mark 0x2 -j ACCEPT
-A PREROUTING -d 192.168.2.112 -j MARK --set-mark 0x2
-A PREROUTING -j CONNMARK --save-mark

4) Setup IP routes and rules (for each real server you change the IP
address in the rules below to that of the real server IPs)

routes: /etc/sysconfig/network-scripts/route-eth1:
default table InternalNet via 192.168.1.1

default table LVSNet via 192.168.2.100

rules: /etc/sysconfig/network-scripts/rule-eth1
from 192.168.1.112 table InternalNet
from 192.168.2.112 table LVSNet
fwmark 1 lookup InternalNet
fwmark 2 lookup LVSNet

---- DONE ----
Net result is that LVS-NAT based inbound connections route back out
through the LVS Director appropriately, even though your default
gateway is on 192.168.1.1. All other real server requests route
through your normal LAN default gateway. If that outbound request is
to one of your LVS VIPs (real server as client), the connection goes
via your normal LAN to the front end of the LVS director, and the
reply comes back the same path.

Cheers,
James
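The same real-server setup, as an added example that is not James's own configuration: a script that emits the iptables and ip commands for one real server. The distribution-neutral `ip rule`/`ip route` form (instead of the /etc/sysconfig files in the post) and the extra mangle OUTPUT restore-mark rule are assumptions beyond the post; addresses and table ids are the constructed values from it.

```shell
#!/bin/sh
# Emit the real-server policy-routing setup from the post as plain iptables /
# ip commands (the post uses RHEL /etc/sysconfig files; this form is an
# assumption for other distributions). Usage: sh lvs-rs-routing.sh MGMT_IP LVS_IP
# Addresses and table ids are the constructed values from the post.
MGMT_GW=192.168.1.1         # normal LAN default gateway (InternalNet)
LVS_DIRECTOR=192.168.2.100  # director's address on LVSNet
MGMT_TABLE=200              # rt_tables id for InternalNet
LVS_TABLE=201               # rt_tables id for LVSNet

# Mangle rules: restore a saved connection mark; on the first packet of a
# connection, mark by the destination address it arrived on, then store the
# mark on the connection. The OUTPUT restore-mark line is not in the post;
# it copies the mark onto locally generated replies too, so the fwmark
# rules apply to them (the from-address rules below already cover this).
gen_mangle() {
  mgmt_ip=$1; lvs_ip=$2
  cat <<EOF
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark --mark 0x1 -j ACCEPT
iptables -t mangle -A PREROUTING -d $mgmt_ip -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -m mark --mark 0x2 -j ACCEPT
iptables -t mangle -A PREROUTING -d $lvs_ip -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
EOF
}

# Routing: one default route per table, then policy rules by source address
# and by fwmark. Traffic matching no rule falls through to the main table,
# whose default gateway is MGMT_GW, not the director.
gen_routing() {
  mgmt_ip=$1; lvs_ip=$2
  cat <<EOF
ip route replace default via $MGMT_GW table $MGMT_TABLE
ip route replace default via $LVS_DIRECTOR table $LVS_TABLE
ip rule add from $mgmt_ip table $MGMT_TABLE
ip rule add from $lvs_ip table $LVS_TABLE
ip rule add fwmark 0x1 table $MGMT_TABLE
ip rule add fwmark 0x2 table $LVS_TABLE
EOF
}

# Print the commands for the given real server; pipe the output to sh to
# apply them, then verify with: ip rule show; ip route show table 201
if [ $# -eq 2 ]; then
  gen_mangle "$1" "$2"
  gen_routing "$1" "$2"
fi
```

Run it as `sh lvs-rs-routing.sh 192.168.1.112 192.168.2.112` to see the commands for the real server used in the post.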