[lvs-users] IPVS 1.2.1 + Iptables SNAT

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] IPVS 1.2.1 + Iptables SNAT
From: Victor Sartori <victor@xxxxxxxxxxxxxx>
Date: Fri, 18 Mar 2011 17:45:53 -0300
Hi guys,

I'll show my structure, then I'll post my issue.

The machine LVS-01 receives HTTP connections on ports 80 and 443 on IP, and balances between two Apaches ( and
The default gateway of these Apache machines is (LVS-01). is an application machine.

On LVS-01, I set up SNAT iptables rules like this:

iptables -t nat -A POSTROUTING -s -o eth1 -j SNAT --to
iptables -t nat -A POSTROUTING -s -o eth1 -j SNAT --to

I didn't forget sysctl.conf:
net.ipv4.ip_forward = 1

It works, but the HTTP connections are very slow. Using a sniffer (tcpdump)
I see this:

normal connections

15:27:52.047136 IP > . ack
26191 win 501 <nop,nop,timestamp 6349575 6352061>
15:27:52.058760 IP > F 0:0(0) ack 1
win 1045 <nop,nop,timestamp 6349578 6335481>

a lot of wrong connections (IP of LVS Network to "Intranet Network")

15:28:05.270813 IP > F 0:0(0) ack 1
win 810 <nop,nop,timestamp 6352881 6335731>
15:28:06.045691 IP > F
68963:68963(0) ack 2279 win 81 <nop,nop,timestamp 6355561 6345561>

normal connections again

It is very random.

Things I've done:

Increased the ephemeral ports (in sysctl.conf: net.ipv4.ip_local_port_range =
1024 65535);
Different versions of Keepalived (now I'm using 1.1.19) on CentOS 5.5, and on
Debian 5/6 I've used 1.2.2;
Ignored the LVS, putting Apache directly on the web; all websites open very

Do I need to recompile the kernel with special options/modules/patches? Was my
iptables rule wrong?
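One way to pick the "wrong connections" the post describes out of a capture automatically, rather than by eye, as an added example that is not part of the original message: it parses tcpdump summary lines in the format shown above and flags packets whose source is in the LVS network but whose destination is in the intranet. The addresses are constructed RFC 5737 ranges standing in for the ones stripped from the post, and the LVS_NET / INTRANET assignments are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed address plans; RFC 5737 ranges stand in for the post's stripped addresses.
LVS_NET = ipaddress.ip_network("203.0.113.0/24")  # "LVS network" (public side)
INTRANET = ipaddress.ip_network("192.0.2.0/24")   # "Intranet network" (real servers)

# Constructed capture in the old tcpdump summary format the post shows.
SAMPLE_CAPTURE = """\
15:27:52.047136 IP 203.0.113.10.80 > 198.51.100.7.51234: . ack 26191 win 501 <nop,nop,timestamp 6349575 6352061>
15:27:52.058760 IP 192.0.2.11.80 > 192.0.2.1.40012: F 0:0(0) ack 1 win 1045 <nop,nop,timestamp 6349578 6335481>
15:28:05.270813 IP 203.0.113.10.45021 > 192.0.2.11.80: F 0:0(0) ack 1 win 810 <nop,nop,timestamp 6352881 6335731>
15:28:06.045691 IP 203.0.113.10.45022 > 192.0.2.12.80: F 68963:68963(0) ack 2279 win 81 <nop,nop,timestamp 6355561 6345561>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<flags>\S+)"
)

def parse_line(line):
    """Return the fields of one tcpdump summary line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["src"] = ipaddress.ip_address(pkt["src"])
    pkt["dst"] = ipaddress.ip_address(pkt["dst"])
    return pkt

def classify(pkt):
    """Label a packet the way the post does: a source in the LVS network going
    straight to an intranet address is the 'wrong connection' pattern reported;
    everything else is treated as normal here."""
    if pkt["src"] in LVS_NET and pkt["dst"] in INTRANET:
        return "lvs-to-intranet"
    return "normal"

def audit(capture):
    """Count packets per label and list the flagged ones as (ts, src, dst, flags)."""
    counts, flagged = Counter(), []
    for pkt in filter(None, map(parse_line, capture.splitlines())):
        label = classify(pkt)
        counts[label] += 1
        if label != "normal":
            flagged.append((pkt["ts"], str(pkt["src"]), str(pkt["dst"]), pkt["flags"]))
    return counts, flagged
```

Running `audit()` over a real `tcpdump -n` capture of the director's intranet interface gives a count of how often the pattern occurs, which makes the "very random" observation measurable over time.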

