Re: [lvs-users] Another newbie question

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Another newbie question
From: Romain Meillon <r.meillon@xxxxxxxxxxxx>
Date: Wed, 13 Apr 2011 19:29:47 +0200
All tables are in ACCEPT policy on both IPVS and real server until
I've done a correct configuration.

So, as you advised, I've done this on the real server (and tried many
different things):

iptables -t nat -A PREROUTING -p tcp -d <PUB_IP> -j REDIRECT

ifconfig lo:0 <PUB_IP> netmask 255.255.255.255 broadcast <PUB_IP> up

echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce

This on IPVS

/sbin/ipvsadm -A -t <PUB_IP>:80 -s rr
/sbin/ipvsadm -a -t <PUB_IP>:80 -r 10.254.0.100:80 -g -w 1

/sbin/ipvsadm -A -t <PUB_IP>:25 -s rr
/sbin/ipvsadm -a -t <PUB_IP>:25 -r 10.254.0.100:25 -g -w 1

and to have internet connectivity on the real server through the IPVS
(perhaps I shouldn't?):
iptables -t nat -A POSTROUTING -s 10.254.0.100/24 -j MASQUERADE

The connection cannot be established from the client, no packets come
back from the IPVS...

Here is the tcpdump on the IPVS; it seems that packets go back to the client!:

19:14:37.720321 IP <CLIENT_IP>.62096 > <PUB_IP>.25: Flags [S], seq
1997275050, win 8192, options [mss 1460,nop,nop,sackOK], length 0
19:14:37.720684 IP <PUB_IP>.25 > <CLIENT_IP>62096: Flags [S.], seq
677256198, ack 1997275051, win 5840, options [mss
1460,nop,nop,sackOK], length 0
19:14:40.662070 IP <CLIENT_IP>.62096 > <PUB_IP>.25: Flags [S], seq
1997275050, win 8192, options [mss 1460,nop,nop,sackOK], length 0
19:14:40.662590 IP <PUB_IP>.25 > <CLIENT_IP>.62096: Flags [S.], seq
677256198, ack 1997275051, win 5840, options [mss
1460,nop,nop,sackOK], length 0
19:14:41.920066 IP <PUB_IP>.25 > <CLIENT_IP>.62096: Flags [S.], seq
677256198, ack 1997275051, win 5840, options [mss
1460,nop,nop,sackOK], length 0
19:14:46.660307 IP <CLIENT_IP>.62096 > <PUB_IP>.25: Flags [S], seq
1997275050, win 8192, options [mss 1460,nop,nop,sackOK], length 0
19:14:46.660866 IP <PUB_IP>.25 > <CLIENT_IP>.62096: Flags [S.], seq
677256198, ack 1997275051, win 5840, options [mss
1460,nop,nop,sackOK], length 0

and the real server one:

19:14:37.274053 IP <CLIENT_IP>.62096 > <PUB_IP>.25: S
1997275050:1997275050(0) win 8192 <mss 1460,nop,nop,sackOK>
19:14:37.274117 IP <PUB_IP>.25 > <CLIENT_IP>.62096: S
677256198:677256198(0) ack 1997275051 win 5840 <mss
1460,nop,nop,sackOK>
19:14:40.215794 IP <CLIENT_IP>.62096 > <PUB_IP>.25: S
1997275050:1997275050(0) win 8192 <mss 1460,nop,nop,sackOK>
19:14:40.215851 IP <PUB_IP>.25 > <CLIENT_IP>.62096: S
677256198:677256198(0) ack 1997275051 win 5840 <mss
1460,nop,nop,sackOK>
19:14:41.473203 IP <PUB_IP>.25 > <CLIENT_IP>.62096: S
677256198:677256198(0) ack 1997275051 win 5840 <mss
1460,nop,nop,sackOK>
19:14:46.213836 IP <CLIENT_IP>.62096 > <PUB_IP>.25: S
1997275050:1997275050(0) win 8192 <mss 1460,nop,nop,sackOK>

Thanks a lot for your patience!

-- 
Romain

2011/4/13 David Coulson <david@xxxxxxxxxxxxxxxx>:
>
>
> On 4/13/11 11:43 AM, Romain Meillon wrote:
>>
>> When the real server answers the client through the IPVS, the packet
>> is 'un-NATed' and arrives at the client with the public IP as source.
>
> Yep
>>
>> If I use direct routing, the IPVS redirects the packet without NAT, so
>> the services need to listen on the public IP on the real server?
>>
> Correct. You need to configure the virtual server IP on the real server,
> often as a /32 on the loopback. You also need to do some ARP magic to make
> it work properly.
>>
>> Real server tcpdump in gate mode :
>>
>> 17:30:25.934418 IP <CLIENT_IP>.60719 > <PUB_IP>.25: S
>> 1495274318:1495274318(0) win 8192 <mss 1460,nop,nop,sackOK>
>> 17:30:25.934423 IP <CLIENT_IP>.60719 > <PUB_IP>.25: S
>> 1495274318:1495274318(0) win 8192 <mss 1460,nop,nop,sackOK>
>> 17:30:25.934467 IP <CLIENT_IP>.60719 > <PUB_IP>.25: S
>> 1495274318:1495274318(0) win 8192 <mss 1460,nop,nop,sackOK>
>> 17:30:25.934471 IP <CLIENT_IP>.60719 > <PUB_IP>.25: S
>> 1495274318:1495274318(0) win 8192 <mss 1460,nop,nop,sackOK>
>> 17:30:25.934516 IP <CLIENT_IP>.60719 > <PUB_IP>.25: S
>> 1495274318:1495274318(0) win 8192 <mss 1460,nop,nop,sackOK>
>> 17:30:25.934538 IP 10.254.0.100 > <CLIENT_IP>: ICMP time exceeded
>> in-transit, length 56
>>
>> No service listening on this IP, no connection established, normal.
>
> Do you have a firewall rule in place blocking this? If nothing is listening,
> I'd at least expect a TCP RST to go back to the client.
>
> David
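
The two captures in this thread show one pattern: the SYN-ACK leaves the real server, yet the client keeps retransmitting its SYN, so the reply is evidently not reaching it. The script below is an added example, not code from the thread or from the LVS project. It parses text-mode tcpdump output (re-joining records that a mail client wrapped onto a second line, as in the captures above), tallies SYN, SYN-ACK, client ACK and RST packets per flow, and classifies each flow by how far its handshake got, which separates "nothing answers" (the earlier gate-mode capture) from "answers leave but never arrive" (this one). The capture it runs on is constructed with documentation-range addresses, and the verdict codes are this example's own names.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed input: tcpdump text output in the "Flags [..]" syntax. A record may
# have been wrapped onto a continuation line by a mail client; unwrap() joins it.
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# A flow is keyed from the client's side: (client, client_port, server, server_port).
Flow = Tuple[str, int, str, int]

# Verdict codes are this example's own naming, not tcpdump or LVS terminology.
ESTABLISHED = "ESTABLISHED"            # client acknowledged the SYN-ACK
HALF_OPEN = "HALF_OPEN_NO_CLIENT_ACK"  # SYN-ACK sent, client keeps re-sending SYN
REFUSED = "REFUSED_RST"                # a RST was seen on the flow
UNANSWERED = "SYN_UNANSWERED"          # repeated SYNs, no SYN-ACK and no RST
INCONCLUSIVE = "INCONCLUSIVE"          # too little traffic to say


def unwrap(text: str) -> List[str]:
    """Re-join tcpdump records whose tail was wrapped onto the next line."""
    records: List[str] = []
    for line in text.splitlines():
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def _flow_for(counts, src, sport, dst, dport) -> Flow:
    # Orient a non-SYN packet onto the flow its SYN created; if the capture
    # started mid-flow, the first packet seen is treated as the client's.
    fwd: Flow = (src, sport, dst, dport)
    rev: Flow = (dst, dport, src, sport)
    return fwd if fwd in counts or rev not in counts else rev


def count_handshake(text: str) -> Dict[Flow, Dict[str, int]]:
    """Tally SYN / SYN-ACK / client-ACK / RST packets per flow."""
    counts: Dict[Flow, Dict[str, int]] = defaultdict(
        lambda: {"syn": 0, "synack": 0, "ack": 0, "rst": 0}
    )
    for record in unwrap(text):
        m = LINE_RE.match(record)
        if not m:
            continue  # ICMP, ARP or anything else without TCP flags
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        flags = m["flags"]
        if flags == "S":
            counts[(src, sport, dst, dport)]["syn"] += 1  # SYN sender is the client
            continue
        flow = _flow_for(counts, src, sport, dst, dport)
        if flags == "S.":
            counts[flow]["synack"] += 1
        elif "R" in flags:
            counts[flow]["rst"] += 1
        elif "." in flags and src == flow[0]:
            counts[flow]["ack"] += 1  # any ACK-bearing packet from the client side
    return dict(counts)


def diagnose(text: str) -> Dict[Flow, str]:
    """Map each flow to a verdict code describing how its handshake ended."""
    verdicts: Dict[Flow, str] = {}
    for flow, c in count_handshake(text).items():
        if c["rst"]:
            verdicts[flow] = REFUSED
        elif c["ack"]:
            verdicts[flow] = ESTABLISHED
        elif c["synack"] and c["syn"] > 1:
            verdicts[flow] = HALF_OPEN
        elif c["syn"] > 1:
            verdicts[flow] = UNANSWERED
        else:
            verdicts[flow] = INCONCLUSIVE
    return verdicts


# Constructed sample capture (documentation-range addresses, not from the thread).
# The first flow mirrors the symptom above; the first two records are line-wrapped.
SAMPLE_CAPTURE = """\
19:14:37.720321 IP 192.0.2.10.62096 > 198.51.100.5.25: Flags [S], seq
1997275050, win 8192, options [mss 1460,nop,nop,sackOK], length 0
19:14:37.720684 IP 198.51.100.5.25 > 192.0.2.10.62096: Flags [S.], seq
677256198, ack 1997275051, win 5840, options [mss 1460,nop,nop,sackOK], length 0
19:14:40.662070 IP 192.0.2.10.62096 > 198.51.100.5.25: Flags [S], seq 1997275050, win 8192, length 0
19:14:40.662590 IP 198.51.100.5.25 > 192.0.2.10.62096: Flags [S.], seq 677256198, ack 1997275051, win 5840, length 0
19:14:46.660307 IP 192.0.2.10.62096 > 198.51.100.5.25: Flags [S], seq 1997275050, win 8192, length 0
19:14:50.000000 IP 192.0.2.11.40000 > 198.51.100.5.80: Flags [S], seq 1, win 8192, length 0
19:14:50.000200 IP 198.51.100.5.80 > 192.0.2.11.40000: Flags [S.], seq 2, ack 2, win 5840, length 0
19:14:50.000400 IP 192.0.2.11.40000 > 198.51.100.5.80: Flags [.], ack 3, win 8192, length 0
19:14:51.000000 IP 192.0.2.12.40001 > 198.51.100.5.443: Flags [S], seq 1, win 8192, length 0
19:14:54.000000 IP 192.0.2.12.40001 > 198.51.100.5.443: Flags [S], seq 1, win 8192, length 0
19:14:55.000000 IP 192.0.2.13.40002 > 198.51.100.5.22: Flags [S], seq 1, win 8192, length 0
19:14:55.000100 IP 198.51.100.5.22 > 192.0.2.13.40002: Flags [R.], seq 0, ack 2, win 0, length 0
"""

if __name__ == "__main__":
    for flow, verdict in diagnose(SAMPLE_CAPTURE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {verdict}")
```

Run it against a capture taken on the real server and one taken on the director: a HALF_OPEN verdict on both, as in the thread, says the reply is being generated and forwarded but lost on the return path (with direct routing the SYN-ACK goes straight from the real server to the client, so a MASQUERADE rule or a default route that rewrites or misroutes that reply is the first thing to rule out), whereas SYN_UNANSWERED points at the VIP not being bound or a filter dropping the SYN before a socket sees it.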
