[lvs-users] Local routing problem with ipvsadm and iptables

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] Local routing problem with ipvsadm and iptables
From: Eric PECHEUR <epecheur@xxxxxxxxx>
Date: Tue, 26 Apr 2011 16:10:56 +0200
Hello,

I am trying to filter a source IP destined for VIP1 (192.168.60.95) and
redirect it to a VIP2 (192.168.60.96) on the same server.
I am using the POSTROUTING and DNAT command in iptables with a forward rule, but
it does not work!

VIP1 is OK to directly reach server farm 1 through ipvsadm (VIP1).
VIP2 is OK to directly reach server farm 2 through ipvsadm (VIP2).

My iptables rule filters the flow of a source IP (192.168.100.41) and
redirects it to VIP2 (192.168.60.96).
tcpdump shows the packet on input, but not on output.
If I configure another IP external to the machine (without an ipvsadm service),
routing works fine!
If I configure VIP2 (heartbeat VIP) as the destination, nothing happens!
I do not understand.

IP forwarding is OK.

Here is my iptables script:

# Flush user-defined chains and the filter table's built-in chains
iptables -X
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# Default policies: accept everything
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Reset the nat table
iptables -t nat -X
iptables -t nat -F
iptables -t nat -P PREROUTING ACCEPT

echo "  + Enabling NAT"
echo 1 > /proc/sys/net/ipv4/ip_forward

# Rewrite the destination of traffic from 192.168.100.41 aimed at VIP1 so that it goes to VIP2
iptables -t nat -F PREROUTING
iptables -t nat -A PREROUTING -s 192.168.100.41/32 -d 192.168.60.95 \
    -j DNAT --to-destination 192.168.60.96

# Let the rewritten flow through FORWARD
iptables -A FORWARD -p tcp -s 192.168.100.41/32 -d 192.168.60.96/32 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT



root@lvs01:/etc# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  6093 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  112  6764 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG_DROP   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 6 level 4 prefix `FORWARD: '
    0     0 ACCEPT     tcp  --  *      *       192.168.10.41        192.168.60.96
    0     0 ACCEPT     tcp  --  *      *       192.168.10.41        192.168.50.0/24
    0     0 ACCEPT     tcp  --  *      *       192.168.50.0/24      192.168.10.0/24
    0     0 LOG_DROP   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  6093 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  130 19350 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG_DROP   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOG_DROP (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `[IPTABLES DROP]:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

root@lvs01:/etc# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.60.95:80 wlc
  -> 192.168.50.101:80            Masq    1      0          0
  -> 192.168.50.102:80            Masq    1      0          0
TCP  192.168.60.96:80 wlc
  -> 192.168.50.103:80            Masq    1      0          0



I'm using:
Debian squeeze, Linux 2.6.32-5-amd64
ipvsadm v1.25 2008/5/15 (compiled with popt and IPVS v1.2.1)

Please, I do not understand; thank you for your help!

Breizho
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
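A way to read a dump like the one above before changing anything, as an added example that is not part of the post: a small Python audit of `iptables -L -n -v` output. It parses the chains, reports rules that an earlier terminating rule makes unreachable, flags wide-open ACCEPTs that bypass a DROP policy, and sums the per-chain counters. Run on the posted dump (embedded below as a constructed sample, with the wrapped lines rejoined), it points out that the `ACCEPT all` catch-all in OUTPUT makes both the DROP policy and the LOG_DROP rule behind it unreachable, that INPUT accepts all TCP ahead of its DROP policy, and that every FORWARD counter is zero while INPUT and OUTPUT have hits, which is where to start looking when tcpdump sees packets arrive but not leave. Function and variable names are my own; the address-containment check assumes IPv4 dumps.

```python
import ipaddress
import re
from collections import namedtuple

ANY_ADDR = "0.0.0.0/0"
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # a matched packet never reaches later rules
# One parsed rule line; `extra` is the trailing match text (e.g. "state NEW"), "" if none.
Rule = namedtuple("Rule", "pkts target prot in_if out_if src dst extra")
# `policy` is None for user-defined chains such as LOG_DROP.
Chain = namedtuple("Chain", "name policy policy_pkts rules")

# Constructed sample: the `iptables -L -n -v` dump from the post, wrapped lines rejoined.
SAMPLE_DUMP = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  6093 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  112  6764 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG_DROP   all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 6 level 4 prefix `FORWARD: '
    0     0 ACCEPT     tcp  --  *      *       192.168.10.41        192.168.60.96
    0     0 ACCEPT     tcp  --  *      *       192.168.10.41        192.168.50.0/24
    0     0 ACCEPT     tcp  --  *      *       192.168.50.0/24      192.168.10.0/24
    0     0 LOG_DROP   all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  6093 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  130 19350 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG_DROP   all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain LOG_DROP (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `[IPTABLES DROP]:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

_CHAIN_RE = re.compile(r"^Chain (?P<name>\S+) \((?:policy (?P<policy>\S+) (?P<pkts>\w+) packets|\d+ references)")

def _count(tok):
    """iptables -v abbreviates large counters as 12K / 3M / 1G."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)

def parse_iptables(text):
    chains = []
    for line in text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            chains.append(Chain(m["name"], m["policy"], _count(m["pkts"]) if m["policy"] else 0, []))
            continue
        parts = line.split()
        if len(parts) < 9 or parts[0] == "pkts" or not chains:
            continue  # blank line, column header, or text before the first chain
        pkts, _bytes, target, prot, _opt, in_if, out_if, src, dst = parts[:9]
        chains[-1].rules.append(Rule(_count(pkts), target, prot, in_if, out_if, src, dst, " ".join(parts[9:])))
    return chains

def _addr_covers(outer, inner):
    if outer == inner:
        return True
    if outer.startswith("!") or inner.startswith("!"):
        return False  # negated address match: only an identical rule counts as a superset
    return ipaddress.ip_network(inner, strict=False).subnet_of(ipaddress.ip_network(outer, strict=False))

def _covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer` (IPv4 dumps)."""
    return (outer.extra == "" and outer.prot in ("all", inner.prot)
            and outer.in_if in ("*", inner.in_if) and outer.out_if in ("*", inner.out_if)
            and _addr_covers(outer.src, inner.src) and _addr_covers(outer.dst, inner.dst))

def audit(chains):
    """Rules that can never match, and ACCEPTs that make a DROP policy moot."""
    findings = []
    for c in chains:
        for i, outer in enumerate(c.rules, start=1):
            if outer.target not in TERMINATING:
                continue
            for inner in c.rules[i:]:  # every rule after `outer`
                if _covers(outer, inner):
                    findings.append(f"{c.name}: rule {i} ({outer.target} {outer.prot}) shadows later rule "
                                    f"{inner.target} {inner.prot} {inner.src} -> {inner.dst}")
            probe = Rule(0, "", outer.prot, "*", "*", ANY_ADDR, ANY_ADDR, "")  # "any to any" for this protocol
            if c.policy == "DROP" and outer.target == "ACCEPT" and _covers(outer, probe):
                scope = "all traffic" if outer.prot == "all" else f"all {outer.prot}"
                findings.append(f"{c.name}: rule {i} accepts {scope} from any to any; DROP policy bypassed")
    return findings

def traffic_by_chain(chains):
    """Per-chain activity: rule hits plus policy hits.  A packet that hits LOG and
    then DROP is counted twice, so read this as zero / non-zero, not as a total."""
    return {c.name: c.policy_pkts + sum(r.pkts for r in c.rules) for c in chains}

if __name__ == "__main__":
    parsed = parse_iptables(SAMPLE_DUMP)
    for name, hits in traffic_by_chain(parsed).items():
        print(f"{name:9s} {hits:6d} packets accounted for")
    print(*audit(parsed), sep="\n")
```

Running the block prints the per-chain totals and the three findings for the sample; feed it the output of `iptables -L -n -v` from the box in place of the sample to audit a live ruleset.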
