
Re: [lvs-users] Help with LVS NAT and RHEL5.8

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Help with LVS NAT and RHEL5.8
Cc: "Liu, William" <wliu@xxxxxxx>
From: Malcolm Turnbull <malcolm@xxxxxxxxxxxxxxxx>
Date: Thu, 26 Jul 2012 18:43:41 +0100
Liu,

Yes, David is right, it is working as expected: Full-NAT, i.e. source IP
transparent.
If you want the real servers/backend servers to have Internet access
as well then you will need an iptables masquerade rule or something
similar for the outgoing traffic.

LVS Half-NAT or SNAT is in the mainline kernel; the old way of patching is
described here:
http://blog.loadbalancer.org/enabling-snat-in-lvs-xt_ipvs-and-iptables/

But to be honest if you want SNAT/proxy you'd be better off using
HAProxy which is well tested for that purpose...

On 26 July 2012 18:23, David Coulson <david@xxxxxxxxxxxxxxxx> wrote:
>
>
> On 7/26/12 12:40 PM, Liu, William wrote:
> > Hi,
> >
> > I am having a problem with an LVS NAT configuration where the packets do not look
> > like they are being masqueraded by LVS.   Here's my setup:
> >
> > LVS server has 3 interfaces: primary, nat_router, virtual IP
> > 172.5.111.74 -primary
> > 172.25.117.4 - nat router
> > 172.25.117.5 - virtual IP, port 80
> >                  |---- 172.28.12.56 (Real server)
> >
> > A client (172.25.111.8) that connects to 172.25.117.5 on port 80 never gets a
> > response back.  What I see on the real server (172.28.12.56) with tcpdump is:
> > 16:35:08.103968 IP 172.25.111.8.34271 > 172.28.12.56.http: S 
> > 1718115488:1718115488(0) win 5840 <mss 1460,sackOK,timestamp 500867550 
> > 0,nop,wscale 7>
> >
> > This shows the source IP of the client and NOT that of LVS.  I presume that in NAT
> > mode the source IP should be that of the "nat router"?  From my understanding
> > LVS should have done the header masquerading?  I shouldn't have to use
> > iptables?  Please let me know what I have to do for this function to work.
>
> There is a SNAT patch for LVS out on the Internet somewhere, but it is
> not supported by RedHat. With RHEL, none of the three (DR, NAT, TUN)
> mechanisms modify the source IP of the packets.
>
> If you use LVS-NAT, you need to make sure the real server routes the
> packet back through the LVS director so the 'un-NAT' can happen
> correctly before the request goes back to the client.
>
> David
>

--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
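A director-side LVS-NAT setup for the topology in this thread, with the two checks David and Malcolm describe (reply traffic must route back through the director; outbound Internet access for the real servers needs a separate MASQUERADE rule). This is an added example, not code from the thread or from Loadbalancer.org; it assumes, beyond what the posts state, an outward director interface named eth0, a real-server subnet of 172.28.12.0/24, and a director leg on that subnet at 172.28.12.1.

```shell
#!/bin/sh
# Added example for the LVS-NAT thread above; addresses from the original post,
# interface name, real-server subnet and director leg are assumptions.
VIP=172.25.117.5          # virtual IP from the post
RIP=172.28.12.56          # real server from the post
RS_NET=172.28.12.0/24     # assumed real-server subnet
OUT_IF=eth0               # assumed outward (client-facing) interface on the director

# Print commands instead of executing them when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# LVS-NAT ("-m") rewrites only the destination (VIP -> RIP) on the way in and
# the source (RIP -> VIP) on the way back. The client's source address is kept,
# which is exactly what the tcpdump in the post shows.
lvs_nat_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run ipvsadm -A -t "$VIP:80" -s rr
    run ipvsadm -a -t "$VIP:80" -r "$RIP:80" -m
    # Internet access for the real servers themselves (Malcolm's point) is not
    # done by IPVS: masquerade their own outbound traffic with iptables. IPVS has
    # already rewritten reply packets to the VIP before POSTROUTING, so the
    # source match below does not touch load-balanced replies.
    run iptables -t nat -A POSTROUTING -s "$RS_NET" -o "$OUT_IF" -j MASQUERADE
}

# David's point: the real server's default route must point at the director
# (its address on the real-server subnet), or replies are never un-NATed.
# $1 = text of `ip route` as run on the real server, $2 = expected gateway.
# Returns 0 when the default route goes via the director, 1 otherwise.
check_return_path() {
    printf '%s\n' "$1" | grep -q "^default via $2 " && return 0
    return 1
}

# Usage: DRY_RUN=1 sh this_file.sh   (shows the commands without running them)
if [ "${DRY_RUN:-0}" = 1 ]; then lvs_nat_setup; fi
```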
