> Hi,
>
>
> I have a strange problem and I can't seem to find clear information on how to do this.
>
>
> I have 2 load balancers set up with keepalived in NAT mode, with 2 interfaces each:
>
>
> internal vip - 192.168.0.199
> external vip - 195.x.x.21
>
> lb1 - master
> bond0 - private - 192.168.0.239
> eth5 - public - 195.x.x.41
>
>
> lb1 - slave
> bond0 - private - 192.168.0.238
> eth5 - public - 195.x.x.42
>
>
>
>
> Results of watch -n 0.5 ipvsadm -ln:
>
>
> Every 0.5s: ipvsadm -ln                                  Tue Jun 7 14:15:25 2011
>
> IP Virtual Server version 1.2.1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
> -> RemoteAddress:Port Forward Weight ActiveConn InActConn
> TCP 192.168.0.198:3306 wrr
> -> 192.168.0.239:4041 Local 1 0 0
> TCP 192.168.0.199:80 rr
> -> 192.168.0.235:80 Masq 1 0 0
> -> 192.168.0.236:80 Masq 1 0 0
> -> 192.168.0.237:80 Masq 1 0 0
> TCP 192.168.0.199:443 rr
> -> 192.168.0.235:443 Masq 1 0 0
> -> 192.168.0.236:443 Masq 1 0 0
> -> 192.168.0.237:443 Masq 1 0 0
>
>
>
>
> I can't seem to NAT incoming connections from the external IP to the internal IP.
> I have managed to allow outgoing connections from the cluster to the public network using
>
>
> iptables -t nat -A POSTROUTING -o eth5 -j MASQUERADE
>
>
> or
>
> iptables -t nat -A POSTROUTING ! -d 192.168.0.1/24 -j SNAT --to 195.x.x.21
>
>
>
> I have tried this:
>
> iptables -t nat -A PREROUTING --dst 195.x.x.21 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.235
>
> which works but directs traffic to 1 server in the cluster, but if I
> try the internal VIP I get nothing:
>
>
> iptables -t nat -A PREROUTING --dst 195.x.x.21 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.199
>
>
>
>
> When I test with wget from any LAN PC I get the following error in syslog:
>
> Jun 7 14:11:30 lb1 kernel: [ 6845.854613] ip_rt_bug: 217.35.126.204 -> 192.168.0.199, eth5
>
>
> Can anyone help?
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
I have tried the following:

iptables -t nat -A PREROUTING --dst 195.x.x.21 -p tcp --dport 80 -j LOG --log-level warn --log-prefix "INPUT port80-"
iptables -t nat -A PREROUTING -i eth5 --dst 195.x.x.21 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.199:80
iptables -t nat -A POSTROUTING ! -d 192.168.0.1/24 -j LOG --log-level warn --log-prefix "OUT port80-"
iptables -t nat -A PREROUTING --dst 195.x.x.21 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.199:80
and in my /var/log/messages I see the following when trying to access the
internal VIP, either by telnetting to the public VIP, or with netcat or wget,
or in a browser:
Jun 7 16:04:20 lb1 kernel: [13615.643902] INPUT port80-IN=eth5 OUT= MAC=60:eb:69:dc:17:ab:ec:c8:82:e4:ee:01:08:00 SRC=217.35.126.204 DST=195.x.x.21 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=35908 DF PROTO=TCP SPT=38764 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Jun 7 16:00:44 lb1 kernel: [13399.730256] OUT port80-IN= OUT=eth5 SRC=192.168.0.237 DST=74.201.14.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=58040 DF PROTO=TCP SPT=35769 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
These are the same messages I get when I use a physical server in the
iptables rules, such as 192.168.0.237, instead of the VIP.
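The LOG records and the ip_rt_bug notice quoted in this thread are easier to reason about once their fields are pulled apart and each record is labelled by where it sits relative to the balancer (arriving on the public interface for the public VIP, leaving a backend through the public interface, or the kernel complaining about a packet for the internal VIP on eth5). The script below is an added example for that triage; it is not code from the thread or from the LVS project. It parses the standard iptables LOG key=value format and the kernel's "ip_rt_bug: src -> dst, dev" line. The sample lines are the ones posted above, reassembled from their wrapped form; the VIPs, interface name and internal subnet are parameters whose defaults are taken from the post, and the label names are this example's own.

```python
import ipaddress
import re

# Log lines from the thread above, reassembled from the mail's line wrapping.
SAMPLE_LINES = [
    "Jun 7 16:04:20 lb1 kernel: [13615.643902] INPUT port80-IN=eth5 OUT= "
    "MAC=60:eb:69:dc:17:ab:ec:c8:82:e4:ee:01:08:00 SRC=217.35.126.204 "
    "DST=195.x.x.21 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=35908 DF PROTO=TCP "
    "SPT=38764 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0",
    "Jun 7 16:00:44 lb1 kernel: [13399.730256] OUT port80-IN= OUT=eth5 "
    "SRC=192.168.0.237 DST=74.201.14.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=58040 DF PROTO=TCP SPT=35769 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jun 7 14:11:30 lb1 kernel: [ 6845.854613] ip_rt_bug: "
    "217.35.126.204 -> 192.168.0.199, eth5",
]

KV_RE = re.compile(r"(\w+)=(\S*)")                 # IN=eth5, SRC=..., DPT=80, OUT= (empty)
BARE_FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# The --log-prefix text sits between the kernel timestamp and the first IN= token.
PREFIX_RE = re.compile(r"kernel: \[\s*[\d.]+\]\s*(.*?)IN=")
RT_BUG_RE = re.compile(r"ip_rt_bug:\s*(\S+) -> (\S+), (\S+)")


def parse_nf_log(line):
    """Parse one iptables LOG record into a dict; return None for other lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"PREFIX": m.group(1).strip()}
    rec.update(KV_RE.findall(line))          # key=value tokens, value may be empty
    rec["FLAGS"] = {tok for tok in line.split() if tok in BARE_FLAGS}
    return rec


def parse_rt_bug(line):
    """Return (src, dst, device) from a kernel ip_rt_bug notice, else None."""
    m = RT_BUG_RE.search(line)
    return m.groups() if m else None


def _in_net(addr, net):
    """True if addr lies in net; masked or malformed addresses (195.x.x.21) give False."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(net)
    except ValueError:
        return False


def classify(rec, public_vip, internal_vip, public_if, internal_net):
    """Label a parsed LOG record by its position relative to the load balancer."""
    if rec.get("IN") == public_if and rec.get("DST") == public_vip:
        return "inbound-to-public-vip"
    if rec.get("OUT") == public_if and rec.get("DST") == internal_vip:
        return "internal-vip-via-public-if"    # a private VIP should never leave on eth5
    if rec.get("OUT") == public_if and _in_net(rec.get("SRC", ""), internal_net):
        return "outbound-from-backend"
    return "other"


def triage(lines, public_vip="195.x.x.21", internal_vip="192.168.0.199",
           public_if="eth5", internal_net="192.168.0.0/24"):
    """Walk log lines and return a list of (label, one-line summary) findings."""
    findings = []
    for line in lines:
        rt = parse_rt_bug(line)
        if rt:
            src, dst, dev = rt
            findings.append(("ip_rt_bug", f"kernel routing complaint for {src} -> {dst} on {dev}"))
            continue
        rec = parse_nf_log(line)
        if rec is None:
            continue
        label = classify(rec, public_vip, internal_vip, public_if, internal_net)
        flags = "+".join(sorted(rec["FLAGS"]))
        findings.append((label, f"{rec['PREFIX']} {rec.get('SRC')}:{rec.get('SPT')} -> "
                                f"{rec.get('DST')}:{rec.get('DPT')} [{flags}]"))
    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LINES):
        print(f"{label:30} {detail}")
```

To run it against a live box, pass the file object instead of the embedded list, for example `triage(open("/var/log/messages"))`, and widen the rules with a second LOG target after the DNAT rule so the post-translation destination shows up in the log as well; the labels then tell you at which hop the packet for the internal VIP stops matching what you expect.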