Evening folks,

I've got a few problems here that I just cannot figure out.

My setup is as follows. I have UltraMonkey (ultramonkey.sourceforge.net) installed. I have the IPs rolling over correctly (the IPs for the fake server and the NAT device). I'm using a serial null modem connection to get that running correctly. The problem that I have is on the load balancing.

I have any requests coming in on the fake IP on the internet side sending every single request to the same machine. I have 3 total machines listed and only one being hit.

My setup is as follows...
ha.cf
=====
serial /dev/ttyS0
baud 19200
udpport 694
udp eth0
udp eth1
watchdog /dev/watchdog
nice_failback off
debugfile /var/log/ha-debug
logfile /var/log/ha-log
logfacility local0
node vs-00.qixo.org
node vs-01.qixo.org
haresources
===========
vs-00.qixo.org IPaddr::216.200.192.111/24/eth0 IPaddr::192.168.1.254/24/eth1 ldirectord::ldirectord.cf
ldirectord.cf
============
timeout=3
checkinterval=1
fallback=127.0.0.1:80
virtual=216.200.192.111:80
        real=192.168.1.12:80 masq
        real=192.168.1.10:80 masq
        real=192.168.1.11:80 masq
        service=http
        request="index.htm"
        receive="QIXO"
        scheduler=rr
        #persistent=600
        protocol=tcp

(NOTE: Bear in mind that "fallback" is not running HTTP, I just filled it in so it would quit bitching.)
ipchains + ipmasqadm
=================
ipchains -A forward -s 192.168.1.0/24 -j MASQ
ipchains -A input -j ACCEPT -i eth1
ipchains -A output -j ACCEPT -i eth1
ipchains -A input -j ACCEPT -p tcp -d 216.200.192.111 www
ipchains -A input -j ACCEPT -p tcp -d 216.200.192.111 domain
ipchains -A input -j ACCEPT -p udp -d 216.200.192.111 domain
ipchains -A input -j ACCEPT -p tcp -d 216.200.192.111 ssh
ipchains -A input -j ACCEPT -p tcp -d 216.200.192.111 ssh
ipchains -A input -j ACCEPT -p tcp -d 216.200.192.111 telnet
ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
ipchains -A forward -s 216.200.192.0/24 -d 192.168.1.0/24 -j ACCEPT
ipchains -M -S 7200 10 160
ipchains -I input -p tcp -y -d 192.168.1.0/32 80 -m 1
ipmasqadm mfw -I -m 3 -r 192.168.1.12 80 -p 10
ipmasqadm mfw -I -m 2 -r 192.168.1.11 80 -p 10
ipmasqadm mfw -I -m 1 -r 192.168.1.10 80 -p 10
ipmasqadm autofw -A -r tcp 80 80 -h 192.168.1.12
ipmasqadm autofw -A -r tcp 80 80 -h 192.168.1.11
ipmasqadm autofw -A -r tcp 80 80 -h 192.168.1.10
ipvsadm -A -t 216.200.192.111:80 -s rr
ipvsadm -a -t 216.200.192.111:80 -r 192.168.1.12 -m
ipvsadm -a -t 216.200.192.111:80 -r 192.168.1.11 -m
ipvsadm -a -t 216.200.192.111:80 -r 192.168.1.10 -m
Output of ipmasqadm mfw -L
=====================
[root@vs-00 /root]# ipmasqadm mfw -L
fwmark rediraddr       rport pcnt pref
1      ws-00.qixo.org  www   10   10
2      ws-01.qixo.org  www   10   10
3      ws-02.qixo.org  www   10   10
[root@vs-00 /root]#
Output of netstat -M -l
=================
[root@vs-00 /root]# netstat -M -l
IP masquerading entries
prot expire     source          destination     ports
tcp  111:40.42  ws-02.qixo.org  206.86.181.54   2495 -> 6000 (62319)
tcp  119:04.31  ws-02.qixo.org  206.86.181.54   2498 -> 6000 (62322)
tcp  111:40.50  ws-02.qixo.org  206.86.181.54   2499 -> 6000 (62323)
tcp  111:40.64  ws-02.qixo.org  206.86.181.54   2500 -> 6000 (62324)
[root@vs-00 /root]#
Output of ipchains -M -L
==================
[root@vs-00 /root]# ipchains -M -L
IP masquerading entries
prot expire     source          destination     ports
TCP  110:34.94  ws-02.qixo.org  206.86.181.54   2495 (62319) -> 6000
TCP  119:58.80  ws-02.qixo.org  206.86.181.54   2498 (62322) -> 6000
TCP  110:35.02  ws-02.qixo.org  206.86.181.54   2499 (62323) -> 6000
TCP  110:35.16  ws-02.qixo.org  206.86.181.54   2500 (62324) -> 6000
[root@vs-00 /root]#
Output of ipchains -L
=====================
[root@vs-00 /root]# ipchains -L
Chain input (policy ACCEPT):
target  prot  opt     source            destination       ports
-       tcp   -y----  anywhere          192.168.1.0       any -> www
ACCEPT  all   ------  anywhere          anywhere          n/a
ACCEPT  tcp   ------  anywhere          www.qixo.org      any -> www
ACCEPT  tcp   ------  anywhere          www.qixo.org      any -> domain
ACCEPT  udp   ------  anywhere          www.qixo.org      any -> domain
ACCEPT  tcp   ------  anywhere          www.qixo.org      any -> ssh
ACCEPT  tcp   ------  anywhere          www.qixo.org      any -> ssh
ACCEPT  tcp   ------  anywhere          www.qixo.org      any -> telnet
Chain forward (policy ACCEPT):
target  prot  opt     source            destination       ports
MASQ    all   ------  192.168.1.0/24    anywhere          n/a
ACCEPT  all   ------  192.168.1.0/24    192.168.1.0/24    n/a
ACCEPT  all   ------  216.200.192.0/24  192.168.1.0/24    n/a
Chain output (policy ACCEPT):
target  prot  opt     source            destination       ports
ACCEPT  all   ------  anywhere          anywhere          n/a
[root@vs-00 /root]#
I cannot figure out what in the hell the problem is. No matter what I do, including rebooting, I cannot clear out the entries listed in ipchains -M -L. It continuously shows ws-02 as being the only allowed entry.

Anyone got a clue here?
---
David D.W. Downey
RHCE, UNIX/Linux/Win 9x Administrator
Linux Systems Administrator
Member OSWG, LPI, SAGE, HTML Writers Guild
QIXO, Inc.
Certified Internet Security Specialist
http://www.QIXO.com
W: (408) 514-6400  F: (408) 516-9090
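An added check, not part of David's post and not code from UltraMonkey, ldirectord or ipvsadm: a small POSIX shell script that reads the output of `ipvsadm -L -n` and reports how many real servers in a virtual service have actually handled connections, so a "one box gets everything" pool is flagged by the director's own table rather than by reading masquerading entries by eye. The two samples embedded below are constructed to mirror the poster's three real servers behind 216.200.192.111:80; header wording differs between ipvsadm releases, so only the `->` real-server lines are parsed, and the column layout (Forward, Weight, ActiveConn, InActConn) is the one current ipvsadm prints.

```shell
#!/bin/sh
# Added example, not from the original post or from ipvsadm/ldirectord.
# Reads `ipvsadm -L -n` output on stdin and reports how many real servers
# have seen connections, to make a skewed round-robin pool visible.
#
# Both samples are constructed. They mirror the poster's real servers and
# the ActiveConn/InActConn columns of ipvsadm -L -n. Only lines beginning
# with '->' and carrying numeric counters are parsed, so differing header
# text between ipvsadm versions does not matter.

SAMPLE_SKEWED='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  216.200.192.111:80 rr
  -> 192.168.1.12:80              Masq    1      4          11
  -> 192.168.1.11:80              Masq    1      0          0
  -> 192.168.1.10:80              Masq    1      0          0'

SAMPLE_BALANCED='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  216.200.192.111:80 rr
  -> 192.168.1.12:80              Masq    1      2          3
  -> 192.168.1.11:80              Masq    1      1          4
  -> 192.168.1.10:80              Masq    1      2          3'

# Emit "realserver:port active inactive" for every real-server line.
# The column header also starts with '->', so require numeric counters.
rs_conns() {
    awk '$1 == "->" && $5 ~ /^[0-9]+$/ && $6 ~ /^[0-9]+$/ { print $2, $5, $6 }'
}

# Number of real servers that have handled at least one connection
# (counted as active or still sitting in the inactive/teardown table).
busy_rs_count() {
    rs_conns | awk '$2 + $3 > 0 { n++ } END { print n + 0 }'
}

# Number of real servers listed for the service.
total_rs_count() {
    rs_conns | awk 'END { print NR }'
}

# Return 0 when traffic reached more than one real server (or only one is
# configured); return 1 when a multi-server pool has everything on one box.
check_spread() {
    input=$(cat)
    total=$(printf '%s\n' "$input" | total_rs_count)
    busy=$(printf '%s\n' "$input" | busy_rs_count)
    if [ "$total" -gt 1 ] && [ "$busy" -le 1 ]; then
        echo "WARNING: $busy of $total real servers have received connections" >&2
        return 1
    fi
    echo "OK: $busy of $total real servers have received connections"
    return 0
}

# Stand-alone demo on the constructed samples. On a live director run:
#   ipvsadm -L -n | check_spread
printf '%s\n' "$SAMPLE_SKEWED"   | check_spread || true
printf '%s\n' "$SAMPLE_BALANCED" | check_spread
```

One point worth keeping in mind when reading the dumps above: `ipchains -M -L` and `netstat -M` print the kernel's IP masquerading table, and the entries shown there are outbound connections from ws-02 to port 6000 on a remote host, not the virtual server's inbound HTTP sessions. LVS keeps its own connection state, which is what `ipvsadm -L -n` (and, on newer ipvsadm, `ipvsadm -L -c -n` for the per-connection table) reports, so that is the table to watch when checking whether `-s rr` is actually rotating across the real servers.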