LVS
lvs-users
[Top] [All Lists]
Google
 
Web LinuxVirtualServer.org
<prev [Date] next> <prev [Thread] next>

Re: Problems with LVS

from [David D.W. Downey] [Permanent Link]
To: Joseph Mack <mack.joseph@xxxxxxx>
Subject: Re: Problems with LVS
Cc: Nathan Polonski <Nathan.Polonski@xxxxxxxxxxxx>, "'lvs-users@xxxxxxxxxxxxxxxxxxxxxx'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: "David D.W. Downey" <david.downey@xxxxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 31 Aug 2000 14:00:54 -0500 (CDT) 
OK, hold up. which is it? You ARE supposed to be able to see the main
website from the back end machines or you are NOT supposed to be able to?

I have ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ

in my rules like I'm supposed to and I can NOT see the main website unless
I use the actual backend IP of the machine(s) hosting the website.

Clarification on this if you please.



On Thu, 31 Aug 2000, Joseph Mack wrote:

> > Nathan Polonski wrote:
> 
> > >The only way for packets to get from the real-servers to
> > >outside is to be de-NAT'ed by the director
> > >according to the tables which set up the LVS. Services not under
> > >the control of LVS can be routed normally.
> > 
> > So are you saying that when I have this up and running, the IP masquerading
> > command,
> > "ipchains -A forward -j MASQ -s 192.168.xxx.xxx/24 -d 0.0.0.0"
> > will provide the necessary info for de-NAT'ing?
> 
> This is the way I setup my VS-NAT till recently and is 
> OK for a test setup and may even be OK for production. 
> 
> This will de-NAT (or reverse NAT, no-one has a good name for it yet)
> _all_ ports(services) from _all_ real-servers to the outside world,
> whether there is a corresponding entry for that service on that
> real-server in ipvsadm or not. 
> 
> If you were LVS'ing ftp and http, then you only need 
> to de-NAT ftp and http from the real-servers that are running them. 
> My script (on the LVS website, it doesn't handle director failover)
> does the following on the director, making an entry for each real-server
> and each service one at at time.
> 
> #to handle the services on real-server1
> ipchains -A forward -p tcp -j MASQ -s name_real-server1 ftp -d 0.0.0.0/0
> ipchains -A forward -p tcp -j MASQ -s name_real-server1 http -d 0.0.0.0/0
> 
> #to handle the services on real-server2
> #if real-server2 only had ftp then you'd run this line only
> ipchains -A forward -p tcp -j MASQ -s name_real-server2 ftp -d 0.0.0.0/0
> #but not a line for real-server2 with http.
> 
> If you wanted to telnet directly to/from the realservers (independantly
> of the LVS) you would be hosed in your case.
> 
> Joe
> 

-- 
David D.W. Downey
Systems Administrator
RHCE, CUA/CLA
Internet Security Specialist
QIXO.com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Problems with LVS, Joseph Mack
Next by Date:  Re: Problems with LVS, David D.W. Downey
Previous by Thread:  Re: Problems with LVS, Joseph Mack
Next by Thread:  Re: Problems with LVS, Joseph Mack
Indexes:  [Date] [Thread] [Top] [All Lists]