so, instead of:
> [root@phl /root]# /sbin/ip rule show
> 0: from all lookup local
> 32766: from all lookup main
> 32767: from all lookup 253
> 33000: from 192.168.1.0/24 lookup 100
> 34000: from all lookup 200
> [root@phl /root]# /sbin/ip route show table 100
> default via 192.168.1.1 dev eth0
> [root@phl /root]# /sbin/ip route show table 200
> default via 64.211.224.161 dev eth0
i tried:
[root@phl /root]# /sbin/ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup 253
33000: from 64.211.224.160/28 lookup 200
34000: from all lookup 100
[root@phl /root]# /sbin/ip route show table 100
default via 192.168.1.1 dev eth0
[root@phl /root]# /sbin/ip route show table 200
default via 64.211.224.161 dev eth0
[root@phl /root]#
i.e.: instead of specifying 192.168.1.0/24 as gw 192.168.1.1 and having
64.211.224.161 be the default, i instead specified 64.211.224.160/28 as
gw 64.211.224.161 and left 192.168.1.1 as the default.
for some reason, ntp likes this. i have no idea why. it makes little
sense to me, but it works. maybe ntp writes source addresses funny
somehow (but then it shouldn't have worked through normal masq) or maybe
iproute stuff is broken somehow (but everything else worked) or maybe i'm
just too inexperienced to realize i missed something.
nevertheless, that solved it, for those curious.
-tcl.
On Wed, 15 Nov 2000, tc lewis wrote:
>
> not much of an lvs issue again, but hey, you guys are smart.
>
> i've got a machine that i'm using as a mail server and name server behind
> lvs using dr. that machine also needs to get to the outside world, but it
> doesn't have a real ip, so it goes through a separate masq server for
> that. all works well, but not now that i'm trying to make it an ntp
> server also. here's the setup:
>
> jfk: lvs
> lga: masq
> phl: real server in question.
>
> - - - - -
>
> jfk: 192.168.1.2 on eth1. a few real ips on eth2 for incoming service
> requests which get directed to misc real servers. gateway 64.211.224.161
> via eth2:
>
> [root@jfk /root]# /sbin/route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 64.211.224.166  0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 192.168.1.2     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 64.211.224.165  0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 64.211.224.162  0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 64.211.224.163  0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 192.168.0.2     0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 64.211.224.160  0.0.0.0         255.255.255.240 U     0      0        0 eth2
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         64.211.224.161  0.0.0.0         UG    0      0        0 eth2
> [root@jfk /root]# /sbin/ipchains -L -n ; /sbin/ipvsadm -L -n
> Chain input (policy ACCEPT):
> Chain forward (policy DENY):
> Chain output (policy ACCEPT):
> IP Virtual Server version 1.0.0-beta1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> UDP  64.211.224.162:53 lc
>   -> 192.168.1.11:53              Route   1      0          0
> UDP  64.211.224.163:53 lc
>   -> 192.168.1.12:53              Route   1      0          0
> TCP  64.211.224.166:22 lc
>   -> 192.168.1.21:22              Route   1      1          0
> TCP  64.211.224.166:25 lc
>   -> 192.168.1.21:25              Route   1      0          0
> TCP  64.211.224.165:80 lc persistent 360
>   -> 192.168.1.101:80             Route   1      0          0
>   -> 192.168.1.102:80             Route   1      0          0
> [root@jfk /root]# cat /etc/sysctl.conf
> # Enables packet forwarding (the LVS director must forward)
> net.ipv4.ip_forward = 1
> # Enables source route verification (reverse-path filter)
> net.ipv4.conf.all.rp_filter = 1
> # Disables automatic defragmentation (0 = off; masquerading and LVS-NAT need 1, LVS-DR does not)
> net.ipv4.ip_always_defrag = 0
> # Enables the magic-sysrq key
> kernel.sysrq = 1
>
> # -tcl.
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.eth1.send_redirects = 0
> net.ipv4.conf.eth2.send_redirects = 0
> #
>
> - - - - -
>
> lga: 192.168.1.1 on eth1. a few real ips on eth2 for outgoing
> masquerading. gateway 64.211.224.161 on eth2.
>
> [root@lga /root]# /sbin/route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 64.211.224.167  0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 64.211.224.164  0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 64.211.224.160  0.0.0.0         255.255.255.240 U     0      0        0 eth2
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         64.211.224.161  0.0.0.0         UG    0      0        0 eth2
> [root@lga /root]# /sbin/ipchains -L -n ; /sbin/ipvsadm -L -n
> Chain input (policy ACCEPT):
> Chain forward (policy DENY):
> target     prot opt     source                destination           ports
> MASQ       all  ------  192.168.1.41          0.0.0.0/0             n/a
> MASQ       all  ------  192.168.1.21          0.0.0.0/0             n/a
> Chain output (policy ACCEPT):
> [root@lga /root]# cat /etc/sysctl.conf
> # Enables packet forwarding (the masquerading box must forward)
> net.ipv4.ip_forward = 1
> # Enables source route verification (reverse-path filter)
> net.ipv4.conf.all.rp_filter = 1
> # Disables automatic defragmentation (0 = off; masquerading and LVS-NAT need 1)
> net.ipv4.ip_always_defrag = 0
> # Enables the magic-sysrq key
> kernel.sysrq = 1
>
> # -tcl.
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.eth1.send_redirects = 0
> net.ipv4.conf.eth2.send_redirects = 0
> #
>
> - - - - -
>
> phl: 192.168.1.21 on eth0. other 192.168.1 addresses on eth0 also. lots
> of other ips on other interfaces for internal network stuff. no gateway
> in the routing table -- that's handled with iproute2 so that requests via
> lvs go back through the 64.211.224.161 gateway directly, but connections
> originating on phl go through 192.168.1.1 for masquerading. this config
> works for incoming dns and mail requests, and works for outgoing traffic
> such as nameservice requests, outgoing mail, pings, and other normal
> outgoing traffic.
>
> [root@phl /root]# /sbin/route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.2.10    0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 192.168.2.13    0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 192.168.1.21    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
> 192.168.3.21    0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 64.211.224.162  0.0.0.0         255.255.255.255 UH    0      0        0 lo
> 64.211.224.163  0.0.0.0         255.255.255.255 UH    0      0        0 lo
> 192.168.2.14    0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 192.168.1.11    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
> 192.168.1.10    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
> 192.168.3.10    0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 192.168.1.13    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
> 192.168.3.13    0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 192.168.2.21    0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 192.168.1.12    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
> 192.168.1.14    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
> 192.168.3.14    0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 64.211.224.160  0.0.0.0         255.255.255.240 U     0      0        0 eth0
> 192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> [root@phl /root]# /sbin/ip rule show
> 0: from all lookup local
> 32766: from all lookup main
> 32767: from all lookup 253
> 33000: from 192.168.1.0/24 lookup 100
> 34000: from all lookup 200
> [root@phl /root]# /sbin/ip route show table 100
> default via 192.168.1.1 dev eth0
> [root@phl /root]# /sbin/ip route show table 200
> default via 64.211.224.161 dev eth0
> [root@phl /root]# cat /etc/sysctl.conf
> # Enables packet forwarding
> net.ipv4.ip_forward = 1
> # Enables source route verification (reverse-path filter)
> net.ipv4.conf.all.rp_filter = 1
> # Disables automatic defragmentation (0 = off; masquerading and LVS-NAT need 1)
> net.ipv4.ip_always_defrag = 0
> # Enables the magic-sysrq key
> kernel.sysrq = 1
>
> # -tcl.
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.eth0.send_redirects = 0
> # LVS-DR "hidden" patch: do not answer ARP for the VIPs configured on lo
> net.ipv4.conf.all.hidden = 1
> net.ipv4.conf.lo.hidden = 1
> #
>
> - - - - -
>
> so that's the setup. here's what happens when i try, for example, an
> ntpdate:
>
> [root@phl /root]# /usr/sbin/ntpdate ntp.nasa.gov
> 15 Nov 18:10:25 ntpdate[1256]: no server suitable for synchronization found
>
> tcpdump on phl:
> 18:10:21.231494 lo > 127.0.0.1.1025 > 127.0.0.1.domain: 14459+ A? ntp.nasa.gov. (30)
> 18:10:21.231494 lo < 127.0.0.1.1025 > 127.0.0.1.domain: 14459+ A? ntp.nasa.gov. (30)
> 18:10:21.231666 lo > 127.0.0.1.domain > 127.0.0.1.1025: 14459 2/0/0 CNAME nsipo.nasa.gov., A 143.232.55.13 (66)
> 18:10:21.231666 lo < 127.0.0.1.domain > 127.0.0.1.1025: 14459 2/0/0 CNAME nsipo.nasa.gov., A 143.232.55.13 (66)
> 18:10:21.331314 eth0 > 192.168.1.21.ntp > 143.232.55.13.ntp: v3 client strat 0 poll 4 prec -6
> 18:10:22.331286 eth0 > 192.168.1.21.ntp > 143.232.55.13.ntp: v3 client strat 0 poll 4 prec -6
> 18:10:23.331282 eth0 > 192.168.1.21.ntp > 143.232.55.13.ntp: v3 client strat 0 poll 4 prec -6
> 18:10:24.331281 eth0 > 192.168.1.21.ntp > 143.232.55.13.ntp: v3 client strat 0 poll 4 prec -6
>
> tcpdump on lga and jfk reveals no traffic.
>
> it should be getting to lga at least, though:
>
> [root@phl /root]# /sbin/ip route get from 192.168.1.21 to 143.232.55.13
> 143.232.55.13 from 192.168.1.21 via 192.168.1.1 dev eth0
> cache mtu 1500 rtt 375ms
>
> but it's not.
> i tried an ntpdate from another machine inside my network here on a
> machine with no advanced routing--just masquerading through 192.168.1.1
> (that 192.168.1.41 ip if you refer to lga's ipchains table), and it works
> as expected:
>
> [root@ith /root]# /usr/sbin/ntpdate ntp.nasa.gov
> 15 Nov 18:13:51 ntpdate[6907]: adjust time server 143.232.55.13 offset 0.071391 sec
>
>
> any ideas on what i may be missing here?
>
> -tcl.
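The two `ip rule` sets in this thread differ only in which sources are caught by the explicit selector and which fall through to the catch-all, and that difference is easy to reason about with a small model of how the kernel walks rules and tables. The block below is an added example, not code from the original posts or from the LVS or iproute2 projects. It builds phl's tables from the `ip rule show` / `ip route show table` output quoted above (the main table is reduced to phl's interface routes; the per-host routes never decide an off-link next hop and are left out as an assumption of the model) and resolves the next hop for a given source and destination the way `fib_lookup` does: rules in ascending priority, a rule skipped when its `from` prefix does not cover the source, and a rule whose table has no route for the destination falling through to the next one. It also resolves source `0.0.0.0`, which is the source address the lookup sees for a socket that has not yet been bound to a local address and what `ip route get <dst>` uses when no `from` is given; the post's check used `from 192.168.1.21`, so it only exercised the bound-source path. Whether ntpdate's socket actually took the unbound path on phl is not something the thread shows; the model only makes the difference between the two rule sets visible.

```python
"""Toy model of Linux policy routing (ip rule + per-table routes).

Added example built from the tables quoted in the thread; not the original
poster's code. Assumption: phl's main table is reduced to its interface
routes, and the kernel's rule/table walk is modelled, not executed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net          # destination prefix; "default" is 0.0.0.0/0
    via: Optional[str]       # next-hop gateway, None when directly connected
    dev: str


@dataclass(frozen=True)
class Rule:
    prio: int
    src: Optional[IPv4Net]   # "from" selector; None means "from all"
    table: str


def _route(prefix: str, dev: str, via: Optional[str] = None) -> Route:
    return Route(IPv4Net(prefix), via, dev)


# phl's interface routes from its `route -n` (host routes omitted, see above).
MAIN = [
    _route("192.168.1.0/24", "eth0"),
    _route("192.168.2.0/24", "eth1"),
    _route("192.168.3.0/24", "eth2"),
    _route("64.211.224.160/28", "eth0"),
    _route("127.0.0.0/8", "lo"),
]
TABLES: Dict[str, List[Route]] = {
    "local": [],   # phl's own addresses; not needed for off-host destinations
    "main": MAIN,
    "253": [],     # empty on phl
    "100": [_route("0.0.0.0/0", "eth0", via="192.168.1.1")],     # lga, the masq box
    "200": [_route("0.0.0.0/0", "eth0", via="64.211.224.161")],  # upstream router
}

# Rule sets from the thread. Priorities 0/32766/32767 are the kernel defaults.
COMMON = [Rule(0, None, "local"), Rule(32766, None, "main"), Rule(32767, None, "253")]
ORIGINAL = COMMON + [Rule(33000, IPv4Net("192.168.1.0/24"), "100"), Rule(34000, None, "200")]
SWAPPED = COMMON + [Rule(33000, IPv4Net("64.211.224.160/28"), "200"), Rule(34000, None, "100")]


def lookup_table(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match within one table; None when the table has no route."""
    best = None
    for route in table:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def resolve(rules: List[Rule], src: str, dst: str) -> Tuple[Optional[str], Optional[Route]]:
    """Return (table, route) chosen for a packet src -> dst.

    Rules are tried in ascending priority. A rule whose "from" prefix does not
    cover src is skipped (0.0.0.0 matches no non-zero prefix, which is why an
    unbound-socket lookup never hits "from 192.168.1.0/24"); a rule whose table
    has no route for dst falls through to the next rule.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src is not None and s not in rule.src:
            continue
        route = lookup_table(TABLES.get(rule.table, []), d)
        if route is not None:
            return rule.table, route
    return None, None


def next_hop(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """Gateway used for src -> dst, "direct" if on-link, None if unroutable."""
    _, route = resolve(rules, src, dst)
    if route is None:
        return None
    return route.via or "direct"


if __name__ == "__main__":
    NTP_SERVER = "143.232.55.13"  # ntp.nasa.gov as resolved in the thread
    for name, rules in (("original", ORIGINAL), ("swapped", SWAPPED)):
        for src in ("192.168.1.21", "64.211.224.162", "0.0.0.0"):
            print(f"{name:8s} from {src:15s} to {NTP_SERVER}: via {next_hop(rules, src, NTP_SERVER)}")
```

For a bound source of 192.168.1.21 both rule sets pick 192.168.1.1, which is exactly what the `ip route get from 192.168.1.21` check above reported, and for the VIP 64.211.224.162 both pick the upstream router, so LVS-DR replies are unaffected either way. The sets part company on every other source, 0.0.0.0 included: the original sends it to 64.211.224.161 with a private source address that the upstream is unlikely to forward, the swapped one sends it to the masquerading box. On a box whose only public addresses are the VIPs, routing the narrow /28 explicitly and letting everything else fall to the masq gateway is the safer default, and `ip route get <dst>` both with and without `from <addr>` is the two-line check that shows which table an unbound socket will land in.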