Joe,
----- Original Message -----
From: "Joseph Mack" <mack.joseph@xxxxxxx>
To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, January 19, 2001 3:00 PM
Subject: Re: Setting up a one network VS-NAT LVS
> Ivan Figueredo wrote:
> >
> > I also am not able to ftp to realserver from client.
>
> when you set up your masq rules with ipchains on the director,
> you probably masqueraded all ports. This means that any packets
> coming from the real-servers will be masqueraded, even if they
> aren't from services that have been LVS'ed on the way in.
I am beginning to get the hang of it. I see...
> Neat security feature huh? You can't connect to any services
> on the real-servers, except those that have been LVS'ed :-(
Yes!
> Instead for each service that is being LVS'ed, on the director you
> set up masquerading by running a line like this.
>
> director:# ipchains -A forward -p tcp -j MASQ -s realserver_name service -d 0.0.0.0/0
If I have already entered:
[root@wee2 httpd]# ipchains -A forward -j MASQ -s 192.168.168.0/24 -d 0.0.0.0/0
*and* I now enter your ipchains command above, will the new one override the
old one? Or do they both become in effect, matching the last one, etc?
> where service = telnet, http
>
> My configure script (on the web site) does this for you.
> It doesn't handle the 1 net VS-NAT LVS (yet). To do this
> you'll need to run the send_redirects on the director,
> and set up the routes on the real-servers(s) first.
I think I have already done this, as it was part of your e-mail that started
this thread, no?
Thx,
Ivan
> Joe
> --
> Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
> contractor to the National Environmental Supercomputer Center,
> mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
>
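Added example, not part of the original messages: a simplified Python model of how an ipchains chain is evaluated (rules are checked in order and the first matching rule decides), applied to the two kinds of MASQ rule discussed above. The real-server address 192.168.168.10, the port numbers and the ACCEPT chain policy are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One forward-chain rule: target plus source address/protocol/port match."""
    target: str
    src: str                      # source network in CIDR form
    proto: Optional[str] = None   # None matches any protocol
    sport: Optional[int] = None   # None matches any source port

    def matches(self, proto: str, src_ip: str, sport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.sport is not None and self.sport != sport:
            return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)


def verdict(chain, proto, src_ip, sport, policy="ACCEPT"):
    """Walk the chain top to bottom; the first match decides, else the policy."""
    for rule in chain:
        if rule.matches(proto, src_ip, sport):
            return rule.target
    return policy  # assumed chain policy for this illustration


REALSERVER = "192.168.168.10"  # constructed address inside 192.168.168.0/24
SERVICES = {"telnet": 23, "http": 80, "ftp": 21}

# The blanket rule already entered: masquerade everything from the subnet.
MASQ_ALL = Rule("MASQ", "192.168.168.0/24")
# Per-service rules for the LVS'ed services only (telnet, http).
PER_SERVICE = [Rule("MASQ", REALSERVER + "/32", "tcp", SERVICES[s])
               for s in ("telnet", "http")]


def reply_verdicts(chain):
    """Verdict for reply packets leaving the real-server from each service port."""
    return {name: verdict(chain, "tcp", REALSERVER, port)
            for name, port in SERVICES.items()}


# "-A" appends, so the blanket rule stays first and still matches every reply.
both_rules = [MASQ_ALL] + PER_SERVICE
# Chain containing only the per-service rules (blanket rule not present).
service_rules_only = list(PER_SERVICE)

if __name__ == "__main__":
    print("blanket + per-service:", reply_verdicts(both_rules))
    print("per-service only:     ", reply_verdicts(service_rules_only))
```

In this model the appended per-service rules are never reached while the blanket rule sits ahead of them; ftp replies stop being masqueraded only in the chain that lacks the blanket rule.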