Julian Anastasov wrote:
>
> Hello,
>
> On Thu, 1 Mar 2001, Joseph Mack wrote:
>
> > Julian Anastasov wrote:
> >
> > > > in 2.4.x VS-NAT, are all ports from the real-server masqueraded or only
> > > > the ports for the services that LVS is controlling?
> > >
> > > LVS masquerades only its connections, even in 2.2.
> >
> >
> > In 2.2.x, I setup VS-NAT by running ipvsadm commands for a service
> > and then a complementary ipchains command like
> >
> > ipchains -A forward -p tcp -j MASQ -s realserver_name service_name -d
> > 0.0.0.0/0
> >
> > to demasquerade the service.
>
> The above rule is used to masquerade and not to demasquerade.
> So, it is needed only when NAT-ed real servers are used. For DR you don't
> need it.
Yes, understood.
In 2.2.x if I was VS-NAT'ing http, then I would also run
ipchains -A forward -p tcp -j MASQ -s realserver_name http -d 0.0.0.0/0
to masquerade the http replies.
With this arrangement, telnet initiated from the real-server would go
out without being masqueraded.
> > Are you saying this wasn't necessary in 2.2.x?
>
> It is necessary in 2.2. But that does not mean LVS masquerades
> other connections. The ipchains rule in 2.2 simply feeds the LVS and
> the MASQ code with packets (it is in the FORWARD chain) while in 2.4
> LVS hooks in the FORWARDing to check the packets and eventually to
> masquerade them. The other packets are not masqueraded.
Are you saying that in 2.4.x if I setup VS-NAT for http, then
http will be masqueraded from the real-server without having
to run ipchains commands, but that other services are not affected.
ie telnet from the real-server will go out without masquerading?
> For 2.4
> netfilter NAT rules are needed to masquerade other connections,
> not related to LVS.
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
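
The director-side setup the exchange above describes, written out as an added example (this is an illustration added here, not code from the thread or from the LVS project): on a 2.4 director the per-service ipvsadm entries are what get masqueraded, and a separate netfilter NAT rule is what makes a real server's own outbound connections (the telnet case) leave masqueraded. The VIP, real-server addresses, network, interface name and service list are assumed; DRY_RUN=1 (the default) prints the commands instead of running them, so it can be read without root on a director.

```shell
#!/bin/sh
# Added example, not from the thread: VS-NAT director rules for a 2.4 kernel,
# showing which traffic LVS itself masquerades and which traffic needs an
# ordinary netfilter NAT rule. All addresses and names below are assumed.

VIP=10.0.0.1                        # virtual IP clients connect to (assumed)
RS_NET=192.168.1.0/24               # private real-server network (assumed)
RS_LIST="192.168.1.2 192.168.1.3"   # real servers behind the director (assumed)
OUT_IF=eth0                         # director's public interface (assumed)
DRY_RUN=${DRY_RUN:-1}               # 1 = print commands, 0 = execute them

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One LVS-NAT virtual service. The -m flag on each real server entry selects
# masquerading; only connections to VIP:port that LVS accepts are rewritten.
lvs_nat_service() {
    port=$1
    run ipvsadm -A -t "$VIP:$port" -s rr
    for rs in $RS_LIST; do
        run ipvsadm -a -t "$VIP:$port" -r "$rs:$port" -m
    done
}

# 2.4: LVS hooks the forwarding path itself, so no feed rule is needed for its
# own connections. A connection a real server opens on its own (telnet, DNS,
# package updates) is not an LVS connection and is left alone by LVS, so it
# needs a netfilter NAT rule to leave the director masqueraded.
non_lvs_masquerade() {
    run iptables -t nat -A POSTROUTING -s "$RS_NET" -o "$OUT_IF" -j MASQUERADE
}

# 2.2 counterpart, in the form quoted in the thread: the FORWARD-chain MASQ
# rule is what hands real-server packets for that service to the LVS/MASQ
# code. It is per service, so telnet from a real server is not covered by it.
legacy_22_rule() {
    port=$1
    for rs in $RS_LIST; do
        run ipchains -A forward -p tcp -j MASQ -s "$rs" "$port" -d 0.0.0.0/0
    done
}

# Full 2.4 director: forwarding on, one NAT'ed service, plus NAT for the rest.
director_24() {
    run sysctl -w net.ipv4.ip_forward=1
    lvs_nat_service 80
    non_lvs_masquerade
}

director_24
```

With DRY_RUN=0 the script must run as root on the director. The POSTROUTING MASQUERADE rule matches by source network rather than by service, which is the difference from the per-service ipchains rule of 2.2: it covers every connection the real servers originate, whether or not LVS knows about it.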