Hello,
On Thu, 1 Mar 2001, Joseph Mack wrote:
> > The above rule is used to masquerade and not to demasquerade.
> > So, it is needed only when NAT-ed real servers are used. For DR you don't
> > need it.
>
> yes understand
>
> In 2.2.x if I was VS-NAT'ing http, then I would also run
>
> ipchains -A forward -p tcp -j MASQ -s realserver_name http -d 0.0.0.0/0
>
> to masquerade the http replies.
Right.
> With this arrangement, telnet initiated from the real-server would go
> out without being masqueraded.
Yes.
> > > Are you saying this wasn't necessary in 2.2.x?
> >
> > It is necessary in 2.2. But that does not mean LVS masquerades
> > other connections. The ipchains rule in 2.2 simply feeds the LVS and
> > the MASQ code with packets (it is in the FORWARD chain) while in 2.4
> > LVS hooks in the FORWARDing to check the packets and eventually to
> > masquerade them. The other packets are not masqueraded.
>
> Are you saying that in 2.4.x if I set up VS-NAT for http, then
> http will be masqueraded from the real-server without having
> to run ipchains commands, but that other services are not affected,
> i.e. telnet from the real-server will go out without masquerading?
Nice feature :) LVS can work without ipchains -j MASQ or
iptables -t nat ... We need these NAT rules only to NAT other
traffic, in your case the telnet, which is not an LVS service.
> Joe
Regards
--
Julian Anastasov <ja@xxxxxx>
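The two situations contrasted in the message, as an added example that is not part of the original thread: the 2.2 ipchains MASQ rule that fed LVS-NAT replies for the LVS service, and the 2.4 netfilter rule that is needed only for traffic that is not an LVS service (telnet in Joe's case). The real-server address 192.168.1.2, the outside interface eth0 and the MASQUERADE target are constructed assumptions; the rule is deliberately scoped to one real server and one destination port so that nothing beyond the intended non-LVS traffic is masqueraded.

```shell
#!/bin/sh
# Added example, not code from the original message or from the LVS project.
# Constructed placeholder values: adjust to the director's real setup.
REALSERVER=${REALSERVER:-192.168.1.2}   # real server address (RIP)
OUT_IF=${OUT_IF:-eth0}                  # director's outside interface

# 2.2 kernels: LVS-NAT relied on an ipchains MASQ rule in the forward
# chain so the replies of the LVS service (here http) reached the MASQ code.
# $1 = real server, $2 = service port (name or number)
ipchains_22_rule() {
    echo "ipchains -A forward -p tcp -j MASQ -s $1 $2 -d 0.0.0.0/0"
}

# 2.4 kernels: LVS NATs its own service traffic in the FORWARD hook, so
# no rule is needed for the http service. A netfilter NAT rule is needed
# only for other traffic from the real server, scoped to that host and the
# destination port of the non-LVS service so nothing else is masqueraded.
# $1 = real server, $2 = destination port, $3 = outgoing interface
iptables_24_rule() {
    echo "iptables -t nat -A POSTROUTING -s $1 -p tcp --dport $2 -o $3 -j MASQUERADE"
}

# Print the 2.4 rule for outbound telnet from the real server, or apply it
# when APPLY=1 is set in the environment (dry run by default).
apply_telnet_nat() {
    cmd=$(iptables_24_rule "$REALSERVER" 23 "$OUT_IF")
    if [ "${APPLY:-0}" = 1 ]; then
        $cmd || return 1
    else
        echo "[dry-run] $cmd"
    fi
}

apply_telnet_nat
```

Run the script as-is to see the rule it would add; set `APPLY=1` on a 2.4 director to insert it. The LVS service itself (http here) gets no rule in either function for 2.4, which is exactly the point of the reply above.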