Thanks for the info. I've double checked a lot of things as a result of
this post and now have iptables running correctly. I'm also fairly confident
that the problem is in getting the RS's response back to the client. I'm
pretty sure I need a SNAT rule...
> is your default gw set for Masq? (read the HOWTO)
Okay, according to the HOWTO I need to set up a MASQ command (ipchains talk)
to allow my realservers to communicate with the outside world. Here's a
snippet:
----------------------------------------------------------------------------------
To get the packet from the director to the client, you have to reverse the
masquerading done by the LVS. To do this, on the director you add an
ipchains rule
director:# ipchains -A forward -p tcp -j MASQ -s realserver1 telnet -d
0.0.0.0/0
If the director has multiple IPs facing the outside world (eg
eth0=192.168.2.1 the regular IP for the director and eth0:1=192.168.2.110
the VIP), the masquerading code has to choose the correct IP for the
outgoing packet. Only the packet with src_addr=VIP will be accepted by the
client. A packet with any other src_addr will be dropped. The normal default
for masquerading (eth0) should not be used in this case. The required m_addr
(masquerade address) is the VIP.
---------------------------------------------------------------------------------
I'm using iptables though and I believe, from what I've read, that I
actually need a SNAT instead of MASQ...anyone good with iptables please
confirm. However, I'm not sure of the exact syntax to do this. I'm
assuming this is a pretty basic iptables thing but my attempts are not
working. I'm hoping someone else on this list has done this and knows how
this should read. I've tried several variations of what I think might
work but haven't been able to find any good examples of the SNAT syntax out
there.
Basically I need my RS1 and RS2 to SNAT to my VIP...these are all restricted
addresses:
RS1: 10.200.200.1
RS2: 10.200.200.2
VIP: 10.10.21.68
I'm using port 80 for web for this rule. I'm pretty sure my ipvsadm stuff
is all correct and that the problem is just getting the packets back to the
client. When my client tries to connect I see InActvConn go to 1 but it
times out after 1 minute.
Any advice on how to do this with iptables is greatly appreciated.
Mark
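Added example (not from the original message or from the LVS HOWTO): a small script for the director that builds the iptables equivalent of the HOWTO's ipchains MASQ rule, i.e. an SNAT rule in the nat table's POSTROUTING chain that rewrites replies coming from the real servers' port 80 so they leave with the VIP as source, plus matching FORWARD rules and a check that IP forwarding is on. The addresses and port are the ones given in the post; treating the real servers as a 10.200.200.0/24 subnet is an assumption, as is the choice to scope the rule to that subnet rather than to 0.0.0.0/0.

```shell
#!/bin/sh
# Added example for the director in the post (not the poster's or the LVS
# project's code). Addresses and port come from the post; the /24 real-server
# subnet is an assumption.
RS_NET="10.200.200.0/24"   # assumed subnet holding RS1 10.200.200.1 and RS2 10.200.200.2
VIP="10.10.21.68"          # VIP from the post
SERVICE_PORT="80"          # web service port from the post

# Build (but do not run) the SNAT rule: packets leaving the director that
# came from a real server's port 80 get the VIP as source address, which is
# the only source the client will accept. Scoped to the real-server subnet,
# not to 0.0.0.0/0, so unrelated hosts cannot borrow the VIP.
build_snat_rule() {
    echo "iptables -t nat -A POSTROUTING -s $RS_NET -p tcp --sport $SERVICE_PORT -j SNAT --to-source $VIP"
}

# Build the FORWARD-chain rules: requests to the real servers' service port
# in, and only reply traffic of tracked connections back out.
build_forward_rules() {
    echo "iptables -A FORWARD -d $RS_NET -p tcp --dport $SERVICE_PORT -j ACCEPT"
    echo "iptables -A FORWARD -s $RS_NET -p tcp --sport $SERVICE_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# The director must route between its two sides at all; returns 0 if
# net.ipv4.ip_forward is already enabled.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Enable forwarding if needed, apply the rules, then confirm the SNAT rule
# really landed in the nat table (the step that catches a typo'd -t/-A).
apply_and_verify() {
    forwarding_enabled || sysctl -w net.ipv4.ip_forward=1
    build_snat_rule | sh
    build_forward_rules | sh
    iptables -t nat -S POSTROUTING | grep -q -- "--to-source $VIP"
}

# Run as root on the director with "apply" to install the rules; with no
# argument the script only prints the rules it would add.
if [ "${1:-}" = "apply" ]; then
    apply_and_verify
else
    build_snat_rule
    build_forward_rules
fi
```

The real servers still need the director as their default gateway, otherwise their replies never reach the POSTROUTING chain where the rewrite happens; running the script without `apply` first and reading the printed rules is a cheap way to review the match fields before touching a live director.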