On Wed, 29 Aug 2001, Julian Anastasov wrote:
>
> Hello,
>
> On Wed, 29 Aug 2001, Pawel Kisiel wrote:
>
> > I have the direct routing from 10.10.0.0/24 to 10.10.1.0/24
> > and 1 real IP on LVS-NAT. I have mapped port using ipvsadm
>
> OK, the real question is: why do you need NAT? Forget it. Run
> LVS-DR instead. With a few settings (you are an iptables fan) you
> can hide your real servers from the other traffic and just
> allow access to the served ports. Then you will need the patch
> that allows the LVS box to be a gateway for the replies from
> the real servers; you need forward_shared-2.4.5-1.diff from
> http://www.linuxvirtualserver.org/~julian/
So you mean to use iptables to DNAT to the internal machines?
If so... I had problems with DNAT on iptables... it didn't
forward to the internal machines like it should...
I was doing something like this:

iptables -t nat -A PREROUTING -p tcp -d world_ip --dport 80 -j \
    DNAT --to 5.6.7.8:8080

?!?! Is it good? I think it should be good, but it didn't work :((
Does this patch solve problems with ARP in LVS-DR mode?
My machines that are hidden are Linux boxes and win2k... so will it work??
I know that with LVS-NAT it doesn't matter what kind of OSes I'm
using, but in the other ones it does!...
>
> This patch allows the director to forward packets with local source (VIP)
> when they come from the real servers (the input device).
My real server will still have a private range of IP addresses?
Am I right?
> Then you will have identical setup with LVS-NAT. I assume you filter the
> spoofed packets before the LVS box. If the LVS box is your firewall
> you have to use two switched hubs, to split the internal from the external
> networks. BTW, this is true even without using this patch. This patch
> does not require higher level of security compared to the normal DR
> or NAT setups.
The only change to the configuration will be to change the -m to -g?
>
> There are so many ways to break things. Really, I don't
> know what you have done. You have first -j MASQ for -s 10.10.1.0/24 port 80
> for example and then -j ACCEPT for -s 10.10.1.0/24? How do you control
> when to SNAT and when not to SNAT between these private networks? The
> LVS-NAT method you are using requires the packets to be NAT-ed in both
> directions. If you want to check everything you can start with
> tcpdump outputs on all hosts:
For FORWARDING:

iptables -A FORWARD -s 10.10.0.0/24 -d 10.10.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.10.1.0/24 -d 10.10.0.0/24 -j ACCEPT

For SNATing:

iptables -t nat -A POSTROUTING -s 10.10.1.0/24 -d ! 10.10.0.0/24 -j SNAT \
    --to world_ips

Correct me if I'm wrong with these rules...?
Pawel Kisiel
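Added example, not code from this thread or from the LVS project: a small constructed Python model of the two points Julian makes above. In LVS-NAT the reply must pass back through the director so it can undo the DNAT (with direct routing between the two private networks the reply bypasses the director and the client sees a packet from RIP:8080 that matches no socket); in LVS-DR the real servers answer from the VIP themselves, and when their default gateway is the director, the director must forward a packet whose source is one of its own addresses, which is what the forward_shared patch is described as permitting. The addresses, the port mapping 80 -> 8080 and the `forward_shared` flag are assumptions standing in for the thread's world_ip, the ipvsadm mapping and the kernel patch; the "stock kernel drops it" behaviour is modelled as a single check, not taken from kernel code.

```python
"""Constructed toy model (added example, not code from the thread or from LVS)
of why LVS-NAT needs both directions through the director, and what the
forward_shared patch permits in LVS-DR when the director is the gateway."""
from dataclasses import dataclass, replace
from typing import Optional

# Constructed addresses; 'world_ip' in the thread is represented here by VIP.
VIP, RIP, CLIENT = "10.10.0.1", "10.10.1.10", "10.10.0.50"
SERVICE_PORT, REAL_PORT = 80, 8080          # assumed ipvsadm port mapping 80 -> 8080


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Director:
    """Director holding VIP; the nat table models the connection entries LVS keeps."""

    def __init__(self, forward_shared: bool = False):
        self.nat = {}                      # (client, sport) -> (rip, rport)
        self.forward_shared = forward_shared   # stands in for the forward_shared patch
        self.local_addrs = {VIP}

    def nat_in(self, pkt: Packet) -> Packet:
        """LVS-NAT: rewrite destination VIP:80 to RIP:8080 and remember the mapping."""
        if pkt.dst == VIP and pkt.dport == SERVICE_PORT:
            self.nat[(pkt.src, pkt.sport)] = (RIP, REAL_PORT)
            return replace(pkt, dst=RIP, dport=REAL_PORT)
        return pkt

    def nat_out(self, pkt: Packet) -> Packet:
        """LVS-NAT reply path: only the director can undo the translation."""
        entry = self.nat.get((pkt.dst, pkt.dport))
        if entry == (pkt.src, pkt.sport):
            return replace(pkt, src=VIP, sport=SERVICE_PORT)
        return pkt

    def dr_in(self, pkt: Packet) -> Packet:
        """LVS-DR: the packet reaches the real server unchanged (it also holds VIP)."""
        return pkt

    def gateway(self, pkt: Packet) -> Optional[Packet]:
        """Real server uses the director as its gateway. A packet arriving from
        another host with one of the director's own addresses as source is dropped
        here unless forward_shared is on (modelled check, not kernel code)."""
        if pkt.src in self.local_addrs and not self.forward_shared:
            return None
        return pkt


def real_server_reply(pkt: Packet) -> Packet:
    """The real server answers from whatever address and port it was addressed on."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)


def client_accepts(pkt: Optional[Packet], sport: int) -> bool:
    """The client's socket only matches a reply from VIP:80 to its own port."""
    return pkt is not None and (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (
        VIP, SERVICE_PORT, CLIENT, sport)


def lvs_nat(reply_via_director: bool) -> bool:
    """LVS-NAT round trip; False when the reply is routed directly to the client."""
    d, sport = Director(), 40000
    rep = real_server_reply(d.nat_in(Packet(CLIENT, sport, VIP, SERVICE_PORT)))
    if reply_via_director:
        rep = d.nat_out(rep)
    return client_accepts(rep, sport)


def lvs_dr(forward_shared: bool) -> bool:
    """LVS-DR round trip with the director as the real server's gateway."""
    d, sport = Director(forward_shared), 40000
    rep = real_server_reply(d.dr_in(Packet(CLIENT, sport, VIP, SERVICE_PORT)))
    return client_accepts(d.gateway(rep), sport)


if __name__ == "__main__":
    print("LVS-NAT, reply via director     :", lvs_nat(True))    # True
    print("LVS-NAT, reply routed directly  :", lvs_nat(False))   # False
    print("LVS-DR, gateway without patch   :", lvs_dr(False))    # False
    print("LVS-DR, gateway + forward_shared:", lvs_dr(True))     # True
```

The second case is the one the FORWARD rules above create: with 10.10.0.0/24 and 10.10.1.0/24 routed directly, the real server's reply never revisits the director's NAT table, so the client receives a packet from RIP:8080 rather than from VIP:80.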