No problem.
I do believe you! :)
On Tue, 16 Oct 2001 13:08:44 +0300 (EEST)
Julian Anastasov <ja@xxxxxx> wrote:
:)
:) Hello,
:)
:)On Tue, 16 Oct 2001, Djamil ESSAISSI wrote:
:)
:)> :)> :)director# tcpdump -ln -i INDEV host CIP
:)
:) The device on which the request packet comes in from the client
:)
:)
:) The eth device where the IPIP packets go from director
:)to real server (may be eth0 again). If you have only one NIC everywhere
:)then replace them with eth0.
:)
:)> :) Do you have the tcpdump on OUTDEV? Your config looks ok but
:)> :)I'm still not sure where the traffic stops. You provide only trace
:)> :)from one point which is obvious to work.
:)>
:)> (*** just in case i'm wrong what do u mean by INDEV OUTDEV ?)
:)
:) eth0
:)
:)>
:)> :)
:)> :)> :)real server# tcpdump -ln -i IN_ETH host DIP
:)> :)> :)real server# tcpdump -ln -i tunl0 host CIP
:)> :)> :)real server# tcpdump -ln -i OUT_DEV host CIP
:)> :)> :)
:)> :)
:)> (*** here too)
:)>
:)> i've sent the only tcpdumps that actually got something !
:)
:) IPVS should generate IPIP packet:
:)
:) director# tcpdump -ln -i OUTDEV host RIP
:)
:) Then the IPIP packet from IPVS with saddr=DIP daddr=RIP
:)is not sent. Check your firewall.
:)
:) If in doubt, check LVS-TUN on a LAN. Then you will see how
:)the packets look. Then use the remote RIP again.
:)
:)> :) On the real server use:
:)> :)
:)> :)echo 1 > /proc/sys/net/ipv4/ip_forward
:)> :)echo 1 > /proc/sys/net/ipv4/conf/all/hidden
:)> :)echo 1 > /proc/sys/net/ipv4/conf/lo/hidden
:)> :)ifconfig lo:153 212.43.218.153 netmask 255.255.255.255 up
:)> :)
:)> :)# insert it if it is compiled as module:
:)> :)insmod ipip
:)> :)ifconfig tunl0 up
:)> :)
:)>
:)> now this is not like docs/examples say !
:)
:) You don't believe me :)
:)
:) It is in the html you posted first time:
:)http://www.linuxvirtualserver.org/VS-IPTunneling.html
:)
:) There is a similar example adding the VIP to the dummy0 device.
:)
:) Here is the exact example:
:)
:)---------------------------------------------------------
:) echo 1 > /proc/sys/net/ipv4/ip_forward
:) # insert it if it is compiled as module
:) insmod ipip
:) ifconfig tunl0 up
:) ifconfig dummy0 up
:) echo 1 > /proc/sys/net/ipv4/conf/all/hidden
:) echo 1 > /proc/sys/net/ipv4/conf/dummy0/hidden
:) ifconfig dummy0:0 172.26.20.110 up
:) route add -host 172.26.20.110 dev dummy0:0
:) ifconfig dummy0:1 <Another-VIP> up
:)---------------------------------------------------------
:)
:) I only changed it for you. As you see, there are no IPs on
:)tunl0. The kernel sends the IPIP traffic detected on eth0 for
:)decapsulation in tunl0 and then the sockets receive it from tunl0.
:)
:)> it doesn't say anything about ifconfig lo, nor ifconfig tunl0 up without an IP ?!
:)>
:)> and the hiding should not apply to my config ?!
:)
:) I already told you why it can apply: The RS's gateway may
:)not answer ARP "who has RSGW tell VIP". But it should if the normal
:)traffic with saddr=VIP is passed.
:)
:)> <<-- I'm not arguing with you, just telling you that I'm getting confused
:)! :) -->>
:)>
:)> :)To check whether packets with src=VIP exit from your RS's gateway
:)use
:)> :)something like:
:)> :)
:)> :)traceroute -n -s 212.43.218.153 192.252.175.157
:)> :)
:)>
:)> looks like we spotted "a" problem, this doesn't work, I'm gonna have
:)to play with the firewall again!
:)
:) Yes, you will not see traceroute print the hops, but
:)with tcpdump you should be able to detect whether traceroute's packets reach
:)the client. Wait for traceroute to send packets with a big enough IP TTL (30
:)lines with stars) and at the same time run tcpdump on the client:
:)
:)client# tcpdump -n host VIP
:)
:) If the client sees packets in the form Proto=UDP saddr=VIP
:)daddr=CIP, then your RS's ISP allows spoofed traffic with src=VIP.
:)You already know that the client sends all traffic to VIP to the
:)director, so you should not expect the ICMP replies from the client to
:)reach the real server and make your traceroute happy.
:)
:) That's all you need to check. Now you can reread the thread.
:)Then we can talk again about any LVS-TUN settings.
:)
:)> yup, thank god we don't really depend on an ISP, we're hooked to the
:)bone in a datacenter ... we control all our stuff ... so it's a matter of
:)some time ....
:)>
:)> thank you again for the help ....
:)>
:)> I'm following this mailing list very closely as I discover how
:)privileged we are in doing this good stuff.
:)>
:)> grutz.
:)>
:)> Dj
:)
:)Regards
:)
:)--
:)Julian Anastasov <ja@xxxxxx>
:)
:)
:)_______________________________________________
:)LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
:)Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
:)or go to http://www.in-addr.de/mailman/listinfo/lvs-users
:)
--
Djamil ESSAISSI
Tel:01.58.64.22.44 - Fax:01.58.64.26.81
System Administrator / Technical Support
www.francexpress.com - www.serveur-express.com
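The packet path Julian describes in the quoted message (IPVS on the director wraps the client's CIP->VIP packet in an outer DIP->RIP IPv4 header with protocol 4, tunl0 on the real server unwraps it, and the inner packet is delivered only if VIP is a local address, with the reply leaving directly with saddr=VIP) modelled in Python as an added example; it is not code from the thread or from LVS. The VIP and client address come from the thread; 10.0.0.1 (DIP) and 10.0.1.5 (RIP) are constructed placeholders.

```python
import socket
import struct

def _csum(data: bytes) -> int:
    """RFC 1071 Internet checksum (returns 0 when run over a header whose checksum is already filled in)."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header, no options, checksum computed."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _csum(hdr)) + hdr[12:]

def ipip_encapsulate(inner: bytes, dip: str, rip: str) -> bytes:
    """What IPVS does on the director in LVS-TUN: the untouched client packet
    (CIP -> VIP) becomes the payload of an outer DIP -> RIP packet, protocol 4 (IPIP).
    This outer packet is what 'tcpdump -ln -i OUTDEV host RIP' should show."""
    return ipv4_header(dip, rip, 4, len(inner)) + inner

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject a corrupt header."""
    ihl = (pkt[0] & 0x0F) * 4
    if _csum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:])

def real_server_receive(pkt: bytes, local_addrs):
    """Model the real server: eth0 receives the outer packet, tunl0 (which needs no
    address of its own) strips it, and the inner packet is accepted only if its
    destination (VIP) is configured locally, e.g. on a hidden dummy0/lo alias.
    Returns (accepted, reply_src, reply_dst): the reply goes straight to the client
    with saddr=VIP, which is why the RS's gateway/ISP must pass src=VIP traffic."""
    _, _, proto, inner = parse_ipv4(pkt)
    if proto != 4:                       # not IPIP: tunl0 never sees it
        return (False, None, None)
    cip, vip, _, _ = parse_ipv4(inner)
    if vip not in local_addrs:           # VIP not local: packet is not for us
        return (False, None, None)
    return (True, vip, cip)

if __name__ == "__main__":
    inner = ipv4_header("192.252.175.157", "212.43.218.153", 17, 8) + bytes(8)  # constructed UDP stub
    pkt = ipip_encapsulate(inner, "10.0.0.1", "10.0.1.5")
    print("director OUTDEV:", parse_ipv4(pkt)[:3])                     # ('10.0.0.1', '10.0.1.5', 4)
    print("RS with VIP    :", real_server_receive(pkt, {"10.0.1.5", "212.43.218.153"}))
    print("RS without VIP :", real_server_receive(pkt, {"10.0.1.5"}))  # (False, None, None)
```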