Topology:
[Master DNS Server]
|
{Internet}
|
[Router]
| 65.172.141.1
|
| eth0 65.172.141.3
[IPVS Firewall] RH72 (patched 2.4.16 and default RH 2.4.7-10)
| eth1 172.16.1.3
|
| eth0 172.16.1.8
[Slave DNS Server] (BIND 9.2.0)
Firewall has a default gateway of 65.172.141.1.
Slave DNS server has a default gateway of 172.16.1.3.
There are no other systems on that network yet.
IPVS Netfilter 0.8.2 stable patch compiled into the 2.4.16 kernel.
IPVS Admin 1.17 stable.
The setup script I'm using to do my test setup:
Script Start (excluding any word wrap)
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
#!/bin/sh
# Flush all rules and user-defined chains and set every built-in chain
# to ACCEPT, so the test starts from a clean, permissive state.
iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# Forward traffic from the inside network (eth1) out to anywhere.
# Each rule is a single line; the conntrack state is spelled RELATED.
iptables -t filter -A FORWARD -p all -i eth1 -s 172.16.1.0/24 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# ACCEPT in the nat table only means "apply no NAT to this connection";
# nat chains see the first packet of each connection only.
iptables -t nat -A PREROUTING -p all -i eth1 -s 172.16.1.0/24 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Masquerade inside->outside traffic leaving on eth0 behind the firewall's outside address.
iptables -t nat -A POSTROUTING -p all -o eth0 -s 172.16.1.0/24 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
# vvv - also tried and failed - vvv
#iptables -t filter -A FORWARD -p all -i eth1 -s 172.16.1.0/24 -d 0/0 -j ACCEPT
#iptables -t nat -A PREROUTING -p all -i eth1 -s 172.16.1.0/24 -d 0/0 -j ACCEPT
#iptables -t nat -A POSTROUTING -p all -o eth0 -s 172.16.1.0/24 -d 0/0 -j MASQUERADE
# Bring up the virtual IP (VIP) as an alias on the outside interface.
ifconfig eth0:8 65.172.141.8 netmask 255.255.255.0 -broadcast 65.172.141.0
# Just to make sure things are clean: delete any existing virtual services.
ipvsadm -D -u 65.172.141.3:53
ipvsadm -D -u 65.172.141.8:53
ipvsadm -D -t 65.172.141.3:53
ipvsadm -D -t 65.172.141.8:53
# TCP test for outside connections.
# Does not affect inside->outside TCP connections.
ipvsadm -A -t 65.172.141.8:53 -s wlc
ipvsadm -a -t 65.172.141.8:53 -r 172.16.1.8:53 -m
ipvsadm -A -u 65.172.141.8:53 -s wlc
# vvv - non-ipvs udp inside->outside fails when this line added - vvv
ipvsadm -a -u 65.172.141.8:53 -r 172.16.1.8:53 -m
# Show me the resulting IPVS table.
ipvsadm -Ln
End script^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
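A small rule linter, added here as an example and not part of the poster's script, that catches the two defects a reader is likely to hit when pasting a word-wrapped ruleset like the one above: a misspelled conntrack state ("RELATE" instead of "RELATED", which iptables rejects, so the rule never loads) and a rule cut in two at the mail wrap so that its "-j" target is lost. The rule lines it checks are taken from the script above; the functions state_ok, check_rule and lint_demo are mine and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not the poster's script: lint iptables rule lines for
# (1) conntrack state names iptables does not know and (2) appended
# rules that lost their "-j TARGET" to a line wrap.

# State names accepted by "-m state --state" (iptables 1.2.x).
VALID_STATES="NEW ESTABLISHED RELATED INVALID"

# state_ok NAME -> exit 0 if NAME is a valid conntrack state, 1 otherwise.
state_ok() {
    for s in $VALID_STATES; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# check_rule "iptables ..." -> exit 0 if the rule looks loadable,
# 1 if not; problems are reported on stderr.
check_rule() {
    rule=$1
    rc=0
    # Pull the comma-separated list after --state, if any, and check each name.
    states=$(printf '%s\n' "$rule" | sed -n 's/.*--state \([A-Za-z,]*\).*/\1/p')
    if [ -n "$states" ]; then
        for st in $(printf '%s\n' "$states" | tr ',' ' '); do
            state_ok "$st" || { echo "bad state '$st' in: $rule" >&2; rc=1; }
        done
    fi
    # Every rule appended with -A needs a jump target; a wrapped line has none.
    case $rule in
        *" -A "*)
            case $rule in
                *" -j "*) ;;
                *) echo "no -j target (wrapped line?) in: $rule" >&2; rc=1 ;;
            esac ;;
    esac
    return $rc
}

# lint_demo: run check_rule over a constructed sample of three lines
# (the first FORWARD rule as it arrives word-wrapped, a rule with the
# misspelled state, and a correct rule) and print how many failed.
lint_demo() {
    bad=0
    while IFS= read -r line; do
        check_rule "$line" || bad=$((bad + 1))
    done <<'EOF'
iptables -t filter -A FORWARD -p all -i eth1 -s 172.16.1.0/24 -d 0/0 -m
iptables -t nat -A POSTROUTING -p all -o eth0 -s 172.16.1.0/24 -d 0/0 -m state --state NEW,ESTABLISHED,RELATE -j MASQUERADE
iptables -t nat -A POSTROUTING -p all -o eth0 -s 172.16.1.0/24 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
EOF
    echo "rules with problems: $bad"
    return 0
}

lint_demo
```

Worth running against each line of a saved script before loading it: because the FORWARD policy above is ACCEPT, a FORWARD rule that fails to load is masked and nothing looks wrong, whereas a POSTROUTING MASQUERADE rule that fails to load means inside->outside packets leave eth0 with their private 172.16.1.x source address and get no replies.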
Issue:
I'm trying to set up a clustered DNS server using NAT (keeping it simple
first, though).
My name servers behind the IPVS Firewall will be slave servers for the time
being.
My problem is that with the "ipvsadm -a -u 65.172.141.8:53 -r 172.16.1.8:53
-m" statement in place, the slave DNS server cannot do zone transfers from
the master DNS server. If I execute the script without that line, the
slave DNS server will do zone transfers without any problems, so
connectivity is working properly (but without that line I have no
clustering abilities nor outside access).
It appears that all outgoing UDP packets (not incoming through the VIP
address) get dropped when the "ipvsadm -a -u 65.172.141.8:53 -r
172.16.1.8:53 -m" line is in place. TCP connections from the slave DNS
server going out seem to work fine, though.
I would not expect this to happen, as IPVS is supposed to work with the
connections table and not do anything that is not in the IPVS table???
Can someone help me with this?
Thx/B++