LinuxVirtualServer as firewall

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: LinuxVirtualServer as firewall
From: Josep Llaurado Selvas <darlock@xxxxxxxxx>
Date: 25 Mar 2002 16:53:45 +0100
Hi all, 

I'm trying to create a 'virtual-firewall' using linuxvirtualserver with
the following config: 

FW1 - r2d2 - DIP -
FW2 - c3po -     -
LVS -            -

   |         | 
  r2d2      c3po
  FW1       FW2 
   |         | 
Internet    Internet 

In a first step I'm using the FW1 as DIP and FW1 and FW2 as
real-servers. I'm trying to configure it following an appendix in the
LinuxVirtualServer FAQ, but I have no luck.

I'm not using the rc.lvs_dr, 'cos it doesn't match the Firewall approach
I need, but using commands from it I have created a shell script as
# IPVS link up script

# Enabling ICMP Redirect requests
echo "1" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "1" > /proc/sys/net/ipv4/conf/default/send_redirects
echo "1" > /proc/sys/net/ipv4/conf/eth0/send_redirects

# Enabling eth0:30
/sbin/ifconfig eth0:30 broadcast lvs netmask
/sbin/route add -host dev eth0:30

# Mask == 1
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s -j MARK --set-mark 1

# Now, set up a virtual service to act on the marked packets
ipvsadm -D -f 1
ipvsadm -d -f 1 -r
ipvsadm -d -f 1 -r

ipvsadm -A -f 1 -s rr
ipvsadm -a -f 1 -r -g -w 1
ipvsadm -a -f 1 -r -g -w 1

I have the as LVS, using 192.168.15 and as
real-servers, aka firewalls, with a Round-Robin scheduler, and I have
added the mangle rule to mark with 0x1 the packets from my Intranet.

The ipvsadm output is:
IP Virtual Server version 1.0.0 (size=32768)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  1 rr
  -> r2d2.gaia:0                  Local   1      0          0         
  -> c3po.gaia:0                  Route   1      0          0         

In a testing client machine I get the following routing table:
jllaurado@jllaurado:~$ sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface   U     0      0        0
eth0         UG    0      0        0

Well, my problem is that I can't get connections to the routed firewall; all
the connections are through the FW1 (the DIP), and the ipvsadm shows 0

What am I doing wrong? Is this use of LinuxVirtualServer correct, or is
it well implemented? Or am I a fool and I don't understand anything about
this software? (I know I'm not an expert :-)


Josep Llauradó Selvas                   darlock@xxxxxxxxx
              Linux Registered User #153481
The only "intuitive" interface is the nipple.
After that, it's all learned.
(in comp.os.linux.misc, on X interfaces.)
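A check for the symptom described in the mail above, added here as an example and not part of the original post or of the LVS project: it parses `ipvsadm -L` output in the format shown above (a constructed sample, with connection counts given to r2d2 so the comparison means something) and reports real servers that have received no connections while a sibling in the same service has. It also handles TCP and UDP virtual services, not only firewall-mark (FWM) ones.

```shell
#!/bin/sh
# Constructed sample of `ipvsadm -L` output, modelled on the listing in the mail.
SAMPLE_IPVSADM='IP Virtual Server version 1.0.0 (size=32768)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  1 rr
  -> r2d2.gaia:0                  Local   1      3          5
  -> c3po.gaia:0                  Route   1      0          0'

# Read ipvsadm -L output on stdin and print one line per real server:
#   "<service> <real_server> <forward> <active> <inactive>"
# A service line starts with FWM, TCP or UDP; real-server lines start with "->".
ipvs_real_servers() {
    awk '
        $1 == "FWM" || $1 == "TCP" || $1 == "UDP" { svc = $1 ":" $2; next }
        $1 == "->" && $2 != "RemoteAddress:Port"   { print svc, $2, $3, $5, $6 }
    '
}

# Print "<service> <idle real servers>" for every service where at least one
# real server shows 0 ActiveConn and 0 InActConn while the service as a whole
# has seen traffic: the scheduler is not spreading connections across members.
ipvs_idle_real_servers() {
    ipvs_real_servers | awk '
        {
            total[$1] += $4 + $5
            if ($4 + $5 == 0) idle[$1] = idle[$1] " " $2
        }
        END { for (s in idle) if (total[s] > 0) print s, substr(idle[s], 2) }
    '
}

# Stand-alone run over the constructed sample; on a director, pipe the real
# thing instead: ipvsadm -L | ipvs_idle_real_servers
printf '%s\n' "$SAMPLE_IPVSADM" | ipvs_idle_real_servers
```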

