hi gang,
I want to do the following: from a certain known source ip/netblock,
redirect packets that are destined to the VIP to a different server. My
example use is to redirect requests for port 80 from corp to our staging
server instead of production.
I had thought this would be a simple matter of adding an ipchains redirect
rule prior to VIP rules, but it appears that somewhere along the way there
is a problem. tcpdumps seem to not log anything.
a little more concretely, here is my vision ...
1.) client requests connection:
50.50.50.50 (corp) -> 100.100.100.100:80 (VIP-production)
2.) LVS (active) box follows matching IP rule and redirects to port 81
VIP:80 -> VIP:81
3.) LVS new VIP that I have set up follows its configuration and sends client
to staging server
VIP:81 -> VIP:81 @ staging box (staging is 100.100.100.105)
4.) Staging server redirects to port 80 local
VIP:81 -> Staging:80
5.) Normal handshaking occurs, etc.
I have verified up to step #2 through ipchains -L -nv packet counting of
each rule. I can't seem to verify anything further via tcpdump. I believe
the problem is one of two possibilities:
a.) LVS is somehow taking control of the packet before redirect statement
b.) my redirect statement on the LVS-director is somehow wrong. Here it is:
/sbin/ipchains -A input -i eth1:0 -j REDIRECT 81 -s $CORP -d $VIP 80 -p tcp
Can I solve this problem with packet marking? I have a setup in production
(keepalived, mon, transparent redirects on application servers) and I would
rather not modify if possible.
Thanks!
Peter
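The two designs under discussion above (REDIRECT corp traffic to a second VIP:81 service, versus marking corp packets and binding the mark to a fwmark virtual service) modelled as a small first-match rule engine, as an added example that is not part of Peter's post or of the LVS/ipchains code. It assumes a corp netblock of 50.50.50.0/24 around the 50.50.50.50 client, a production real server at 100.100.100.101, and mark value 1; the staging address 100.100.100.105 and the VIP come from the post. The model says nothing about where the LVS hook sits relative to the input chain in the kernel, which is the open question in the post; it only shows what each policy resolves to when the chain does run first.

```python
"""Constructed model of an ipchains input chain (first match wins) feeding an
LVS virtual-service table keyed by VIP:port or by firewall mark.
Added illustration only; addresses other than the VIP and staging box are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

VIP = "100.100.100.100"          # from the post
STAGING = "100.100.100.105"      # from the post
PRODUCTION = "100.100.100.101"   # assumed production real server
CORP_NET = "50.50.50.0/24"       # assumed netblock containing 50.50.50.50


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    mark: int = 0


@dataclass
class Rule:
    """One input-chain rule; None in a match field means 'any' (like omitting -s/-d/-p)."""
    target: str                   # "REDIRECT" (-j REDIRECT port) or "MARK" (-m value)
    arg: int                      # redirect port or mark value
    src: Optional[str] = None     # -s netblock
    dst: Optional[str] = None     # -d address
    dport: Optional[int] = None   # destination port
    proto: Optional[str] = None   # -p

    def matches(self, pkt: Packet) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and pkt.dst != self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        return True


def run_input_chain(rules: List[Rule], pkt: Packet) -> Packet:
    """Apply the first matching rule only, as an ipchains chain does; returns a copy."""
    out = Packet(**vars(pkt))
    for rule in rules:
        if rule.matches(out):
            if rule.target == "REDIRECT":
                out.dport = rule.arg      # local redirect changes the destination port
            elif rule.target == "MARK":
                out.mark = rule.arg       # mark travels with the skb, headers unchanged
            break
    return out


Services = Dict[Tuple, str]


def lvs_lookup(services: Services, pkt: Packet) -> Optional[str]:
    """Resolve a packet to a real server. The fwmark table is consulted before the
    (vip, port) table, which is the order this model assumes for ipvsadm -f services."""
    if pkt.mark and ("fwmark", pkt.mark) in services:
        return services[("fwmark", pkt.mark)]
    return services.get((pkt.dst, pkt.dport))


# Design A, as described in the post: redirect corp traffic to VIP:81 and run a
# second virtual service on VIP:81 that points at the staging box.
REDIRECT_RULES = [Rule("REDIRECT", 81, src=CORP_NET, dst=VIP, dport=80, proto="tcp")]
PORT_SERVICES: Services = {(VIP, 80): PRODUCTION, (VIP, 81): STAGING}

# Design B, the packet-marking question: mark corp traffic and bind the mark to a
# fwmark virtual service; the existing VIP:80 service is left untouched.
MARK_RULES = [Rule("MARK", 1, src=CORP_NET, dst=VIP, dport=80, proto="tcp")]
MARK_SERVICES: Services = {("fwmark", 1): STAGING, (VIP, 80): PRODUCTION}


def real_server_for(rules: List[Rule], services: Services, src: str) -> Optional[str]:
    """Real server chosen for a TCP SYN from `src` to VIP:80 under the given policy."""
    pkt = Packet(src=src, dst=VIP, dport=80)
    return lvs_lookup(services, run_input_chain(rules, pkt))


if __name__ == "__main__":
    for name, rules, services in (("redirect", REDIRECT_RULES, PORT_SERVICES),
                                  ("fwmark", MARK_RULES, MARK_SERVICES)):
        for client in ("50.50.50.50", "8.8.8.8"):
            print(f"{name:8s} {client:>12s} -> {real_server_for(rules, services, client)}")
```

Counting hits per rule (the equivalent of `ipchains -L -nv`) tells you only that the chain saw the packet; whether LVS honours the rewritten port or the mark is exactly what the model cannot decide, so the fwmark variant is worth preferring on the grounds that it leaves the VIP:80 service and the packet headers alone.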