Here is what my lvs-dr setup looks like:
                | clients |
                    |
                | router | (running SNAT)
                    |
          VIP=192.168.1.110 (eth0, arps)
                    |
                | director |
                    |
          DIP=10.1.1.1 (eth1, arps)
                    |
   -------------------------------------
   |                 |                 |
RIP1=10.1.1.2     RIP2=10.1.1.3     RIP3=10.1.1.4     (eth0)
VIP=192.168.1.110 VIP=192.168.1.110 VIP=192.168.1.110 (all lo:0, can arp)
| realserver |    | realserver |    | realserver |
   |                 |                 |
(router)          (router)          (router)
   |                 |                 |
----------------------------------------------> to client
Some incoming traffic from clients needs to bypass the LVS and go directly to
one or another realserver. I am doing this by assigning a unique port number
to each realserver and then using iptables DNAT to redirect accordingly:
    server         port
    realserver1    9001
    realserver2    9002
    realserver3    9003
The catch is this: for logistical reasons I want to run this rule on the
director, NOT on the router. So I put this ruleset on the router:
    $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9001 -j DNAT --to <director>
    $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9002 -j DNAT --to <director>
    $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9003 -j DNAT --to <director>
where <director> can be either the VIP or the DIP
On the director I want to run the DNAT redirect:
    $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9001 -j DNAT --to realserver1
    $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9002 -j DNAT --to realserver2
    $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9003 -j DNAT --to realserver3
Yet this is not working. It does work if I move the last 3 rules onto the
router. I am trying to figure out why and if there is a way to have the
director do the redirecting.
--
Daniel O'Neill
Systems Engineer
djoneill@xxxxxxxxxxxxxxxxx
415.644.9600 ext. 238 tel.
415.644.0015 fax