Re: Redirecting with iptables/DNAT on director with lvs-dr

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: Redirecting with iptables/DNAT on director with lvs-dr
From: "Daniel O'Neill" <djo@xxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 27 Jun 2002 11:14:30 -0700
One note on this: this would be a not untypical setup for anyone who is running 
at a colo and, in addition to load-balanced services, also needs clients to 
connect to specific realservers.  In this case we only want the colo to forward 
a live IP address to our VIP, and from there we should be able to take over 
with our own redirect rules.

I will keep experimenting with this.  


On Mon, Jun 24, 2002 at 05:48:15PM -0700, djo@xxxxxxxxxxxxxxxxxxxxxx wrote:
> Here is what my lvs-dr setup looks like:
> 
>                        | clients |
>                            |
>                        | router | (running SNAT)
>                            |
>                  VIP=192.168.1.110 (eth0, arps)
>                          |
>                      | director |
>                          |
>                      DIP=10.1.1.1 (eth1, arps)
>                            |
>           -------------------------------------
>           |                |                  |
>    RIP1=10.1.1.2     RIP2=10.1.1.3     RIP3=10.1.1.4 (eth0)
>    VIP=192.168.1.110 VIP=192.168.1.110 VIP=192.168.1.110 (all lo:0, can arp)
>   | realserver  |   | realserver  |    | realserver  |
>           |                |                  |
>       (router)          (router)           (router)
>           |                |                  |
>           ----------------------------------------------> to client
> 
> Some incoming traffic from clients needs to bypass the LVS and go directly to 
> one or another realserver.  I am doing this by assigning a unique port number 
> to each realserver and then using iptables DNAT to redirect accordingly:
> 
> server                        port
> 
> realserver1           9001
> realserver2           9002
> realserver3           9003
> 
> The catch is this: for logistical reasons I want to run this rule on the 
> director, NOT on the router.  So I put this ruleset on the router:
> 
> $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9001 -j DNAT --to <director>
> $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9002 -j DNAT --to <director>
> $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9003 -j DNAT --to <director>
> 
> where <director> can be either the VIP or the DIP
> 
> 
> On the director I want to run the DNAT redirect:
> 
> $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9001 -j DNAT --to realserver1
> $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9002 -j DNAT --to realserver2
> $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 9003 -j DNAT --to realserver3
> 
> Yet this is not working.  It does work if I move the last 3 rules onto the 
> router.  I am trying to figure out why and if there is a way to have the 
> director do the redirecting.
> 
> -- 
> Daniel O'Neill
> Systems Engineer
> djoneill@xxxxxxxxxxxxxxxxx
> 415.644.9600 ext. 238 tel.
> 415.644.0015 fax
> 
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users

-- 
Daniel O'Neill
Systems Engineer
djoneill@xxxxxxxxxxxxxxxxx
415.644.9600 ext. 238 tel.
415.644.0015 fax
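Editor's note, added to this archived thread and not part of either message: the behaviour Daniel describes (DNAT works on the router, fails on the director) is what stateful DNAT does when the reply path does not pass back through the box that rewrote the destination. Netfilter un-translates a reply only if it sees the reply; in LVS-DR the realserver answers the client directly, so the director never sees the SYN/ACK and the client receives it from the RIP rather than the VIP:port it connected to. The toy model below reproduces that with the addresses from the posted diagram. It is an added illustration, not the thread's own code, and it assumes the router is on both the forward and the return path while the director is on the forward path only, ignores the router's SNAT, and uses a constructed client address.

```python
# Added example (not from the thread): a toy model of stateful DNAT showing why
# the posted rules work on the router but not on the director under LVS-DR.
# Assumptions: the router sits on both directions of the flow; in LVS-DR the
# director sees only client->realserver packets and realservers answer the
# client directly. The router's SNAT is left out. Addresses come from the
# posted diagram; the client address is constructed.
from dataclasses import dataclass

VIP = "192.168.1.110"
DIP = "10.1.1.1"
RIP1 = "10.1.1.2"
CLIENT = "203.0.113.7"      # constructed client address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class DnatBox:
    """One netfilter hop: a PREROUTING DNAT table keyed on destination port,
    plus a conntrack-style reverse map that un-translates matching replies."""

    def __init__(self, rules):
        self.rules = rules          # {dport: new destination address}
        self.conntrack = {}         # expected reply 4-tuple -> original dst

    def forward(self, pkt):
        new_dst = self.rules.get(pkt.dport)
        if new_dst is None:
            return pkt
        # Remember the reply tuple we expect so the answer can be mapped back.
        self.conntrack[(new_dst, pkt.dport, pkt.src, pkt.sport)] = pkt.dst
        return Packet(pkt.src, pkt.sport, new_dst, pkt.dport)

    def reply(self, pkt):
        orig_dst = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig_dst is None:
            return pkt              # unknown flow: passes through untouched
        return Packet(orig_dst, pkt.sport, pkt.dst, pkt.dport)


def realserver_answers(pkt):
    """The realserver replies (SYN/ACK) to exactly the tuple it received."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def client_accepts(syn, reply):
    """A TCP client matches a SYN/ACK only against the 4-tuple it opened."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
           (syn.dst, syn.dport, syn.src, syn.sport)


def simulate(forward_hops, return_hops):
    """Push one SYN through the forward hops, answer it, and push the reply
    through the return hops. Returns (reply as the client sees it, accepted)."""
    syn = Packet(CLIENT, 40000, VIP, 9001)
    pkt = syn
    for hop in forward_hops:
        pkt = hop.forward(pkt)
    pkt = realserver_answers(pkt)
    for hop in return_hops:
        pkt = hop.reply(pkt)
    return pkt, client_accepts(syn, pkt)


def scenario_posted():
    """Router DNATs 9001 to the director (DIP), director DNATs on to
    realserver1; the LVS-DR return path bypasses the director."""
    router, director = DnatBox({9001: DIP}), DnatBox({9001: RIP1})
    return simulate([router, director], [router])


def scenario_rules_on_router():
    """The 9001 rule moved onto the router, which sees both directions."""
    router = DnatBox({9001: RIP1})
    return simulate([router], [router])


def scenario_symmetric_return():
    """Same two-stage DNAT as posted, but with the director also on the
    return path (as it would be if replies were routed back through it)."""
    router, director = DnatBox({9001: DIP}), DnatBox({9001: RIP1})
    return simulate([router, director], [director, router])


if __name__ == "__main__":
    for name, fn in [("posted", scenario_posted),
                     ("rules on router", scenario_rules_on_router),
                     ("symmetric return", scenario_symmetric_return)]:
        reply, ok = fn()
        print(f"{name:17s} client sees SYN/ACK from {reply.src}:{reply.sport}"
              f" -> {'accepted' if ok else 'dropped'}")
```

In the posted layout the client gets its SYN/ACK from 10.1.1.2:9001 and discards it; with the rule on the router (or with the director on the return path) the reply is rewritten back to 192.168.1.110:9001 and the handshake completes. The same asymmetry is worth remembering when reviewing NAT rules on a DR director for any reason: a DNAT whose replies never come back through the director silently breaks every matched connection rather than failing loudly.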

