Matt.Gregory@xxxxxxxxx wrote:
>
> Dr. Mack,
> You missed the second part of my email :-)
we've been through several iterations of this and I can't remember
which parts have been solved. I thought I'd get the basics down. sorry.
> While I can move the ip command and reconfigure, is this the best option?
it will depend on what else you're doing. The script is fairly simple minded
and assumes that the only thing running on the director/realservers is the LVS.
I realise this assumption fails if something else has filter rules etc running,
but until I get a lot of time to think of a scheme that will be compatible
with another unknown set of filter rules, this is what there is.
If you want to setup a bare bones LVS, with nothing fancy, then use the
shell scripts in the mini-HOWTO. The realservers will be fully exposed
to the internet then, and you can add your own rules for the vpn.
> I like the direct routing rules being used, and if I can modify them some
> to keep the routing the same except for firewall/vpn traffic, I would be
> happy.
>
> It looks like the 3-tier setup is indeed what I need to implement. I have
> read through the link you sent and I am trying to understand everything
> that is happening here. (I'm a java programmer by trade, not a network
> admin so this stuff is pretty knew to me.)
well I know nothing about java...
the 3-tier bit is if you have clients on the realservers that need to connect
to servers somewhere else. If you have servers listening on the RIP that
aren't a part of the LVS, and you want external clients to connect
directly to them, then my script will stop this (as a sercurity precaution).
> You say in the howto: "Here's a standalone version of the code in the
> configure script that marks the packets." Does that mean I need to modify
> this script for my config and...
> A) Replace the rc.lvs_dr configure script with the output
> B) This script *is* the replacement for the rc.lvs_dr script
> C) I'm all wrong and I need to be doing something else...
I think none-of-the-above. I wrote a shell script which marks the 3-tier
packets (packets from the RIP to the servers you're going to allow connections
to).
I just put this in as a subroutine in the configure script.
I haven't released the version of the configure script which does this
(it's 0.9.4). It works fine for one tester, another tester is still working
on it. I'm happy to send you this code if you like.
> > does your DR LVS work
>
> Yes, it works great. The problem is that I need to have a remote mon
> server monitor my realservers for DNS failover through a VPN tunnel.
just checking: some external machine is querying through a VPN the output of
monitors running on
the realservers? no,no, a monitor running on an external machine is doing DNS
queries through a VPN to the realservers?
so the realservers need to make DNS queries to external root-servers (or
whatever)?
this is a 3-tier situation: you allow the realservers to connect to 0/0:53
still you have to connect through the VPN. What ports are involved in the VPN?
> I
> have mon keeping track inside of the remote datacenter and fixing some
> problems, but if the network or firewall tanks the remote mon server will
> switch the ips in the alternate DNS for realtime failover to another
> datacenter. I can't monitor anything on the realservers through the VPN
> tunnel remotely unless I can reach the realservers via VPN/NAT from the
> firewall.
Also, It would be nice to be able to use CPAN from the
> realservers when I am doing updates,
you want to ftp to CPAN from the RIPs, this is a 3-tier situation: you allow
your realservers to connect to CPAN_server:20 CPAN_server:21
> I like to use Webmin for some of the
> common remote configuration, and to top it all off it's just a real pain to
> have to ssh into the director and the ssh into the realservers instead of
> being able to ssh directly to the realservers. I'm not really concerned
> about the security issue since all the servers are behind a secure firewall
> which is also monitoring network traffic for abuse.
hmm, you're going to have to do a whole lot of dismantling of the rules
that the configure script has set up.
For what you want it might just be easier to modify the shell scripts in
the mini-HOWTO. That will give you a completely open system.
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
|