I ran a few tcpdump commands and was able to determine that packets were
getting delivered to serverA. It was sending reply packets to clientB,
but directly to 192.168.1.5, so clientB was dropping them. A friend
of mine ran some more extensive tcpdump tests and was able to determine
there was an issue with icmp redirects. So good call on that. Here's his
summary statement on the matter. I'll check out those two links you
posted. We've decided to move our JBoss server to a public interface,
but I might play around to see if I can get ssh to work like this with
the links you provided. If I can, I might try running the JBoss server
behind it again. Thanks.
<quote>
the solution will require something like this:
the lvs machine to do a sort of secondary nat.
- mangle nat as normal
- noticing a secondary mangle is required instead of an icmp
redirect when clientB connects to VIP on lvs.
- mangling SOURCE to the public ip and DESTINATION to the
real server, so the realserver will reply back to the public ip,
guaranteeing traffic will come back thru the lvs machine.
- once that happens, unmangle the return traffic so the
DESTINATION changes from the public ip to clientB.
i played around a bit with the firewall in denver trying to make that
happen but was unsuccessful.
</quote>
Joseph Mack wrote:
Justin Georgeson wrote:
I guess I thought that's what I was doing with ssh.
ssh is fine (it's a one port service).
-A -t w.x.y.z:22 -s wlc -p 10360
-a -t w.x.y.z:22 -r 192.168.1.3:22 -m -w 1
-A -t w.x.y.z:4444 -s wlc -p 10360
-a -t w.x.y.z:4444 -r 192.168.1.3:4444 -m -w 1
-A -t w.x.y.z:1099 -s wlc -p 10360
-a -t w.x.y.z:1099 -r 192.168.1.3:1099 -m -w 1
-A -t w.x.y.z:8080 -s wlc -p 10360
-a -t w.x.y.z:8080 -r 192.168.1.3:8080 -m -w 1
Those are some of the rules I have in /etc/sysconfig/lvs. Running
ipvsadm -Ln shows they are in effect. If I try to ssh from a machine on
the 192.168.1.0/24 (192.168.1.5) subnet to w.x.y.z, I never get a login
prompt.
do the normal checks
o can you ping w.x.y.z
o look at the output of ipvsadm as you're attempting to connect
(do you get InActConn entries?)
- http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO-32.html#ss32.3
o have you turned off icmp redirects
- http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO-12.html#ss12.12
Joe
--
Justin Georgeson
UnBound Technologies, Inc.
http://www.unboundtech.com
Main 713.329.9330
Fax 713.460.4051
Mobile 512.789.1962
5295 Hollister Road
Houston, TX 77040
Real Applications using Real Wireless Intelligence(tm)
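An added illustration, not code from this thread or from LVS itself: a small Python model of the address rewriting the quoted summary proposes (SNAT a LAN client's source to the director, DNAT to the realserver, reverse both on the way back), next to plain LVS-NAT, where the realserver's reply to a client on its own subnet bypasses the director. The VIP and the director's inside address are placeholders I've assumed; 192.168.1.3 and 192.168.1.5 are the thread's own.

```python
import ipaddress

# Addresses from the thread: realserver 192.168.1.3, clientB 192.168.1.5.
# The VIP (w.x.y.z there) and the director's inside address are placeholders.
LAN = ipaddress.ip_network("192.168.1.0/24")
CLIENT, REAL = "192.168.1.5", "192.168.1.3"
VIP, DIRECTOR_LAN = "203.0.113.10", "192.168.1.1"


class Director:
    """LVS-NAT director; a packet is a (src, dst) tuple of address strings."""

    def __init__(self, secondary_nat):
        self.secondary_nat = secondary_nat
        self.sessions = {}  # expected reply (src, dst) -> (src, dst) clientB must see

    def forward(self, pkt):
        src, dst = pkt
        if dst != VIP:
            return pkt  # not for the virtual service
        # Plain LVS-NAT only rewrites the destination (DNAT to the realserver).
        # The secondary NAT also rewrites the source of a client on the
        # realserver's own subnet, so the realserver answers the director.
        new_src = src
        if self.secondary_nat and ipaddress.ip_address(src) in LAN:
            new_src = DIRECTOR_LAN
        self.sessions[(REAL, new_src)] = (VIP, src)
        return (new_src, REAL)

    def unmangle(self, pkt):
        """Reverse the mangling for a reply that came back through the director."""
        return self.sessions.get(pkt, pkt)


def deliver_from_realserver(pkt):
    """The director sees the reply only if it is the destination or the default
    gateway; an on-link LAN host is reached directly (or after an ICMP redirect)."""
    dst = pkt[1]
    if dst == DIRECTOR_LAN or ipaddress.ip_address(dst) not in LAN:
        return "director"
    return dst


def run(secondary_nat):
    """One request from clientB to the VIP; returns (status, reply clientB sees)."""
    director = Director(secondary_nat)
    to_real = director.forward((CLIENT, VIP))
    reply = (to_real[1], to_real[0])  # the realserver swaps src and dst
    if deliver_from_realserver(reply) == "director":
        reply = director.unmangle(reply)
    # clientB accepts only a reply from the address it actually talked to.
    return ("accepted" if reply == (VIP, CLIENT) else "dropped"), reply
```

Clients outside 192.168.1.0/24 are left untouched by the secondary NAT, so only the same-subnet case pays the cost of having its source rewritten.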