* Horms (horms@xxxxxxxxxxxx) [021016 07:15]:
> On Wed, Oct 02, 2002 at 05:04:07PM -0700, Tim Lynch wrote:
> >
> > also instead of monkeying (haha) around with the loopback interface on the
> > real servers, i used this on the real servers to get them to accept the
> > virtual ip:
> > iptables -t nat -A PREROUTING -d virtualip -j REDIRECT
>
> Personally I like that method of doing things too (after all, someone
> who is not me named it Horms' method :). However, it doesn't always work
> as the source address of reply packets may be set to the IP address of
> the interface that the packet was sent out of, rather than virtualip.
> Clearly this is not good.
>
> This behaviour seems to be consistent across the 2.4 kernels. However,
> while playing around with red hat (read heavily patched) kernels
> recently, I noticed that the iptables REDIRECT behaviour was the reverse
> of what I described above. That is the reply packets had the source IP
> address set as virtualip.
>
> I didn't investigate this thoroughly, but I suspect that Red Hat is
> adding a patch to give this behaviour - which was the way things worked
> in 2.2 kernels.
>
> If someone has isolated this patch it would be a good addition
> to the linuxvirtualserver.org web page.
We've been experimenting with:
iptables -t nat -A PREROUTING -d virtualip -j REDIRECT
-AND-
iptables -t nat -A POSTROUTING -s realserverip \
-d !virtualipnet/virtualipnetbits -j SNAT --to-source virtualip
which seems to override the undesirable kernel behavior (we use
keepalived monitoring on the virtualipnet, so we needed to ensure
that the SNAT didn't apply to local network requests).
Am I deluding myself thinking that this works?
-Brad
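The following is an added example, not part of the thread above and not LVS or keepalived project code. It generates the two real-server rules Brad describes from placeholder variables and, with a small CIDR check, shows which reply destinations the POSTROUTING SNAT rule rewrites and which the `! -d virtualipnet` exclusion leaves alone (the point of excluding the local network so keepalived's checks still reach the real server's own address). All addresses are constructed documentation ranges; the negation is written in the `! -d` form that current iptables accepts, rather than the older `-d !` form in the post. Nothing is loaded into the kernel, the rules are only printed.

```shell
#!/bin/sh
# Added example: dry-run generator and reply-path check for the
# REDIRECT + SNAT real-server setup discussed in the thread.
# All values below are constructed placeholders, not real addresses.
VIP=${VIP:-192.0.2.10}          # virtualip
RIP=${RIP:-198.51.100.21}       # realserverip
VIPNET=${VIPNET:-192.0.2.0}     # virtualipnet
VIPBITS=${VIPBITS:-24}          # virtualipnetbits

# Convert a dotted quad to a 32-bit integer.
ip_to_int() {
    OLDIFS=$IFS
    IFS=.
    set -- $1
    IFS=$OLDIFS
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length, as an integer (4294967295 = 0xffffffff).
mask_for_bits() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# True (exit 0) when address $1 lies inside network $2 with prefix $3.
in_net() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "$2")
    mask=$(mask_for_bits "$3")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Mirrors the POSTROUTING rule: "-s RIP ! -d VIPNET/VIPBITS -j SNAT".
# Replies to hosts outside the VIP network leave with source VIP;
# replies to the local network keep the real server's own address.
snat_applies() {
    if in_net "$1" "$VIPNET" "$VIPBITS"; then
        echo "no-snat"   # local-network destination, excluded by ! -d
    else
        echo "snat"      # external client, reply rewritten to source VIP
    fi
}

# Print the two rules for review; nothing is applied.
rules() {
    echo "iptables -t nat -A PREROUTING -d $VIP -j REDIRECT"
    echo "iptables -t nat -A POSTROUTING -s $RIP ! -d $VIPNET/$VIPBITS -j SNAT --to-source $VIP"
}

rules
for dst in 192.0.2.99 203.0.113.7; do
    echo "$dst: $(snat_applies "$dst")"
done
```

Run it with `VIP=... RIP=... VIPNET=... VIPBITS=... sh` to see the rules for your own addresses; the per-destination output shows that a keepalived check source on the virtualip network gets "no-snat" while a remote client gets "snat", which is the split Brad's rule is meant to produce.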