On Fri, 22 Nov 2002, Joseph Mack wrote:
> Ian Millsom wrote:
>
> > I have a fully working operation lvs setup now, which works great,
>
> > but no-one physically works from the data center.
>
> I don't know how this fits into the problem.
I was indicating that I have an operational LVS up and running, that's all.
>
> > The second is a mirror in the office. From the outside world, all is
> > working fine.
> > When I try and say load a website/ssh etc through the lvs server it just
>                                                         ^^^^^^^^^^
>
> what is an "lvs server"?
>
> http://www.linux-vs.org/Joseph.Mack/HOWTO/LVS-HOWTO.introduction.html#nomenclature
ACK! thanks.. read and now using your terms.. I mean Director
>
> > times out.
>
> If the IPs are important and you have multiple networks (internal/external),
> a diagram would be more helpful than a list of IPs.
> You can swipe one of the diagrams in the HOWTO if you need a template.
As stated in the last email, from the internet, all works. It's not working
from the local network 203.x.x.0/24
 ______________________
|                      |
|       Internet       |
|______________________|
            |
         ___|____
        |        |
        | ROUTER |
        |________|    ________________
            |        |                |
        (switch)------ My workstation |
            |        | CIP=203.x.x.9  |
            |         ----------------
        ____|_____
       |          | DIP=203.x.x.30 (eth0)
       | director | VIP=203.x.x.32 (eth0:0)
       |__________| eth1 10.77.77.250
            |       forwarding is enabled
        (switch)    ipchains -P forward DENY
            |       ipchains -A forward -s 10.77.77.0/24 -j MASQ
   ----------------------------------
   |               |               |
   |               |               |
   | RIP (eth0)    | RIP (eth0)    | RIP (eth0)
   | 10.77.77.1    | 10.77.77.2    | 10.77.77.3
 _____________   _____________   _____________
|             | |             | |             |
| realserver1 | | realserver2 | | realserver3 |
|_____________| |_____________| |_____________|
> An LVS timing out could be several things.
>
> I need more info.
Kernel 2.4.19 Patched with linux-2.4.19-ipvs-1.0.7.patch.gz (No errors)
ipvsadm-1.21-3.src.rpm rebuilt with new kernel
ipvsadm -v
ipvsadm v1.21 2002/11/12 (compiled with popt and IPVS v1.0.7)
uname -a
Linux director1.mydomain.com 2.4.19 #1 Fri Nov 22 17:42:58 EST 2002 i686 unknown
Kernel INFO
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_LOCAL=y
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_NAT_NEEDED=y
#
# IP: Virtual Server Configuration
#
CONFIG_IP_VS=y
CONFIG_IP_VS_DEBUG=y
CONFIG_IP_VS_TAB_BITS=18
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_FTP=m
> What forwarding method are you using?
LVS-NAT
> What service(s) are you forwarding?
/sbin/ifconfig eth0:0 203.x.x.32 netmask 255.255.255.0
/sbin/ipvsadm -A -t 203.x.x.32:22 -s rr -p 5800 -M 255.255.255.0
/usr/sbin/nanny -c -h 10.77.77.1 -p 22 -a 15 -I /sbin/ipvsadm -t 6 -w 1 -V 203.x.x.32 -M m -U rup
/usr/sbin/nanny -c -h 10.77.77.2 -p 22 -a 15 -I /sbin/ipvsadm -t 6 -w 1 -V 203.x.x.32 -M m -U rup
/usr/sbin/nanny -c -h 10.77.77.3 -p 22 -a 15 -I /sbin/ipvsadm -t 6 -w 1 -V 203.x.x.32 -M m -U rup
ipvsadm -L -n
IP Virtual Server version 1.0.7 (size=262144)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  203.x.x.32:22 rr persistent 5800 mask 255.255.255.0
  -> 10.77.77.3:22                Masq    1      0          0
  -> 10.77.77.2:22                Masq    1      0          0
  -> 10.77.77.1:22                Masq    1      0          0
Currently I'm only testing with ssh.
I do a portscan from a remote network to the LVS and here are the results:
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on drone1.satlink.com.au (203.x.x.32):
(The 1550 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
I do the same portscan from my workstation
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on drone1.satlink.com.au (203.x.x.32):
(The 1550 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     filtered    ssh
> What's the output of ipvsadm when the director is attempting
> to handle the connection?
The output is the same as above, except the InActConn is incremented by 1
>
> Send a diagram of the connections and IPs.
As listed above.
If you require any more information, please let me know.
Regards
Ian Millsom
>
> Joe
>
>