Well, I'm using iptables on my director like a standard firewall, but I
have absolutely no rules for redirection.
Will these rules be OK for me if I'm using iptables and Direct Routing?
# allow ip forwarding (required), turn off on private (eth0) for security.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/eth0/forwarding
# rules for LVS to fix arp issues -- transparent proxy method (HORMS)
$IPTABLES -t nat -A PREROUTING -p tcp -d 216.187.127.122 --dport 80 -j REDIRECT --to-port 80
$IPTABLES -t nat -A PREROUTING -p tcp -d 216.187.127.123 --dport 80 -j REDIRECT --to-port 80
$IPTABLES -t nat -A PREROUTING -p tcp -d 216.187.127.124 --dport 80 -j REDIRECT --to-port 80
$IPTABLES -t nat -A PREROUTING -p tcp -d 216.187.127.122 --dport 8080 -j REDIRECT --to-port 8080
$IPTABLES -t nat -A PREROUTING -p tcp -d 216.187.127.123 --dport 8080 -j REDIRECT --to-port 8080
$IPTABLES -t nat -A PREROUTING -p tcp -d 216.187.127.124 --dport 8080 -j REDIRECT --to-port 8080
$IPTABLES -t nat -A PREROUTING -p tcp -d 216.187.127.130 --dport 25 -j REDIRECT --to-port 25
$IPTABLES -t nat -A PREROUTING -p tcp -d 216.187.127.130 --dport 110 -j REDIRECT --to-port 110
I think I have to apply these rules only on the director....
Why $IPTABLES -t nat if I'm using direct routing?
Thanks,
Cyrille.
ipvsadm output:
root@lb root]# ipvsadm
IP Virtual Server version 1.0.4 (size=65536)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 216.187.127.124:http wrr
-> gragra.privatedns.com:http Route 2 184 453
-> koon.privatedns.com:http Route 1 79 271
-> motti.privatedns.com:http Route 1 80 263
TCP 216.187.127.123:http-alt rr
-> gragra.privatedns.com:http-alt Route 1 0 0
-> koon.privatedns.com:http-alt Route 1 0 0
-> motti.privatedns.com:http-alt Route 1 0 0
TCP 216.187.127.122:http-alt rr
-> gragra.privatedns.com:http-alt Route 1 1 1
-> koon.privatedns.com:http-alt Route 1 0 1
-> motti.privatedns.com:http-alt Route 1 0 2
TCP 216.187.127.122:http wrr
-> gragra.privatedns.com:http Route 1 218 332
-> koon.privatedns.com:http Route 2 290 921
-> motti.privatedns.com:http Route 2 334 933
TCP 216.187.127.124:http-alt rr
-> gragra.privatedns.com:http-alt Route 1 0 0
-> motti.privatedns.com:http-alt Route 1 0 0
-> koon.privatedns.com:http-alt Route 1 0 0
TCP 216.187.127.123:http rr
-> gragra.privatedns.com:http Route 1 0 1
-> koon.privatedns.com:http Route 1 4 2
-> motti.privatedns.com:http Route 1 3 2
TCP 216.187.127.130:smtp rr
-> 192.168.6.18:smtp Route 1 0 0
-> 192.168.6.19:smtp Route 1 0 0
TCP 216.187.127.130:pop3 rr
-> 192.168.6.19:pop3 Route 1 0 0
-> 192.168.6.18:pop3 Route 1 0 0
So it looks like the ARP problem?
Maybe. Here are firewall rules for ipchains and iptables that work for me.
You'll have to change port 80 to what you want.
# allow ip forwarding (required), turn off on private (eth0) for security.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/eth0/forwarding
# rules for LVS to fix arp issues -- transparent proxy method (HORMS)
$IPCHAINS -A input -j REDIRECT 80 -d $VIP 80 -p tcp
or iptables
$IPTABLES -t nat -A PREROUTING -p tcp -d $VIP --dport 80 -j REDIRECT --to-port 80
What are you using right now to redirect traffic from the VIP to the
application? I think as long as you place these rules before any accept
statements you should be able to test it out without changing that around.
P
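The rule set above, expanded to every VIP/port pair in the ipvsadm listing, plus a check that reports which pairs a host's nat table is still missing. This is an added example, not code from the thread; the $IPTABLES path and the sample nat-table listing are assumptions. In the transparent-proxy method these REDIRECT rules go on each real server, which is the host that must accept packets addressed to the VIP.

```shell
#!/bin/sh
# Added example (not from the thread): generate the LVS-DR transparent-proxy
# REDIRECT rules for every VIP:port pair a real server must answer for, and
# check an existing nat table for gaps. The $IPTABLES path is an assumption.
IPTABLES=${IPTABLES:-/sbin/iptables}

# VIP/port pairs, taken from the ipvsadm listing in the thread.
SERVICES='216.187.127.122 80
216.187.127.122 8080
216.187.127.123 80
216.187.127.123 8080
216.187.127.124 80
216.187.127.124 8080
216.187.127.130 25
216.187.127.130 110'

# Print one REDIRECT rule per unique VIP/port pair (a dry run: nothing is applied).
redirect_rules() {
    printf '%s\n' "$SERVICES" | sort -u | while read -r vip port; do
        [ -n "$vip" ] || continue
        printf '%s -t nat -A PREROUTING -p tcp -d %s --dport %s -j REDIRECT --to-port %s\n' \
            "$IPTABLES" "$vip" "$port" "$port"
    done
}

# Read "iptables -t nat -S PREROUTING" output on stdin and print each VIP:port
# that still lacks a matching REDIRECT rule (iptables -S shows it as --to-ports).
missing_rules() {
    listing=$(cat)
    printf '%s\n' "$SERVICES" | while read -r vip port; do
        [ -n "$vip" ] || continue
        pattern="-d $vip/32 .*--dport $port -j REDIRECT --to-ports $port\$"
        printf '%s\n' "$listing" | grep -q -- "$pattern" || echo "$vip:$port"
    done
}

# Constructed sample of a real server's nat table that only got the port-80 rules.
SAMPLE_LISTING='-P PREROUTING ACCEPT
-A PREROUTING -d 216.187.127.122/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
-A PREROUTING -d 216.187.127.123/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
-A PREROUTING -d 216.187.127.124/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80'

case "${1:-}" in
    check) missing_rules ;;   # e.g.  iptables -t nat -S PREROUTING | sh lvs-redirect.sh check
    *)     redirect_rules ;;  # default: print the rules for review, then pipe to sh to apply
esac
```

Run it with no arguments to review the generated rules; feed a live `iptables -t nat -S PREROUTING` listing to the `check` mode on each real server to find the VIP:port pairs that still have no REDIRECT.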
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users