Re: LVS, fwmarks and a port translation problem

To:	"LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject:	Re: LVS, fwmarks and a port translation problem
From:	Matthew Crocker <matthew@xxxxxxxxxxx>
Date:	Fri, 15 Aug 2003 08:58:23 -0400

Do I understand you correctly, that if one connects to VIP:80 and gets
assigned to a RIP1:51580 you want him to still connect to RIP1 but to
RIP1:51543 in case the application requires him to connect to VIP:443?
If so I also do not see an obvious way if doing it. I mean it wouldworkif the servers would redirect or listen to port 80, resp. port 443.Then
you could use persistent fwmark for a 80/443 VIP service tuple.


Where there is a will (and linux) there is a way.  Never give up hope.

I haven't done this but I know it can be made to work. LVS is not theonly tool in the toolbox so you'll need to use iptables

Step 1: NAT the destination port using ip tables, don't touch the destIP

iptables -t nat -A PREROUTING -s 0/0 -d 10.0.0.2 -m tcp -p tcp --dport80 -j DNAT --to-destination 10.0.0.2:50580iptables -t nat -A PREROUTING -s 0/0 -d 10.0.0.2 -m tcp -p tcp --dport443 -j DNAT --to-destination 10.0.0.2.505443iptables -t nat -A PREROUTING -s 0/0 -d 10.0.0.3 -m tcp -p tcp --dport80 -j DNAT --to-destination 10.0.0.3:50680iptables -t nat -A PREROUTING -s 0/0 -d 10.0.0.3 -m tcp -p tcp --dport443 -j DNAT --to-destination 10.0.0.3:506443

Step 2: mark the groups of packets (80 & 443) for each IP address intothe same fwmark

iptables -t mangle -A PREROUTING -s 0/0 -d 10.0.0.2 -j MARK --set-mark0x1iptables -t mangle -A PREROUTING -s 0/0 -d 10.0.0.3 -j MARK --set-mark0x2

Step 3: Load balance the fwmark packets with persistance to the realservers


ipvsadm -A -f 1 -s wlc -p 300
ipvsadm -a -f 1 -r 10.0.0.10:0 -m -w 100
ipvsadm -a -f 1 -r 10.0.0.11:0 -m -w 100

ipvsadm -A -f 2 -s wlc -p 300
ipvsadm -a -f 2 -r 10.0.0.10:0 -m -w 100
ipvsadm -a -f 2 -r 10.0.0.11:0 -m -w 100

I haven't looked at the packet flow so I don't know if step 1 or step 2happens first. Once you figure it out you could adjust the rule instep 2 and add a dest_port.

You could also skip step 2 and do regular IP based Load Balancing witha dest port of 0 (which means all ports).

Personally I like the fwmark option because the way mine is setupanything that isn't fwmarked get routed back out to the Internet. Itmake the machine look like it doesn't exist.


-Matt

<Prev in Thread]	Current Thread	[Next in Thread>
LVS, fwmarks and a port translation problem, Philip Hayward Re: LVS, fwmarks and a port translation problem, Matthew Crocker Re: LVS, fwmarks and a port translation problem, Horms Re: LVS, fwmarks and a port translation problem, Roberto Nibali RE: LVS, fwmarks and a port translation problem, Philip Hayward RE: LVS, fwmarks and a port translation problem, Philip Hayward Re: LVS, fwmarks and a port translation problem, Matthew Crocker <=

Previous by Date:	RE: LVS, fwmarks and a port translation problem, Philip Hayward
Next by Date:	java servlet, Kettler, Holger
Previous by Thread:	RE: LVS, fwmarks and a port translation problem, Philip Hayward
Next by Thread:	java servlet, Kettler, Holger
Indexes:	[Date] [Thread] [Top] [All Lists]