Horms wrote:
On Sun, Aug 24, 2003 at 04:20:19PM -0400, Marc Tardif wrote:
linux kernel 2.4.21
ipvs and ipvsadm installed from ipvs 1.0.10 tarball
I can get ip_vs to redirect incoming packets on port 80 to an internal
box, but I can't seem to return these packets to the calling host.
Here's my network setup:
external             gateway                     internal
------------         -------------------------   ------------
192.168.0.68   ->    192.168.0.2
                     10.9.201.2            ->    10.9.201.225
The gateway has the following interfaces and filtering configuration
(command outputs have been shortened):
# ifconfig
eth0 inet addr:10.9.201.2 Bcast:10.9.201.255 Mask:255.255.255.0
eth1 inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
# ipvsadm -L
TCP 192.168.0.2:http wlc
-> 10.9.201.225:http Masq 1 0 0
# ipchains -L
Chain forward (policy ACCEPT):
target prot opt source destination
MASQ all ----l- 10.9.201.0/24 anywhere
The internal box has the gateway configured as a default gateway:
# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags Iface
10.9.201.0 0.0.0.0 255.255.255.0 U eth0
192.168.0.0 10.9.201.2 255.255.255.0 UG eth0
This is the tcpdump on the gateway generated by the external box
attempting to telnet to port 80 of the gateway:
15:34:21.737622 192.168.0.68.1071 > 10.9.201.225.http: S
855275531:855275531(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:34:21.737927 10.9.201.225.http > 192.168.0.68.1071: S
4039057286:4039057286(0) ack 855275532 win 5840 <mss
1460,nop,nop,sackOK> (DF)
15:34:24.651755 192.168.0.68.1071 > 10.9.201.225.http: S
855275531:855275531(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:34:24.652003 10.9.201.225.http > 192.168.0.68.1071: S
4039057286:4039057286(0) ack 855275532 win 5840 <mss
1460,nop,nop,sackOK> (DF)
15:34:24.728277 10.9.201.225.http > 192.168.0.68.1071: S
4039057286:4039057286(0) ack 855275532 win 5840 <mss
1460,nop,nop,sackOK> (DF)
Hi,
I take it that this tcpdump was taken on the internal interface
of the linux director (gateway). If so it looks like the packet
from the real server (external box) is being correctly sent to
the real server (internal box) and that the real server is in
turn replying correctly. It also seems that the Linux Director is
seeing the return packet, though without examining the MAC address
it is hard to confirm that it has been sent to the Linux Director.
I would suspect that the problem is that the Linux Director
is not demasquerading and forwarding the return packets. Can you
confirm that the routing on the Linux Director is correct,
that probably means 10.9.201/24 being routed to the internal
interface and 0/0 or at least 192.168.0/24 being routed to the
external interface.
Here's a tcpdump on the external interface of the Linux Director:
10:07:51.140679 192.168.0.68.1084 > 192.168.0.2.http: S
352642595:352642595(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
10:07:54.066679 192.168.0.68.1084 > 192.168.0.2.http: S
352642595:352642595(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
That means the external box keeps trying to establish an http connection
but is never receiving a response. Therefore, you are right that the
Linux Director is not forwarding the return packets. You've asked me to
confirm the routing information but I'm not sure what to show you other
than the ipchains configuration in my original message. Just in case
it's relevant, here's my routing table on the Linux Director:
# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags Iface
10.9.201.0 0.0.0.0 255.255.255.0 U eth0
192.168.0.0 0.0.0.0 255.255.255.0 U eth1
127.0.0.0 0.0.0.0 255.0.0.0 U lo
0.0.0.0 10.9.201.7 0.0.0.0 UG eth0
Running tcpdump on the external interface of the Linux Director
may shed some more light onto this problem.
Problem is, the external box hangs on the telnet and never seems to get
a response via the gateway. Maybe the problem is that it's expecting an
answer from 192.168.0.2 whereas the tcpdump is showing a packet arriving
from 10.9.201.225. Can someone point me in the right direction? I've
followed the exact installation instructions on the virtual server website:
http://www.linuxvirtualserver.org/VS-NAT.html
More explicitly, I've run the following commands:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# ipchains -l -A forward -j MASQ -s 10.9.201.0/24 -d 0.0.0.0/0
# ipvsadm -A -t 192.168.0.2:80 -s wlc
# ipvsadm -a -t 192.168.0.2:80 -r 10.9.201.225:80 -m
--
Marc Tardif
Sitepak
(514) 866-8883
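A small troubleshooting aid for the situation in this thread, added here as an example and not part of the original mails or of the LVS project: it re-joins the wrapped tcpdump lines, counts client SYNs and server SYN-ACKs on each side of the director, and reports which side lost the reply. The capture text is constructed from the lines quoted above; the function names are my own.

```python
import re

# Constructed sample captures in the shape of the two tcpdumps quoted in the thread (wrapped lines kept).
INTERNAL = """15:34:21.737622 192.168.0.68.1071 > 10.9.201.225.http: S
855275531:855275531(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:34:21.737927 10.9.201.225.http > 192.168.0.68.1071: S
4039057286:4039057286(0) ack 855275532 win 5840 <mss
1460,nop,nop,sackOK> (DF)
15:34:24.651755 192.168.0.68.1071 > 10.9.201.225.http: S
855275531:855275531(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)"""
EXTERNAL = """10:07:51.140679 192.168.0.68.1084 > 192.168.0.2.http: S
352642595:352642595(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
10:07:54.066679 192.168.0.68.1084 > 192.168.0.2.http: S
352642595:352642595(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
PKT = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.\w+ > (\d+\.\d+\.\d+\.\d+)\.\w+: "
                 r"([SFRP.]+) (.*)$")

def parse_capture(text):
    """Re-join wrapped tcpdump lines; return (src, dst, flags, has_ack) per packet."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line)
        else:  # continuation of the previous packet's wrapped line
            records[-1] += " " + line.strip()
    out = []
    for m in filter(None, map(PKT.match, records)):
        src, dst, flags, rest = m.groups()
        out.append((src, dst, flags, " ack " in rest))
    return out

def handshake(packets, client, server):
    """(client SYNs, server SYN-ACKs) seen for one client/server pair."""
    syns = sum(1 for s, d, f, a in packets if (s, d) == (client, server) and "S" in f and not a)
    synacks = sum(1 for s, d, f, a in packets if (s, d) == (server, client) and "S" in f and a)
    return syns, synacks

def diagnose(internal_text, external_text, client, vip, real_server):
    """Compare the handshake on both sides of an LVS-NAT director; say where the SYN-ACK was lost."""
    inside = handshake(parse_capture(internal_text), client, real_server)
    outside = handshake(parse_capture(external_text), client, vip)
    if inside[1] and not outside[1]:
        verdict = "real server answers; director is not de-masquerading the reply to the VIP"
    elif not inside[1]:
        verdict = "real server never sends a SYN-ACK; check its service and default route"
    else:
        verdict = "handshake visible on both sides of the director"
    return {"internal": inside, "external": outside, "verdict": verdict}
```

Run `diagnose(INTERNAL, EXTERNAL, "192.168.0.68", "192.168.0.2", "10.9.201.225")` to get the verdict for the captures in this thread.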