We want to configure a HA firewall with Direct Routing. It seems that no
connection tracking is taking place when using DR. We see packets going
from the outside to an inside server, but return packets are dropped on
the firewall by iptables.
Is there something magical one has to do to get this working?
Details
-------
linux-2.4.21
keepalived-1.1.1
ipvs-1.0.10
"antefacto" patch
"forward_shared" patch (forward_shared-2.4.19-2.diff)
Two firewalls (fw1 & fw2), outside and inside network (via vlans), an
internal server.
When using LVS/NAT things work fine (also state sync).
For LVS/DR we did:
- VIP: via keepalived bound on vlan_internal on fw[12]
- VIP: on lo0:1 on internal server (Sun machine)
When initiating connection from outside to inside_server, we see
1) SYN packet for VIP enters firewall via vlan_external
2) packet routed to internal_server via vlan_internal
3) SYN packet received on internal server, sends out SYN/ACK with
source = VIP.
4) SYN/ACK enters firewall via vlan_internal
5) packet is dropped by iptables on firewall
We would expect step 2) to create an entry in /proc/net/ip_conntrack.
ipvsadm does see the connection (ext_ip is ip address of external
machine)
# ipvsadm -L -c -n
IPVS connection entries
pro expire state source virtual destination
TCP 09:48 NONE ext_ip:0 VIP:22 RIP:22
TCP 00:57 SYN_RECV ext_ip:35158 VIP:22 RIP:22
Could someone please help me on this and tell me what is wrong/needs to
be changed.
Kris,
--
Kris Boulez (kris.boulez@xxxxxxxxxx)
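As an added illustration of the symptom in the `ipvsadm -L -c -n` output above (this is example code, not part of the original post or of the ipvsadm/keepalived projects): a small parser for the connection table that counts entries stuck in SYN_RECV per virtual service. The sample table, the `VIP:80` row and the service/address placeholders are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the layout of `ipvsadm -L -c -n` shown in the post;
# "ext_ip", "VIP" and "RIP" stand in for the real addresses, as in the post.
SAMPLE_IPVSADM_OUTPUT = """\
IPVS connection entries
pro expire state       source          virtual         destination
TCP 09:48 NONE        ext_ip:0        VIP:22          RIP:22
TCP 00:57 SYN_RECV    ext_ip:35158    VIP:22          RIP:22
TCP 00:41 SYN_RECV    ext_ip:35161    VIP:22          RIP:22
TCP 14:59 ESTABLISHED ext_ip:35160    VIP:80          RIP:80
"""

ROW_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<expire>\d+:\d+)\s+(?P<state>\S+)\s+"
    r"(?P<source>\S+)\s+(?P<virtual>\S+)\s+(?P<destination>\S+)\s*$"
)


def parse_ipvs_connections(text: str) -> List[Dict[str, str]]:
    """Return one dict per connection row, skipping the two header lines and
    the port-0/NONE rows, which are persistence templates rather than flows."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue  # "IPVS connection entries" and the column header
        row = m.groupdict()
        if row["state"] == "NONE" or row["source"].endswith(":0"):
            continue
        rows.append(row)
    return rows


def half_open_per_service(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count connections still in SYN_RECV per virtual service. In LVS/DR the
    director only sees client-to-server packets, so an entry leaves SYN_RECV
    when the client's ACK arrives; entries that sit in SYN_RECV until they
    expire mean the client never received the SYN/ACK (step 5 in the post)."""
    return dict(Counter(r["virtual"] for r in rows if r["state"] == "SYN_RECV"))


def stuck_services(text: str, threshold: int = 1) -> List[str]:
    """Virtual services with at least `threshold` half-open entries."""
    counts = half_open_per_service(parse_ipvs_connections(text))
    return sorted(svc for svc, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(stuck_services(SAMPLE_IPVSADM_OUTPUT))  # ['VIP:22']
```

Run it against live output (`ipvsadm -L -c -n | python3 check.py` with `sys.stdin.read()` in place of the sample) on the director; a service whose entries only ever reach SYN_RECV while NAT services reach ESTABLISHED points at the return path rather than at the real server.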