|
Hiya,
Thanks for the reply :)
I`ll see how it goes, the transparent proxy looks a good plan.
Re,
Al.
On Thu, 2003-10-16 at 18:32, Horms wrote:
> On Thu, Oct 16, 2003 at 06:02:39PM +1000, Alan Knipmeyer wrote:
> > Hiya,
> >
> > Thanks for the link. I gave it a try, and done a test with telnet to
> > start with, in this case re-writing port 2300 to port 23. I tested lvs
> > with port 23 first on a different address to make sure the RIP was
> > working.
> >
> > When I done this with the fw mark method, packets arrive, but end up in
> > a SYN_RCVD mode.
> >
> > When dumping packets, the same packet is being retransmitted from the
> > VIP on the real server, but never reaching the host which launched the
> > connection. Is this because the tcp handshake is broken at the LVS
> > server ?
> >
> > Any advice gratefully received ! I can't believe I`m the only person
> > thats tried to do this :)
>
> I can.
>
> The simple answer is that it can be done. But no one has
> put in enough time to research the best way to do it
> and make the information available.
>
> Port translation is something that has never been particularly
> well supported in LVS. Partly because it is a bit of a chore.
> Partly because in some cases (e.g. LVS-DR) it can't work.
> Partly because not many people seem to need it. And partly
> because there is no obvious way to configure it using the
> current ipvsadm framework.
>
> I would suspect the problem that you are coming up against in realtion
> to using DNAT is the old problem relating to netfilter's connection
> tracking code not working in conjunction with LVS.
>
> Perhaps this code can help. It seems to use its own connection tracking
> code.
>
> http://www.balabit.com/products/oss/tproxy/README.txt
>
> Or perhaps using the antifacto patch which should be in
> the list archive somewhere..
--
aknipmeyer@xxxxxxxxxxxxx | Systems Architect
Level 5/388 Lonsdale Street,Melbourne,Victoria, 3000
Australia Phone 03 9648 2200 Fax 03 9648 2244
|
