On Thu, 2004-02-05 at 10:18, Joseph Mack wrote:
> (it's written for ipchains, but you can figure out the iptables commands)
Here's a script snippet that works for me. This allows the real servers
to initiate NAT connections through the director. In addition, it
actually fixes a more serious problem I encountered when running
multiple VIPs on a director.
The problem I had was the "dev" real server wouldn't stay locked to the
"dev" VIP. It kept reverting to the "prod" VIP after 2-3 http
connections from a client. A client would connect to the "dev" VIP and
get a response from the "prod" VIP. Yikes! The workaround was to lock
a real server to a VIP with SNAT and the --to-source option.
----------
external_prod=<ip address here>
external_dev=<ip address here>
extif=eth0
intif=eth1
nodes_prod="192.168.2.10 192.168.2.11 192.168.2.12 192.168.2.13"
nodes_dev="192.168.2.2"
IPT=/sbin/iptables
# start from a clean FORWARD chain with a default-deny policy, and an empty nat table
$IPT -F FORWARD
$IPT -P FORWARD DROP
$IPT -F -t nat
# production address
# inbound client traffic to the prod VIP is allowed through to the real servers
$IPT -A FORWARD -i $extif -o $intif -d $external_prod/32 -p tcp -j ACCEPT
for host in $nodes_prod; do
# each prod real server may initiate outbound connections ...
$IPT -A FORWARD -i $intif -s $host/32 -o $extif -j ACCEPT
# ... and is locked to the prod VIP as its source address
$IPT -t nat -A POSTROUTING -s $host/32 -o $extif -j SNAT --to-source $external_prod
done
# development address
$IPT -A FORWARD -i $extif -o $intif -d $external_dev/32 -p tcp -j ACCEPT
for host in $nodes_dev; do
$IPT -A FORWARD -i $intif -s $host/32 -o $extif -j ACCEPT
$IPT -t nat -A POSTROUTING -s $host/32 -o $extif -j SNAT --to-source $external_dev
done
# allow conntracked traffic (replies to connections the real servers opened)
$IPT -A FORWARD -i $extif -o $intif -m state --state ESTABLISHED,RELATED -j ACCEPT
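The same rule set reworked as one function per VIP pool, added here as an example and not taken from the post: it prints the iptables commands by default (set IPT to the real binary to apply them) and checks that no real server is listed in two pools, since a node matching two SNAT rules would have its outbound traffic leave from whichever VIP's rule comes first. extif, intif and the sample addresses are assumed.

```shell
# Dry run by default: rules are echoed for review. Export IPT=/sbin/iptables to apply.
IPT="${IPT:-echo /sbin/iptables}"
extif=eth0
intif=eth1

# pool_rules VIP "node list": admit inbound TCP to the VIP, let each node
# initiate outbound connections, and SNAT every node's traffic to that VIP
pool_rules() {
    vip=$1
    nodes=$2
    $IPT -A FORWARD -i "$extif" -o "$intif" -d "$vip/32" -p tcp -j ACCEPT
    for host in $nodes; do
        $IPT -A FORWARD -i "$intif" -s "$host/32" -o "$extif" -j ACCEPT
        $IPT -t nat -A POSTROUTING -s "$host/32" -o "$extif" -j SNAT --to-source "$vip"
    done
}

# overlap_check "pool a nodes" "pool b nodes": prints every node present in
# both pools and returns 1 if there is any, 0 if the pools are disjoint
overlap_check() {
    found=0
    for a in $1; do
        for b in $2; do
            [ "$a" = "$b" ] && { echo "$a"; found=1; }
        done
    done
    return $found
}

# Sample pools (constructed): the prod and dev real servers from the post
nodes_prod="192.168.2.10 192.168.2.11 192.168.2.12 192.168.2.13"
nodes_dev="192.168.2.2"

# Refuse to generate rules when a node would be claimed by two VIPs
if overlap_check "$nodes_prod" "$nodes_dev" >/dev/null; then
    pool_rules 203.0.113.10 "$nodes_prod"   # assumed prod VIP
    pool_rules 203.0.113.20 "$nodes_dev"    # assumed dev VIP
    $IPT -A FORWARD -i "$extif" -o "$intif" -m state --state ESTABLISHED,RELATED -j ACCEPT
else
    echo "refusing to apply: a real server is listed in more than one pool" >&2
fi
```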