Re: problem moving LVS NAT cluster to iptables - solved?

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: problem moving LVS NAT cluster to iptables - solved?
From: Alois Treindl <alois@xxxxxxxx>
Date: Tue, 18 May 2004 15:11:06 +0200 (CEST)
On Tue, 18 May 2004, Joseph Mack wrote:

> Alois Treindl wrote:
> 
> 
> Hi Alois, 
>       Nice to hear from you again. Why did you go break your working 
> 2.2 setup :-)

Hi Joe, yes, I am back to this mailing list after nearly three years
of uninterrupted LVS performance. I had to boot the 'director' exactly 
twice in these years, once because we moved from one provider to the other, 
and the other time because the power line was switched.

This can really be called reliable operation!

Now we have to update the kernel 2.2 box, because it was running on a 
Redhat 7.0 box, and Redhat has since terminated
support for any release <= 9.0.

We have moved all company servers to Redhat RHEL 3, or to a free clone
of it, which uses the 2.4 kernel. 

This forces me to give up kernel 2.2 - I need reliable security patches,
and I want to run as unified a system on all boxes as possible.

It has good things, too - LVS is already 
built into the Redhat kernel, and is 'supported'.

 
> With 2.4 you don't have to write any iptables rules for the basic LVS-NAT
> functionality (setting up the masquerading and the de-masquerading). With
> 2.2 you had to set up the masquerading direction. 

Yes, I finally gathered that from your LVS HOWTO section 15.6

My error was that I did not understand the various chains and tables of 
'iptables' and did not realize that I also need to define rules for the 
FORWARD chain, not just the INPUT chain, because this is where the LVS
packets go through and are filtered. The missing rule for the FORWARD 
chain stopped my packets from getting back through the director to the client.

I have since read the 'Iptables Tutorial' and understand a bit more about 
this setup.

This excellent tutorial has a good description of the various steps
in which packets are handled.

What is missing there is a comment about how LVS interacts with it, i.e.
in which steps exactly LVS is done.

If you can point me to info regarding the interaction between ipvs-handling 
of packets and iptables/netfilter handling of packets, it would be 
helpful.

The integration of both iptables-firewalling and LVS-NAT into a single box 
is probably not a rare situation, and careful consideration of filtering 
rules is necessary, both for the state when LVS is down and when it is up.

Alois
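
The director-side rule set that the mail above turns on, as an added example that is not from Alois's mail, Joe's HOWTO or the LVS project. On a 2.4 kernel IPVS attaches to the netfilter LOCAL_IN hook after the filter table's INPUT chain and to the FORWARD hook after the filter table's FORWARD chain, so a request for the VIP is filtered in INPUT and then handed to IPVS, while the realserver's reply is forwarded traffic, filtered in FORWARD and only then de-masqueraded by IPVS; the request IPVS sends on to the realserver does not traverse FORWARD at all. The VIP, realserver network, interface names and port are hypothetical, chosen for the example:

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the LVS project):
# minimal filter rules for a 2.4 LVS-NAT director that is also the firewall.
#
# Packet path through the director (2.4 kernel, filter table):
#   client -> VIP:80     PREROUTING -> route -> INPUT chain -> IPVS (LOCAL_IN hook)
#                        IPVS rewrites dst to a realserver and transmits it
#                        via POSTROUTING; the FORWARD chain is never visited.
#   realserver -> client PREROUTING -> route -> FORWARD chain -> IPVS (FORWARD hook)
#                        IPVS rewrites src back to the VIP, then POSTROUTING.
# Hence requests are filtered in INPUT and replies in FORWARD. A FORWARD
# policy of DROP with no rule for the realservers gives exactly the symptom
# in the mail: requests reach the realserver, replies never reach the client.
#
# Hypothetical addresses: VIP 192.168.1.10 on eth0, realservers on
# 10.1.1.0/24 behind eth1, one TCP/80 service. Override via the environment.

VIP=${VIP:-192.168.1.10}
RS_NET=${RS_NET:-10.1.1.0/24}
OUT_IF=${OUT_IF:-eth0}
RS_IF=${RS_IF:-eth1}
SVC_PORT=${SVC_PORT:-80}
IPT=${IPT:-iptables}

# Print the rule set, one iptables command per line (dry run by default).
lvs_nat_rules() {
  cat <<EOF
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# Requests for the balanced service: accepted here, then taken by IPVS at LOCAL_IN.
$IPT -A INPUT -i $OUT_IF -p tcp -d $VIP --dport $SVC_PORT -j ACCEPT
# Replies from the realservers are forwarded packets and need a FORWARD rule.
# Kept stateless on purpose: ip_conntrack on 2.4 does not see the IPVS rewrite,
# so a reply from a realserver does not match --state ESTABLISHED.
$IPT -A FORWARD -i $RS_IF -o $OUT_IF -s $RS_NET -p tcp --sport $SVC_PORT -j ACCEPT
# ICMP errors the realservers send about the service (e.g. fragmentation needed)
# come back the same way and are de-masqueraded by IPVS too.
$IPT -A FORWARD -i $RS_IF -o $OUT_IF -s $RS_NET -p icmp -j ACCEPT
# Anything else from the realserver side is logged and dropped by the policy:
# the director must not become a general router for the realservers.
$IPT -A FORWARD -j LOG --log-prefix "lvs-fwd-drop: "
EOF
}

# Sanity check used before loading: is there an ACCEPT in FORWARD for the
# realserver network? This is the rule that was missing in the mail.
rules_cover_replies() {
  lvs_nat_rules | grep -q -- "-A FORWARD .*-s $RS_NET .*-j ACCEPT"
}

# Feed the printed commands to a shell, i.e. actually load them.
apply_lvs_nat_rules() {
  rules_cover_replies || { echo "refusing to load: no FORWARD rule for $RS_NET" >&2; return 1; }
  lvs_nat_rules | sh
}

case "${1:-}" in
  apply) apply_lvs_nat_rules ;;
  *)     lvs_nat_rules ;;
esac
```

Run without arguments to print the rules, with `apply` (as root, iptables on the path) to load them. The point Alois raises about the state when LVS is down also shows here: with the ipvsadm table empty, a packet accepted by the INPUT rule is no longer taken by IPVS and is delivered to the director's own stack, so nothing on the director should listen on the VIP's service port unless that is intended.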
