On Tue, May 18, 2004 at 10:24:11AM +0200, Alois Treindl wrote:
> Alois Treindl wrote:
> I had described my LVS NAT - firewall setup with iptables, see below.
>
> I think I solved the problem myself, in a long night.
>
> To get it to work, I had to add two iptables rules:
> ${IT} -t nat -A POSTROUTING -o eth1 -p tcp -s $W1 --sport 22 -d \
> $MY_NETWORK -j MASQUERADE
This rule is probably not required. A MASQUERADE rule should only
be required for the real-servers to establish connections to
the outside world. In the case of the above you limit this
to connections with a source port of 22, which is unlikely to occur
in practice, so I don't think this rule is actually touching any
packets.
You can see how many packets and bytes a rule is affecting by running
iptables -t nat -L -v -n
iptables -L -v -n
And so on
> ${IT} -A FORWARD -o eth1 -j ACCEPT
This rule is required as in 2.4 return packets for LVS-NAT traverse
the FORWARD chain. That is, packets from port 22 on the real-server
to the end-user go through the FORWARD chain, so you need to let them
through. After any iptables FORWARD rules are processed, and assuming
the packet makes it through, LVS-NAT will then rewrite the packet
so that it has the VIP:Virtual_Port as the source IP address and port.
I have tried to illustrate this in the following diagram:
http://www.vergenet.net/~horms/tmp/nf-lvs.png
http://www.vergenet.net/~horms/tmp/nf-lvs.dia
To summarise. The path for incoming packets is:
PREROUTING -> LOCAL_IN -> POSTROUTING
And for outgoing packets, which means LVS-NAT:
PREROUTING -> FORWARD -> POSTROUTING
And for incoming ICMP:
PREROUTING -> FORWARD -> POSTROUTING
Well, that is my understanding anyway.
--
Horms
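As an added example (not from Horms's mail or the LVS project), here is a small shell helper that applies the counter check above to the output of "iptables -L -v -n" and reports the rules that have matched zero packets, i.e. rules that are not touching anything. The sample output embedded below is constructed; the addresses and the source-port-22 rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): find firewall rules that have
# never matched a packet, using the counters shown by `iptables -L -v -n`.
# On a real host, pipe the live output in:  iptables -t nat -L -v -n | zero_hit_rules

# Constructed sample of `iptables -t nat -L POSTROUTING -v -n` output
# (addresses and rules are made up for illustration).
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  tcp  --  *      eth1    192.168.1.10         192.168.0.0/24       tcp spt:22
  142 11240 MASQUERADE  all  --  *      eth1    192.168.1.0/24       0.0.0.0/0'

# Print "chain: rule" for every rule whose packet counter is zero.
# "Chain ..." and "pkts bytes ..." header lines are skipped; the chain name is
# remembered so the report says where the idle rule lives.
zero_hit_rules() {
    awk '
        /^Chain / { chain = $2; next }
        $1 == "pkts" { next }
        NF == 0 { next }
        $1 == 0 {
            rule = ""
            for (i = 3; i <= NF; i++) rule = rule (i > 3 ? " " : "") $i
            print chain ": " rule
        }
    '
}

# Number of idle rules in a block of iptables output (quick "anything dead?" check).
count_zero_hit_rules() {
    zero_hit_rules | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_NAT" | zero_hit_rules
```

Use "-x" with iptables if you want exact counters instead of abbreviated ones like "12K".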