RE: LVS-NAT and packets originating from realserver

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: LVS-NAT and packets originating from realserver
From: "Francois JEANMOUGIN" <Francois.JEANMOUGIN@xxxxxxxxxxxxxxxxx>
Date: Wed, 25 Aug 2004 18:21:38 +0200
C. R. Oldham :

> Joe :
> > Let's say you can figure out how to do this...
> >
> > The replies coming from the machine on the internet will have
> > dst_addr=VIP.
> > The director will see the packets and since they aren't part
> > of an established
> > connection, they will be dropped.
> 
> 
> You can do this with policy-based routing in the 2.6 series of kernels.
> On my Debian realservers I have this in the /etc/networks/interfaces
> file:


Well, well, I have a much more failsafe setup, finally. I just had time one
hour ago to try it. The answer is: "Just use SNAT":

/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $VIP

It is pretty simple. The VIP does not have to be up on the system; the rule
stays there unemployed. In case of a director switch, even if vrrp adds the
VIP as a secondary (or alias) interface, the outgoing packets will have the
VIP as the source address.

Tested and approved (my VIP is a secondary interface now again on the
directors). I think you can use several SNAT rules if you want to mix several
natted virtual_servers, using a -s (IIRC) option (that part I didn't test).

Joe, you can update the doc for the one (most of us) who are using iptables.

François.

P.S.: No official 2.6 support for the hardware I use...
P.P.S.: Yes, I feel the "--to" option is confusing too.
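The SNAT approach above, and the untested idea of one rule per natted virtual_server selected with -s, as an added shell example that is not part of the original post. Interface name, VIPs and realserver subnets are constructed placeholders; the rule generator prints the iptables commands instead of applying them, and the check parses a constructed iptables-save dump so it runs without root.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the POSTROUTING SNAT
# rules that make realserver-originated packets leave a director with the VIP
# as source address, one rule per natted virtual_server chosen by -s.
# OUT_IF, the VIPs and the subnets below are assumed placeholder values.

OUT_IF="eth1"   # interface toward the internet (assumed)

# snat_rule IFACE VIP [SUBNET]
# Prints one iptables command. With SUBNET given, only packets from that
# realserver pool are rewritten, so several VIPs can share one director.
# --to-source is the long form of the --to option used in the post.
snat_rule() {
    iface=$1; vip=$2; subnet=$3
    if [ -n "$subnet" ]; then
        printf '/sbin/iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
            "$subnet" "$iface" "$vip"
    else
        printf '/sbin/iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' \
            "$iface" "$vip"
    fi
}

# snat_rules_for IFACE "VIP1:SUBNET1 VIP2:SUBNET2 ..."
# Emits one rule per virtual_server so each realserver pool gets its own VIP.
snat_rules_for() {
    iface=$1
    for pair in $2; do
        vip=${pair%%:*}; subnet=${pair#*:}
        snat_rule "$iface" "$vip" "$subnet"
    done
}

# vip_snat_present VIP DUMP
# Checks an iptables-save dump (passed as text) for a POSTROUTING SNAT rule
# ending in "--to-source VIP". Returns 0 if found, 1 otherwise; handy as a
# post-failover sanity check that the rule survived on the new director.
# Dots in VIP are regex wildcards here, which is acceptable for an exact IP.
vip_snat_present() {
    vip=$1
    printf '%s\n' "$2" | grep -q -- "-A POSTROUTING .*-j SNAT --to-source $vip\$"
}

# Constructed sample of what `iptables-save -t nat` might print on a director.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT --to-source 203.0.113.10
COMMIT'

# Constructed virtual_server list: VIP:realserver-subnet pairs.
VSERVERS='203.0.113.10:192.168.10.0/24 203.0.113.11:192.168.11.0/24'

# Demo: print the rules that would be installed for both virtual servers.
snat_rules_for "$OUT_IF" "$VSERVERS"
```

Pipe the printed commands into sh once you are satisfied with them; the check function can then be fed the real `iptables-save -t nat` output after a director switch to confirm the VIP rule is still in place.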


