Re: vrrp and fw

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: vrrp and fw
Cc: Alexandre Cassen <Alexandre.Cassen@xxxxxxxxxx>
From: Mack.Joseph@xxxxxxxxxxxxxxx
Date: Thu, 02 Jun 2005 09:21:14 -0400
Joseph Mack PhD, High Performance Computing & Scientific Visualisation
LMIT, Supporting the EPA Research Triangle Park, NC 919-541-0007 Federal
Infrastructure Contact-Ravi Nair 919-541-5467 - nair.ravi@xxxxxxx,
Federal Visualization  Contact - Joe Retzer, Ph.D. 919-541-4190 -
retzer.joseph@xxxxxxx

lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx wrote on 06/02/2005 05:50:16
AM:

> Hi,
>
>      I have a Netfilter fw (2.6.11) with 4 networks
> attached: 3 public
> networks and 1 NAT-ed one.
>
> I would like to setup a webfarm with lvs-nat and keepalived
> Only the TCP/80 port will be NAT-ed; all the other
> ports/services will not
> be NAT-ed and thus not be accessible.
>
> I was wondering what the incompatibility between
> netfilter and lvs is?

it's a long story. I assume you've read the HOWTO

> Do I really need the antefacto patch ?

not any more. I take it that this is not clear from
the HOWTO.

> What is the antefacto patch for? (what does not work without it)

LVS changes the path of packets through the netfilter diagram
and conntrack doesn't know about the LVS controlled packets.

The return packets for LVS-DR and LVS-Tun don't go through
the director, so to keep conntrack happy, the LVS code has
to fake their return.

> I have another question:
> I would like to set up redundancy via vrrp (from keepalived)
> What rules do I have to add to my ruleset?

er none (on what machine?).

> What does vrrp need to pass through the network and on which
> interface?

None, but I hadn't thought about this. We need Alexandre -
he hangs out on the keepalived mailing list - I don't
know how much he follows the LVS mailing list.

Hey Alexandre,

      What's this all about? Do you use the port "vrrp"?
How much communication is vrrpd doing with machines other
than the directors? Enquiring minds want to know.

Joe

> I found these rules on the internet:
>
> run_iptables -A INPUT -s <ip of the fw:eth0> -i eth0 -p
> vrrp -j ACCEPT
> run_iptables -A OUTPUT -d <ip of the fw:eth0> -o eth0 -p
> vrrp -j ACCEPT
> run_iptables -D INPUT -s <ip of the fw:eth0> -i eth0 -p
> vrrp -j ACCEPT
> run_iptables -D OUTPUT -d <ip of the fw:eth0> -o eth0 -p
> vrrp -j ACCEPT
>
> is it enough? (all traffic is prohibited by default on this fw)
> eth0 is the interface which is specified in the
> vrrp_instance section of
> the keepalived.conf file.
>
> does vrrp work on VLAN on bonding ?
>
> thanks for your help
>
> --
> Maxime Kurkdjian - Consultant
> 13, rue Greneta 75003 Paris
> tel: 01 44 78 63 66 - fax: 01 44 78 63 65
> http://www.oxalide.com
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-
> users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
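As an added example, not from this thread, the HOWTO or keepalived itself: a small POSIX shell helper that emits the minimal rules a default-deny firewall like the one quoted above needs for keepalived's VRRP advertisements. It assumes the peer director's address and the firewall's own address are supplied by the caller (the 192.0.2.x addresses below are placeholders), and relies on VRRP being IP protocol 112 sent to the multicast group 224.0.0.18 (RFC 3768), so the INPUT rule matches traffic from the peer rather than from the firewall's own address and the protocol is matched by number, which works whether or not /etc/protocols knows the name "vrrp".

```shell
# Resolve the protocol name the way iptables does, via /etc/protocols;
# fall back to the IANA number for VRRP (112) when the file lacks the entry.
vrrp_proto() {
    n=$(awk '$1 == "vrrp" { print $2; exit }' /etc/protocols 2>/dev/null)
    echo "${n:-112}"
}

# Print the two rules a default-deny director needs so keepalived's VRRP
# advertisements get in and out. Arguments: interface, peer address, own address.
# Only the peer's address on the VRRP interface is accepted, and only towards
# the VRRP multicast group, so nothing else can slip through this hole.
vrrp_rules() {
    iface=$1; peer=$2; self=$3; proto=$(vrrp_proto)
    # Advertisements we receive come from the peer, addressed to 224.0.0.18.
    printf 'iptables -A INPUT -i %s -s %s -d 224.0.0.18 -p %s -j ACCEPT\n' \
        "$iface" "$peer" "$proto"
    # Advertisements we send leave from our own address on the same interface.
    printf 'iptables -A OUTPUT -o %s -s %s -d 224.0.0.18 -p %s -j ACCEPT\n' \
        "$iface" "$self" "$proto"
}

# Usage with placeholder documentation addresses (RFC 5737), not real hosts:
vrrp_rules eth0 192.0.2.2 192.0.2.1
```

Pipe the output into sh on the director, or paste the two lines into the firewall script in place of the quoted run_iptables lines.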

