Re: Lvs and Trans-Proxy

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Lvs and Trans-Proxy
Cc: Horms <horms@xxxxxxxxxxxx>
From: Joseph Mack NA3T <jmack@xxxxxxxx>
Date: Thu, 23 Jun 2005 13:48:11 -0700 (PDT)
On Fri, 24 Jun 2005, Bikrant Neupane wrote:

what is the route on the director for packets to the RIP?

As I said earlier, Director, Real Server and Client are on the same subnet.

doesn't mean the routing is right though.

Does the cisco have icmp redirects turned off?

I guess it is turned off by default. I haven't touched it.

I would hope they're on.

Before you can mark the packets you need some way for the director to
accept packets to 0/0:80. The REDIRECT method doesn't work anymore. Have a
look at this untested method.

I think packets are accepted by the director, otherwise there would have been
no hit on the Mangle rule at all.

sounds good, but something is wrong...

http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.transparent_proxy.html#tp_redirect

I thought the TPROXY target was the solution. I downloaded the 2.6.10 kernel,
iptables source and tproxy patch and rebuilt the kernel and iptables.
I applied these rules:

iptables -t tproxy -A PREROUTING -j TPROXY -p tcp --dport 80 --on-port 80
and iptables -t tproxy -A PREROUTING -j TPROXY -p tcp  --on-port 80

I can see hits on these rules, but having or not having the tproxy rule is the same. I
could not see any difference at all in the way the director is working.
Maybe you can suggest more on using the TPROXY target if I am not using it
the right way!!

Horms any ideas?

# iptables -nL -t tproxy -v
Chain PREROUTING (policy ACCEPT 1331 packets, 133K bytes)
 pkts bytes target     prot opt in     out     source               destination
   33  1584 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [8 bytes of unknown target data]

Chain OUTPUT (policy ACCEPT 3 packets, 216 bytes)
 pkts bytes target     prot opt in     out     source               destination

Julian's way of handling this (see his comment on 7 Jul 2002) is at


http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.routing_to_VIP-less_director.html#routing_and_delivery

You should be able to run his two line command. It's black magic to me.

My topology is quite simple. If the director modifies only the dst-mac in
LVS-DR mode then it should have worked without trouble, since all the hosts
are on the same broadcast n/w.

you have to get the packets accepted by the director. I don't know how
it's working in your setup.

Anyway, I will be trying it again with RedHat 6.2 with a 2.2.x kernel. Can I
keep my above topology for a 2.2.x kernel?

yes. If you only change the director to 2.2 you can keep the solution for the arp problem that you already have for the director.

thanks to everybody :)

thanks for your persistence.

Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml Homepage http://www.austintek.com/ It's GNU/Linux!

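The thread turns on whether the TPROXY rule is actually being hit, which is read off the pkts column of `iptables -nL -t tproxy -v`. The script below is an added example (not from the thread or the LVS project) that parses two such listings and reports how many packets matched the rule between them; the two listings are constructed sample text, and the function names are my own.

```shell
#!/bin/sh
# Added example: extract the packet counter of a rule from `iptables -v`
# listing output and diff two snapshots. The listings are constructed
# sample text modelled on the thread's output, not captured from a director.

SNAP_BEFORE='Chain PREROUTING (policy ACCEPT 1331 packets, 133K bytes)
 pkts bytes target     prot opt in     out     source               destination
   33  1584 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [8 bytes of unknown target data]

Chain OUTPUT (policy ACCEPT 3 packets, 216 bytes)
 pkts bytes target     prot opt in     out     source               destination'

SNAP_AFTER='Chain PREROUTING (policy ACCEPT 1402 packets, 141K bytes)
 pkts bytes target     prot opt in     out     source               destination
   47  2256 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [8 bytes of unknown target data]

Chain OUTPUT (policy ACCEPT 3 packets, 216 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# target_pkts CHAIN TARGET : read a listing on stdin and sum the pkts column
# of every rule in CHAIN whose target is TARGET (0 if there is none).
# Large counters print abbreviated (e.g. 133K) unless iptables is run with
# -x, so only plain integers are counted here. Live use on a director:
#   iptables -x -nL -t tproxy -v | target_pkts PREROUTING TPROXY
target_pkts() {
    awk -v chain="$1" -v target="$2" '
        /^Chain /                                  { inchain = ($2 == chain); next }
        inchain && $3 == target && $1 ~ /^[0-9]+$/ { sum += $1 }
        END                                        { print sum + 0 }'
}

# rule_hit_delta CHAIN TARGET BEFORE AFTER : packets matched by the rule
# between the two snapshots. 0 means the rule was never reached, i.e. the
# director is not accepting the packets at all.
rule_hit_delta() {
    before=$(printf '%s\n' "$3" | target_pkts "$1" "$2")
    after=$(printf '%s\n' "$4" | target_pkts "$1" "$2")
    echo $((after - before))
}

delta=$(rule_hit_delta PREROUTING TPROXY "$SNAP_BEFORE" "$SNAP_AFTER")
if [ "$delta" -gt 0 ]; then
    echo "TPROXY rule matched $delta packets during the test window"
else
    echo "TPROXY rule matched nothing: the director is not accepting the packets"
fi
```

Take the first snapshot, send the test traffic, take the second; a zero delta means the problem is upstream of the tproxy table, which is the "you have to get the packets accepted by the director" point above.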