> On Fri, 24 Jun 2005, Bikrant Neupane wrote:
>
> > I think packets are accepted by the director, otherwise there would have been
> > no hit to the mangle rule at all.
> > It is just that the director is not forwarding packets to the real server
> > when ip_forward = 0.
> > It does forward when ip_forward = 1, but also modifies the destination IP.
>
> Don't know if this is relevant to your configuration, but with LVS-DR, squid
> realservers, standard 2.4 kernel on directors, I've had to use the following
> commands to make packets marked by fwmark 1 in the mangle table (transparent
> HTTP proxy connections) visible to LVS, as mentioned somewhere in the howto.
>
> ip rule add prio 100 fwmark 1 table 100
> ip route add local 0/0 dev lo table 100
Thank you so much. This indeed worked for me. Now I can see Squid
transparent proxy working the way I wanted.
I think the TPROXY patch to the kernel and iptables is not required at all.
This will be a good gift for my gf who is doing a college project on LVS :D
This is all I did:
                    <cisco router>
                    202.79.xx.230
                          |
      |-------------------+-------------------|
      |                   |                   |
eth0: 202.79.xx.240   fxp0: 202.79.xx.241    202.79.xx.235
   <Director>          <real server>           <client>
   (gw: cisco)          (gw: cisco)           (gw: cisco)
>>>>
Director:
Gentoo Linux with 2.6.10 Kernel
ipvsadm -A -f 1 -s sh
ipvsadm -a -f 1 -r 202.79.xx.241:80
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
//magic commands for me
ip rule add prio 100 fwmark 1 table 100
ip route add local 0/0 dev lo table 100
echo 0 > /proc/sys/net/ipv4/ip_forward
>>>>
IP configuration:
Director:
eth0: 202.79.xx.240 netmask 255.255.255.0
default gw: 202.79.xx.230
Real Server:
eth0: 202.79.xx.241 netmask 255.255.255.0
default gw: 202.79.xx.230
Cisco Router:
interface Ethernet0/0
 ip address 202.79.xx.230 255.255.255.0
 ip policy route-map proxy-redirect
access-list 110 deny tcp host 202.79.xx.241 any eq 80
access-list 110 permit tcp 202.79.xx.0 0.0.0.255 any eq 80
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop 202.79.xx.240
# ipvsadm -lnc
IPVS connection entries
pro expire state       source             virtual            destination
TCP 01:59  FIN_WAIT    202.79.xx.235:3512 64.236.16.246:80   202.79.xx.241:80
TCP 01:39  FIN_WAIT    202.79.xx.235:3508 66.163.171.129:80  202.79.xx.241:80
TCP 14:59  ESTABLISHED 202.79.xx.235:3514 205.188.165.249:80 202.79.xx.241:80
TCP 14:58  ESTABLISHED 202.79.xx.235:3515 205.188.165.249:80 202.79.xx.241:80
TCP 14:55  ESTABLISHED 202.79.xx.235:3511 64.236.24.4:80     202.79.xx.241:80
TCP 14:19  ESTABLISHED 202.79.xx.235:3503 64.41.192.102:80   202.79.xx.241:80
TCP 14:41  ESTABLISHED 202.79.xx.235:3509 66.163.171.129:80  202.79.xx.241:80
TCP 14:59  ESTABLISHED 202.79.xx.235:3513 64.236.16.246:80   202.79.xx.241:80
Bikrant
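The director setup above, as an added example (not code from the post or from the LVS project): the same ipvsadm, iptables and ip commands wrapped in a script that prints them by default and runs them with DRY_RUN=0, plus checks a practitioner would want before trusting the setup. The security-relevant point is the pair of "magic" commands: without a VIP, a packet for 64.236.16.246:80 arriving at the director would normally be forwarded or dropped; the fwmark rule sends it to table 100, whose "local 0/0" route delivers it to the local stack, where IPVS matches it on the fwmark and hands it to the real server by direct routing, with ip_forward left at 0. The router's ACL matters for the same reason: the deny entry for 202.79.xx.241 keeps Squid's own outbound port-80 fetches from being policy-routed back into the director in a loop. Assumptions in this script: the addresses default to the ones in the post (the "xx" octet is a placeholder that must be replaced), the mangle rule is additionally limited to the client subnet CLIENTS, `sysctl -w` is used in place of the echo into /proc, and the sample `ip rule`, `ip route` and `ipvsadm -lnc` outputs are constructed to mirror the post rather than captured from a live system.

```shell
#!/bin/sh
# Added example, not code from the original post or from the LVS project:
# the director-side setup from the post as a script, plus checks that the
# policy-routing pieces are in place and a summary of `ipvsadm -lnc` output.
# Defaults are the addresses in the post; the "xx" octet is a placeholder
# that must be replaced before running this on a real director.
MARK="${MARK:-1}"                     # fwmark set by the mangle rule, matched by ipvsadm -f
TABLE="${TABLE:-100}"                 # routing table holding the "local 0/0" route
PRIO="${PRIO:-100}"                   # priority of the ip rule that selects $TABLE
RS="${RS:-202.79.xx.241}"             # real server (squid), reached by direct routing
CLIENTS="${CLIENTS:-202.79.xx.0/24}"  # assumption: only mark traffic from the client LAN
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands, 0 = run them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

director_setup() {
    # Virtual service keyed on the fwmark rather than a VIP: the destination
    # address of each packet is whatever origin server the client asked for.
    run ipvsadm -A -f "$MARK" -s sh
    # Real server in gatewaying (direct routing) mode; -g is the default.
    run ipvsadm -a -f "$MARK" -r "$RS:80" -g
    # Mark intercepted HTTP. Limiting the match to $CLIENTS is an addition to the
    # post's rule, so port-80 traffic from elsewhere is not bounced through LVS.
    run iptables -t mangle -A PREROUTING -s "$CLIENTS" -p tcp --dport 80 -j MARK --set-mark "$MARK"
    # The two "magic" lines: deliver marked packets to the local stack even though
    # their destination address is not ours, which is what lets IPVS see them.
    run ip rule add prio "$PRIO" fwmark "$MARK" table "$TABLE"
    run ip route add local 0/0 dev lo table "$TABLE"
    # Forwarding stays off (same effect as echo 0 > /proc/sys/net/ipv4/ip_forward);
    # IPVS, not the forwarding path, hands the packet to the real server.
    run sysctl -w net.ipv4.ip_forward=0
}

# check_policy_routing RULES ROUTES
#   RULES  = output of `ip rule show`
#   ROUTES = output of `ip route show table $TABLE`
# Returns 0 only if both the fwmark rule and the local catch-all route are present.
check_policy_routing() {
    hexmark=$(printf '0x%x' "$MARK")
    printf '%s\n' "$1" | grep -Eq "^$PRIO:[[:space:]]+from all fwmark ($hexmark|$MARK) lookup $TABLE" || return 1
    printf '%s\n' "$2" | grep -Eq "^local default dev lo" || return 1
    return 0
}

# check_forwarding_off [FILE]: 0 when ip_forward (or the given file) reads 0.
check_forwarding_off() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 0 ]
}

# summarize_ipvs_conns TEXT: count `ipvsadm -lnc` entries per destination and state.
summarize_ipvs_conns() {
    printf '%s\n' "$1" | awk '
        $1 == "TCP" || $1 == "UDP" { n[$6 " " $3]++ }
        END { for (k in n) print k, n[k] }' | sort
}

# Constructed sample output (not captured from a live system; mirrors the post).
SAMPLE_RULES="0:      from all lookup local
100:    from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default"
SAMPLE_ROUTES="local default dev lo scope host"
SAMPLE_CONNS="IPVS connection entries
pro expire state       source             virtual            destination
TCP 01:59  FIN_WAIT    202.79.xx.235:3512 64.236.16.246:80   202.79.xx.241:80
TCP 01:39  FIN_WAIT    202.79.xx.235:3508 66.163.171.129:80  202.79.xx.241:80
TCP 14:59  ESTABLISHED 202.79.xx.235:3514 205.188.165.249:80 202.79.xx.241:80
TCP 14:55  ESTABLISHED 202.79.xx.235:3511 64.236.24.4:80     202.79.xx.241:80"

director_setup
check_policy_routing "$SAMPLE_RULES" "$SAMPLE_ROUTES" && echo "policy routing: ok"
summarize_ipvs_conns "$SAMPLE_CONNS"
```

On a live director, run `check_policy_routing "$(ip rule show)" "$(ip route show table 100)"` and `check_forwarding_off` after `DRY_RUN=0 ./director.sh`; if the rule or route is missing, marked packets for non-local destinations never reach IPVS and the mangle counters climb while `ipvsadm -lnc` stays empty, which is the symptom described at the top of the thread.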
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users