Christian Bronk wrote:
> Hi,
Hello Christian
> the "normal" solution for your setup would be LVS-TUN, but I don't know
> if HP-UX supports that.
> Perhaps you could try to rewrite your source-ip on your lvs-box.
>
> iptables -t nat -A POSTROUTING -p tcp -d 10.10.3.32/32 --dport 80 -j SNAT --to-source 10.10.2.10
Thanks for the advice, but unfortunately it's not working.
Seems like the POSTROUTING rule is not being processed when the packet is being rerouted by ipvs.
iptables -t nat --list -n:
--->8--------------------------------------------------------------------------------
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
LOG        tcp  --  0.0.0.0/0            10.10.3.0/24        tcp dpt:80 LOG flags 0 level 4 prefix `SNAT: '
SNAT       tcp  --  0.0.0.0/0            10.10.3.0/24        tcp dpt:80 to:10.10.2.10

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
--->8--------------------------------------------------------------------------------
All I see with tcpdump is (on lvs1):
... IP 10.10.1.10.20188 > 10.10.2.10.80: S ...
... IP 10.10.1.10.20188 > 10.10.3.32.80: S ...
and on the firewall:
... IP 10.10.1.10.20188 > 10.10.1.1.80: S ...
... IP 10.10.1.10.20188 > 10.10.2.10.80: S ...
... IP 10.10.1.10.20188 > 10.10.3.32.80: S ...
(1) internet client (10.1.1.10) -> firewall (10.10.1.1)
(2) DNAT to the LVS cluster VIP (10.10.2.10)
(3) ipvs (LVS-NAT) rewrote the packet to redirect it to the realserver (10.10.3.32)
And nothing in lvs1's iptables log either (although I've put a LOG rule in there), so the redirected packets are not going through POSTROUTING.
cheers
--
-o) Pascal Bleser ATOS Worldline/Aachen(DE)
/\\ System Architect WLP Business Platform
_\_v "Really, I'm not out to destroy Microsoft. That will
just be a completely unintentional side effect."-L.Torvalds
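
The check made by eye on the tcpdump output above can be scripted. This is an added example, not part of the original message: it groups SYN lines by port pair, lists the destination rewrites, and reports whether the last hop left with the SNAT address as its source. The function names, timestamps and TCP details are constructed for illustration; only the addresses and ports come from the message.

```python
import re
from collections import OrderedDict

# Constructed captures: timestamps and TCP details are placeholders; the
# addresses and ports are the ones quoted in the message above.
OBSERVED_ON_LVS1 = """\
12:00:00.000100 IP 10.10.1.10.20188 > 10.10.2.10.80: S 1000:1000(0) win 5840
12:00:00.000180 IP 10.10.1.10.20188 > 10.10.3.32.80: S 1000:1000(0) win 5840
"""
# What the same capture would contain if the SNAT rule had matched.
EXPECTED_WITH_SNAT = """\
12:00:00.000100 IP 10.10.1.10.20188 > 10.10.2.10.80: S 1000:1000(0) win 5840
12:00:00.000180 IP 10.10.2.10.20188 > 10.10.3.32.80: S 1000:1000(0) win 5840
"""

# Matches the older tcpdump layout used in the message ("...: S ...").
SYN_LINE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): S\b")

def syn_hops(capture):
    """Group SYN lines by (source port, destination port). NAT rewrites the
    addresses, so the ports are the stable key (assumption: SNAT keeps the
    source port, which it does when that port is free)."""
    flows = OrderedDict()
    for line in capture.splitlines():
        m = SYN_LINE.search(line)
        if m:
            src, sport, dst, dport = m.groups()
            flows.setdefault((int(sport), int(dport)), []).append((src, dst))
    return flows

def nat_report(capture, snat_ip):
    """Per flow: the destination rewrites seen, and whether the last hop
    left with snat_ip as its source address."""
    report = {}
    for key, hops in syn_hops(capture).items():
        dsts = [dst for _, dst in hops]
        rewrites = [(a, b) for a, b in zip(dsts, dsts[1:]) if a != b]
        report[key] = {"dnat": rewrites,
                       "snat_applied": hops[-1][0] == snat_ip}
    return report

if __name__ == "__main__":
    for name, cap in (("observed", OBSERVED_ON_LVS1),
                      ("expected", EXPECTED_WITH_SNAT)):
        print(name, nat_report(cap, "10.10.2.10"))
```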