Re: Issues with braindead network topology and LVS-NAT

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Issues with braindead network topology and LVS-NAT
From: Pascal Bleser <pascal.bleser@xxxxxxxxxxxxxx>
Date: Tue, 18 Oct 2005 10:55:01 +0200
Joseph Mack NA3T wrote:
> On Tue, 4 Oct 2005, Pascal Bleser wrote:
>> Now I use a simple TCP forwarder, rinetd.
> hadn't heard of this. Had a look on Boutell's page. For the HOWTO, how
> is this better than some iptables rules?

Hi Joe, sorry for the very late reply.

Well, the problem is that in my scenario, I have to rewrite the source _and_ the destination IP address. Hence, TCP forwarding.
Obviously, I'm going to miss the real client IP in the access logs on the realservers but well... not really a chance to circumvent that.
If the customer wants the original client IP in the logs or in the application, then they'll have to change their network topology to something more... well... common sense ;)

I do have some experience with iptables and have set up some custom firewall scripts with it, but I'm not aware of how I could actually rewrite both the source (SNAT) and destination (DNAT) addresses.

I could try, though, but the only way I can see as of now is to have both an SNAT and a DNAT rule, the first in POSTROUTING, the latter in PREROUTING or OUTPUT.
I'll have to fiddle around with it but don't really have much more time to spend on that... and the docs are already written with rinetd ;)

Someone has a hint, maybe?

Of course, having netfilter doing the redirection should perform much better than rinetd, but performance is not _that_ critical in this case, rinetd should be sufficient.
And reconfiguring the DNAT netfilter rule from the Mon alert script isn't much harder than rewriting /etc/rinetd.conf and SIGHUP'ing rinetd.

cheers
-- 
  -o) Pascal Bleser               ATOS Worldline/Aachen(DE)
  /\\   System Architect              WLP Business Platform
 _\_v "Really, I'm not out to destroy Microsoft.  That will
just be a completely unintentional side effect."-L.Torvalds
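The SNAT-plus-DNAT rule pair Pascal describes, written out as an added example (this is not code from his mail, from the rinetd author or from the LVS project). The addresses 192.0.2.10 (VIP, where clients connect), 10.0.0.1 (DIP, the director's address on the realserver side) and the 10.0.0.x realservers are placeholders, and the function names are made up for this illustration. DNAT goes in PREROUTING because the packets arrive from outside (OUTPUT only sees locally generated traffic); the SNAT rule in POSTROUTING matches on the realserver address because by then the destination has already been rewritten. SNAT to DIP is what makes the replies come back through the director even when the realserver's default route does not point at it, which is also why the realserver logs will show DIP instead of the client. The script needs root, a kernel with nf_conntrack/ip_forward, and the generated rinetd.conf line follows rinetd's documented "bindaddress bindport connectaddress connectport" format.

```shell
#!/bin/sh
# Added example: double NAT (DNAT + SNAT) on an LVS-NAT style director,
# plus the rinetd.conf equivalent. Addresses below are placeholders.
#   VIP  - address clients connect to (director's outside interface)
#   DIP  - director's address towards the realservers; becomes the
#          source the realserver sees, so its access logs show DIP
#   RIP  - the realserver currently receiving the traffic ($1 below)
VIP="${VIP:-192.0.2.10}"
DIP="${DIP:-10.0.0.1}"
PORT="${PORT:-80}"
IPTABLES="${IPTABLES:-iptables}"

# Print the two netfilter rules for realserver $1.
# $2 is the iptables operation: -A (add, default) or -D (delete).
# PREROUTING DNAT runs before the routing decision, so the packet is then
# routed towards RIP; POSTROUTING SNAT matches the already rewritten
# destination and replaces the client source with DIP.
nat_rules() {
    rip="$1"; op="${2:--A}"
    printf '%s -t nat %s PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$IPTABLES" "$op" "$VIP" "$PORT" "$rip" "$PORT"
    printf '%s -t nat %s POSTROUTING -p tcp -d %s --dport %s -j SNAT --to-source %s\n' \
        "$IPTABLES" "$op" "$rip" "$PORT" "$DIP"
}

# Install the rules for the initial realserver and enable forwarding.
# Without ip_forward=1 the DNATed packets are dropped after PREROUTING.
nat_up() {
    nat_rules "$1" -A | sh
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# What a Mon alert script would call to move the service from $1 to $2:
# delete the old pair, add the new one. Connections already tracked by
# conntrack keep their old mapping until they time out; only new
# connections go to $2 (flush them with conntrack -D if that matters).
nat_switch() {
    nat_rules "$1" -D | sh
    nat_rules "$2" -A | sh
}

# The rinetd equivalent of nat_rules: one /etc/rinetd.conf line
# "bindaddress bindport connectaddress connectport"; after rewriting
# the file, send SIGHUP to rinetd so it re-reads the configuration.
rinetd_line() {
    printf '%s %s %s %s\n' "$VIP" "$PORT" "$1" "$PORT"
}
```

After `nat_up 10.0.0.5`, check the live counters with `iptables -t nat -nvL` and confirm from a client that the realserver answers; the realserver's access log will show 10.0.0.1 as the peer, exactly the trade-off the mail accepts. To see the rules without touching the kernel, run `IPTABLES="echo iptables" sh -c '. ./double-nat.sh; nat_rules 10.0.0.5'`.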
