Re: I need for setting up one to many ports

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: I need for setting up one to many ports
From: Horms <horms@xxxxxxxxxxxx>
Date: Wed, 2 Nov 2005 10:49:36 +0900
On Tue, Nov 01, 2005 at 07:57:57AM -0600, Brad Hudson wrote:
> -----Original Message-----
> From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Horms
> Sent: Monday, October 31, 2005 9:27 PM
> To: LinuxVirtualServer.org users mailing list.
> Subject: Re: I need for setting up one to many ports
> 
> On Mon, Oct 31, 2005 at 03:54:53PM -0600, Brad Hudson wrote:
> > I have a situation where I need to have a single $vip:$port be masked to
> > many ports on a backend server. Can someone help with this? Here is what I
> > thought would work, but didn't:
> > # $port = "XXXX";
> > # iptables -A PREROUTING -t mangle -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport $port -j MASK --set-mask 1
> > # ipvsadm -A -f 1 -s nq -p 600
> > # ipvsadm -a -f 1 -r $backend_host -g -w 1

[snip]

> $cip = client ip
> $vip = virtual ip
> $vport = virtual port
> $node = real server
> * = any port
> 
> Steps:
> 1.  $cip -> $vip:$vport -> $node:* (client connects to the virtual ip and
> port and is routed to the real-server with persistence via whatever method
> the client used to connect <ssh, http, telnet, etc.>)
> 
> 2.  $node:* -> $vip:$vport -> $cip (real-server then accepts the connection
> <ssh, telnet, http, etc.> and does what it should then responds back through
> the virtual ip and port back to the client)
> 
> Does this help?

Yes, the setup you have above should do just that, though you might
want to tighten up the iptables rule slightly,

iptables -A PREROUTING -t mangle -p tcp -d $vip -j MARK --set-mark 1

First, drop the -s 0.0.0.0/0, it's the default anyway.
Next, make -d the $vip, else spurious things might happen.
Last, I'm pretty sure you don't want --dport, if you want any port to work.

You probably also need the $vip on a local interface on the
linux-director. And you need to configure the real-servers as
per a normal LVS-DR setup (you specify -g; if you want LVS-NAT, use -m).

If you have not done so already, I would suggest setting this up for a
simple, IP based virtual service before using fwmarks. Just get a feel
for how things work.

ipvsadm -A -t $vip:$vport -s nq -p 600
ipvsadm -a -t $vip:$vport -r $backend_host:$vport -g -w 1



-- 
Horms

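The setup described in this reply (the fwmark rule, the fwmark-based persistent service, and the simpler per-port service Horms suggests trying first), written up as an added example that is not part of the thread. The addresses 192.0.2.10 and 192.0.2.21, the device name eth0, the DRY_RUN switch, the real-server ARP settings and the function names are my assumptions, not anything the thread states. One point worth keeping in mind: because the mangle rule matches every TCP port on the VIP, the director forwards every port to the real server, so the real server's own packet filter is what bounds the exposure.

```shell
#!/bin/sh
# Added example, not code from the thread: a one-VIP-to-any-port LVS-DR
# service driven by fwmark 1 with 600 s client persistence, plus the plain
# per-port service to try first. Addresses, device and names are assumed.
VIP="${VIP:-192.0.2.10}"        # virtual IP (assumed, TEST-NET-1)
VPORT="${VPORT:-22}"            # port for the simple per-port service (assumed)
NODE="${NODE:-192.0.2.21}"      # real server (assumed)
DEV="${DEV:-eth0}"              # director interface holding the VIP (assumed)
FWMARK="${FWMARK:-1}"           # fwmark from the thread
PERSIST="${PERSIST:-600}"       # persistence timeout from the thread
DRY_RUN="${DRY_RUN:-0}"         # 1 = print the commands instead of running them

# Run a command, or echo it in DRY_RUN mode so the script can be read and
# checked on a host without root, iptables or ipvsadm.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 0: a simple IP-based virtual service on one port, to get a feel for LVS.
setup_ip_service() {
    run ipvsadm -A -t "$VIP:$VPORT" -s nq -p "$PERSIST"
    run ipvsadm -a -t "$VIP:$VPORT" -r "$NODE:$VPORT" -g -w 1
}

# Step 1: mark every TCP packet addressed to the VIP, whatever its port.
# The target is MARK/--set-mark; no -s 0.0.0.0/0 (the default) and no
# --dport (it would pin the rule to a single port, which is the opposite
# of what is wanted).
mark_vip_traffic() {
    run iptables -t mangle -A PREROUTING -p tcp -d "$VIP" -j MARK --set-mark "$FWMARK"
}

# Step 2: the fwmark-based virtual service with client persistence. With -g
# (direct routing) the packet is forwarded unchanged, so the real server
# sees it on the port the client used.
setup_fwmark_service() {
    run ipvsadm -A -f "$FWMARK" -s nq -p "$PERSIST"
    run ipvsadm -a -f "$FWMARK" -r "$NODE" -g -w 1
}

# Director side: the VIP has to be configured locally, or the marked packets
# are never accepted for IPVS processing.
add_vip_to_director() {
    run ip addr add "$VIP/32" dev "$DEV"
}

# Real-server side for LVS-DR: hold the VIP on lo and refuse to ARP for it,
# so only the director answers ARP for the VIP. This is the usual LVS-DR
# practice and is my assumption here, not something the thread spells out.
realserver_dr_setup() {
    run ip addr add "$VIP/32" dev lo
    run sysctl -w net.ipv4.conf.all.arp_ignore=1
    run sysctl -w net.ipv4.conf.all.arp_announce=2
}

# Check: read `ipvsadm -L -n` output from stdin and succeed only if the
# fwmark service exists with the expected persistence timeout.
verify_fwmark_service() {
    grep -qE "^FWM[[:space:]]+${FWMARK}[[:space:]].*persistent[[:space:]]+${PERSIST}([[:space:]]|$)"
}

if [ "${1:-}" = "director" ]; then
    add_vip_to_director
    mark_vip_traffic
    setup_fwmark_service
    ipvsadm -L -n | verify_fwmark_service && echo "fwmark $FWMARK service is up"
elif [ "${1:-}" = "realserver" ]; then
    realserver_dr_setup
fi
```

`DRY_RUN=1 sh lvs-fwmark.sh director` prints the commands without touching the box; run it as root without DRY_RUN on the linux-director, and `sh lvs-fwmark.sh realserver` on each real server. The verify step matches the `FWM  1 nq persistent 600` line that `ipvsadm -L -n` prints for a persistent fwmark service, so a missing persistence timeout or a leftover TCP-only service is reported as a failure rather than silently accepted.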