On 11/1/05, Horms <horms@xxxxxxxxxxxx> wrote:
>
> On Tue, Nov 01, 2005 at 07:57:57AM -0600, Brad Hudson wrote:
> > -----Original Message-----
> > From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
> > [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Horms
> > Sent: Monday, October 31, 2005 9:27 PM
> > To: LinuxVirtualServer.org users mailing list.
> > Subject: Re: I need for setting up one to many ports
> >
> > On Mon, Oct 31, 2005 at 03:54:53PM -0600, Brad Hudson wrote:
> > > I have a situation where I need to have a single $vip:$port be masked to
> > > many ports on a backend server. Can someone help with this? Here is what I
> > > thought would work, but didn't:
> > > # $port = "XXXX";
> > > # iptables -A PREROUTING -t mangle -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport $port -j MASK --set-mask 1
> > > # ipvsadm -A -f 1 -s nq -p 600
> > > # ipvsadm -a -f 1 -r $backend_host -g -w 1
>
> [snip]
>
> > $cip = client ip
> > $vip = virtual ip
> > $vport = virtual port
> > $node = real server
> > * = any port
> >
> > Steps:
> > 1. $cip -> $vip:$vport -> $node:* (client connects to the virtual ip and
> > port and is routed to the real-server with persistence via whatever method
> > the client used to connect <ssh, http, telnet, etc.>)
> >
> > 2. $node:* -> $vip:$vport -> $cip (real-server then accepts the connection
> > <ssh, telnet, http, etc.> and does what it should then responds back through
> > the virtual ip and port back to the client)
> >
> > Does this help?
>
> Yes, the setup you have above should do just that, though you might
> want to tighten up the iptables rule slightly,
>
> iptables -A PREROUTING -t mangle -p tcp -d $vip -j MARK --set-mark 1
This does not work, even with correct syntax (<MARK --set-mark>, my fault
above). I must use the --dport option as I only have a single $vip and there
are other $vports configured (http, and a few private ports).
The following works for the web interface, but does not pass through the
dynamic ports (ActiveX application) when a user clicks on a launch button:
iptables -A PREROUTING -t mangle -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --sport $vport -j TOS --set-tos maximize-reliability
iptables -A PREROUTING -t mangle -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport $vport -j TOS --set-tos maximize-reliability
ipvsadm -A -t $vip:$vport -s nq -p 600
ipvsadm -a -t $vip:$vport -r $realserver:80 -m -w 1
Can anybody help with this one? Any experience getting ActiveX apps to pass
through IPVS and iptables?
> First, drop the -s 0.0.0.0/0, it's the default anyway
> Next, make -d the $vip, else spurious things might happen
> Last, I'm pretty sure you don't want --dport, if you want any port to
> work.
>
> You probably also need the $vip on a local interface on the
> linux-director. And you need to configure the real-servers as
> per a normal LVS-DR setup (you specify -g, if you want LVS-NAT, use -m)
>
> If you have not done so already, I would suggest setting this up for a
> simple, IP based virtual service before using fwmarks. Just get a feel
> for how things work.
>
> ipvsadm -A -t $vip:$vport -s nq -p 600
> ipvsadm -a -t $vip:$vport -r $backend_host:$vport -g -w 1
>
>
>
> --
> Horms
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
>
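The setup Horms describes, written out as one script: the plain $vip:$vport service he suggests trying first, then the fwmark service with his three tightenings (no -s 0.0.0.0/0, -d $vip only, no --dport) and persistence so that a client's later dynamic-port connections land on the same real server. This is an example added here, not code from the thread or from the LVS project. The addresses, ports and the APPLY/EXCLUDE_PORTS switches are my placeholders; the multiport negation that keeps the ports with their own -t services (the http and private ports Brad mentions) out of the catch-all fwmark rule is my addition and is not something Horms proposed.

```shell
#!/bin/sh
# Added example (not from the thread): generate, and optionally apply, the
# fwmark-based "any port on $vip -> one real server" LVS configuration.
# Commands are printed; they run only when APPLY=1 (needs root, iptables,
# ipvsadm and the ip_vs module). All addresses and ports are placeholders.
VIP="${VIP:-192.0.2.10}"                 # assumed virtual IP (documentation range)
RS="${RS:-10.0.0.21}"                    # assumed real server, LVS-DR (-g)
VPORT="${VPORT:-8080}"                   # assumed port of the web-interface service
EXCLUDE_PORTS="${EXCLUDE_PORTS:-$VPORT}" # assumed: ports that keep their own -t service
MARK="${MARK:-1}"                        # fwmark value, as in the thread
PERSIST="${PERSIST:-600}"                # persistence timeout in seconds, as in the thread
APPLY="${APPLY:-0}"                      # 0 = print only, 1 = execute

run() {
    # Echo every command so the generated configuration can be reviewed
    # before it touches the kernel; execute it only in apply mode.
    echo "$*"
    if [ "$APPLY" = "1" ]; then "$@"; fi
}

simple_service() {
    # Step 1 from Horms' reply: an ordinary IP:port virtual service with
    # persistence, to confirm the director and real server work at all.
    run ipvsadm -A -t "$VIP:$VPORT" -s nq -p "$PERSIST"
    run ipvsadm -a -t "$VIP:$VPORT" -r "$RS:$VPORT" -g -w 1
}

fwmark_service() {
    # Step 2: mark TCP traffic to the VIP regardless of destination port
    # (no -s 0.0.0.0/0, no --dport). IPVS looks up fwmark services before
    # IP:port services, so ports that have their own -t service are excluded
    # from the mark (multiport negation is my addition, not from the thread).
    if [ -n "$EXCLUDE_PORTS" ]; then
        run iptables -t mangle -A PREROUTING -p tcp -d "$VIP" \
            -m multiport ! --dports "$EXCLUDE_PORTS" -j MARK --set-mark "$MARK"
    else
        run iptables -t mangle -A PREROUTING -p tcp -d "$VIP" -j MARK --set-mark "$MARK"
    fi
    # Persistence on the fwmark service is what keeps a client's web session
    # and the dynamic ports it opens afterwards on the same real server.
    run ipvsadm -A -f "$MARK" -s nq -p "$PERSIST"
    run ipvsadm -a -f "$MARK" -r "$RS" -g -w 1
}

show_state() {
    # Verification; only meaningful in apply mode.
    run iptables -t mangle -L PREROUTING -n -v
    run ipvsadm -L -n
}

simple_service
fwmark_service
show_state
```

Run it once with APPLY=0 to read the generated rules, then APPLY=1 as root. The real server still needs the usual LVS-DR preparation (the VIP on a non-ARPing interface), which is outside this script.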