
Re: Unable to forward packets

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Unable to forward packets
From: "Bill Omer" <bill.omer@xxxxxxxxx>
Date: Wed, 1 Mar 2006 13:16:42 -0800
On 2/26/06, Joseph Mack NA3T <jmack@xxxxxxxx> wrote:
> On Sun, 26 Feb 2006, Bill Omer wrote:
>
> >> It may be working, but this isn't the way to setup LVS-DR
> >
> > Is there a problem with this approach?
>
> well I don't know how it's working, and it's not the normal
> way, so when you ask a question on the mailing list you're
> going to have to explain the whole thing each time. Since I
> don't understand how it's working, I won't be able to reply.
>
> In general simple is better, and you normally don't need
> iptables rules to set up LVS-DR (Ockham said something like
> "plurality should not be posited in place of parsimony" - or
> he would have if he'd spoken modern English).
>
> It's possible you've figured out something that people
> haven't realised and that is always good. You never know
> when someone could find something else useful to do with it.
> Can you draw/list the packet flow as they go from client
> back to client through the machines and your rules? If it's
> already known, then you can come up and say "I'm using the X
> setup". If it's not known, then I'll put it in the HOWTO and
> it will be known as the Omer setup.
>
> Joe

Well, to be honest, I'm not 100% sure *how* this is working either.
The -j REDIRECT confuses me, but basically it's going to masq the
connection if its dest is (or was) the VIP.

I found something very similar somewhere in the docs but using
ipchains. If I remember right, I also saw a non-working iptables
option as well. I was able to change the rule around a little bit to
get it to work for my setup. If you notice in my setup I'm using port
0 in LVS, and ports 0-65535 in my iptables config. This lets me
access every service on my RIPs, which is what I need for the initial
rollout because a lot of services will be remote X sessions.

However, this is turning out to be by far the simplest and fastest
method of getting a RIP to answer requests to/from the VIP. I'm now
able to deploy a new RIP in seconds, without binding a new IP, no
iproute2 (so nothing is hidden), etc.

-Bill
