On Fri, 2006-05-19 at 04:47 -0700, Joseph Mack NA3T wrote:
> On Thu, 18 May 2006, John Oliver wrote:
>
> > I'm looking to implement an LVS solution into an existing network with
> > zero downtime.
>
> hmm, I see.
>
> > Yes, it's messy. But I need to do something like this because there's a
> > lot more going on on this network than just the stuff I want behind an
> > LVS. I can't help but think, though, that traffic returning from the
> > realservers would have the source IP of eth0 instead of eth0:1
>
Actually, you can use iptables to send the traffic from particular realservers out through particular external IPs (an SNAT rule per realserver). Here is the ipvs_firewall startup script I wrote. It also lets the realservers reach the outside world through the LVS director, which SNATs their outbound traffic. It is a SuSE init script, so it will need a little modification to work on RedHat, etc.
/etc/init.d/ipvs_firewall
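#!/bin/bash
#
# /etc/init.d/ipvs_firewall
#
# Configure iptables on an LVS-NAT director so that the realservers behind
# it can reach the outside world (SNAT on the external interface), and so
# that selected realservers go out through a chosen external IP instead of
# the primary one (NAT_IP_FORWARD in the config file).
#
# Actions: start | stop | status | try-restart | condrestart | restart
#
# By Brad Dameron <brad@xxxxxxxxxx> SeaTab Software Inc. - 02/05/2006
#
# This script uses bash features (arrays, local) and must be run by bash,
# not by a minimal POSIX /bin/sh.
#
### BEGIN INIT INFO
# Provides: IPVS Firewall Rules
# Required-Start: $local_fs $network boot.localnet
# Required-Stop:
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: Configure IPTables for NAT
### END INIT INFO

# Check for existence of the config file and read it.
# The config file is *sourced* as shell code, i.e. executed as root: it must
# be owned by root and not writable by anyone else.
IPVS_FIREWALL_CONFIG=/etc/sysconfig/ipvs_firewall
if [ ! -r "$IPVS_FIREWALL_CONFIG" ]; then
  echo "$IPVS_FIREWALL_CONFIG not existing" >&2
  # A missing config on "stop" is not an error (exit 0); otherwise exit 6
  # (LSB: program is not configured).
  if [ "$1" = "stop" ]; then exit 0; else exit 6; fi
fi
. "$IPVS_FIREWALL_CONFIG"
. /etc/rc.status

# Reset status of this service
rc_reset

#######################################
# Load a kernel module unless lsmod already lists it.
# modprobe is idempotent anyway; the check only keeps the output tidy.
# Globals:   LSMOD, GREP (from the config file)
# Arguments: $1 - module name
#######################################
load_module() {
  local mod=$1
  echo "$mod"
  # Anchor on the module-name column so that e.g. "ip_nat_ftp" does not
  # match the "used by" column of the ip_conntrack_ftp line.
  if ! "$LSMOD" | "$GREP" -q "^$mod "; then
    /sbin/modprobe "$mod"
  fi
}

#######################################
# Flush all filter/nat rules and user chains and set every built-in policy
# to ACCEPT.  Shared by start and stop.
# NOTE: after this runs the director is an unfiltered router (ip_forward is
# left on) until the rulesets are loaded again.  "-X" with no chain name
# deletes every user chain in the filter table, not only ours.
# Globals:   IPTABLES (from the config file)
#######################################
flush_all_rules() {
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -F INPUT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -F OUTPUT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -F FORWARD
  "$IPTABLES" -F -t nat
  # A user chain must be empty before -X can delete it.
  if "$IPTABLES" -n -L drop-and-log-it >/dev/null 2>&1; then
    "$IPTABLES" -F drop-and-log-it
  fi
  "$IPTABLES" -X
  "$IPTABLES" -Z
}

case "$1" in
  start)
    echo " "
    echo "Starting IPVS Firewall Rules "
    echo "Turning on forwarding"
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo " External Interface: $EXTIF"
    echo " Internal Interface: $INTIF"
    echo " "
    echo " External Network: $EXTNET"
    echo " External IP Range: $EXTIPRANGE"
    echo " External IP: $EXTIP"
    echo " "
    echo " Internal Network: $INTNET"
    echo " Internal IP: $INTIP"
    echo " "
    echo " - Verifying that all kernel modules are ok"
    /sbin/depmod -a
    echo " Loading kernel modules: "
    # conntrack/NAT FTP helpers so FTP data connections survive the SNAT
    # below, plus the IPVS FTP helper for FTP virtual services.
    for mod in ip_conntrack_ftp ip_nat_ftp ip_vs_ftp; do
      load_module "$mod"
    done
    echo " "
    # The built-in chain policies are ACCEPT, not DROP: INPUT and OUTPUT are
    # deny-lists below, and only FORWARD ends in an explicit deny.  INPUT has
    # to stay open for the VIP traffic that IPVS picks up after INPUT.
    echo " Clearing any existing rules and setting default policy to ACCEPT.."
    flush_all_rules
    echo " Creating a DROP chain.."
    "$IPTABLES" -N drop-and-log-it
    # Rate-limit logging so a packet flood cannot fill the logs; the packets
    # themselves are still rejected by the next rule whether logged or not.
    "$IPTABLES" -A drop-and-log-it -m limit --limit 5/min --limit-burst 10 \
      -j LOG --log-level info --log-prefix "ipvs_firewall: "
    # Despite the chain name this REJECTs (an error is sent back to the
    # sender) rather than silently DROPs; kept as in the original ruleset.
    "$IPTABLES" -A drop-and-log-it -j REJECT
    echo -e "\n - Loading INPUT rulesets"
    # Anti-spoofing: nothing arriving on the external side may claim an
    # internal source address.
    "$IPTABLES" -A INPUT -i "$EXTIF" -s "$INTNET" -d "$UNIVERSE" -j drop-and-log-it
    "$IPTABLES" -A INPUT -i "$EXTIF" -p ICMP -s "$UNIVERSE" -d "$EXTNET" -j ACCEPT
    # Deny-list of local ports.  $TCP_DROP_PORTS / $UDP_DROP_PORTS are
    # deliberately unquoted so they split into one port per iteration.
    for d in $TCP_DROP_PORTS; do
      "$IPTABLES" -A INPUT -i "$EXTIF" -p tcp -d "$UNIVERSE" --dport "$d" -j drop-and-log-it
    done
    for d in $UDP_DROP_PORTS; do
      "$IPTABLES" -A INPUT -i "$EXTIF" -p udp -d "$UNIVERSE" --dport "$d" -j drop-and-log-it
    done
    echo -e " - Loading OUTPUT rulesets"
    # Do not leak traffic for the internal network out the external interface.
    "$IPTABLES" -A OUTPUT -o "$EXTIF" -s "$UNIVERSE" -d "$INTNET" -j drop-and-log-it
    # Silently drop udp/513 broadcasts leaving the external side.
    "$IPTABLES" -A OUTPUT -o "$EXTIF" -p udp -d "$EXTBROADCAST" --dport 513 -j DROP
    echo -e " - Loading FORWARD rulesets"
    echo " - FWD: Allow all connections OUT and only existing/related IN"
    "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NOTE(review): this accepts any source address coming from the internal
    # side; adding "-s $INTNET" would stop a compromised realserver pushing
    # spoofed sources through the director.  Left as is to preserve behaviour.
    "$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    "$IPTABLES" -A FORWARD -i lo -o "$EXTIF" -j ACCEPT
    "$IPTABLES" -A FORWARD -j drop-and-log-it
    echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
    # Per-realserver SNAT.  Each NAT_IP_FORWARD entry is <realserver>:<external ip>.
    # Iterating over the values rather than indices 1..N tolerates gaps and
    # either 0- or 1-based arrays in the config; blank entries are skipped.
    for entry in "${NAT_IP_FORWARD[@]}"; do
      [ -n "$entry" ] || continue
      nat_source=${entry%%:*}
      to_source=${entry#*:}
      # Require both halves: with no colon both expansions yield the whole
      # string and the realserver would silently be SNATed to itself.
      if [ "$entry" = "$nat_source" ] || [ -z "$nat_source" ] || [ -z "$to_source" ]; then
        echo " - NAT: skipping malformed NAT_IP_FORWARD entry '$entry'" >&2
        continue
      fi
      echo " - NAT: Setting $nat_source to forward through IP $to_source"
      "$IPTABLES" -t nat -A POSTROUTING -s "$nat_source" -o "$EXTIF" -j SNAT --to-source "$to_source"
    done
    # Everything else leaving the external interface is SNATed to the primary
    # external IP.  Order matters: this catch-all must follow the per-host rules.
    "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to-source "$EXTIP"
    echo " "
    echo -n "Finalizing load "
    # Remember status and be verbose
    rc_status -v
    ;;
  stop)
    echo -n "Clearing IPVS Firewall Rules"
    # NOTE: ip_forward is left enabled and every policy becomes ACCEPT, so
    # after "stop" the director forwards and accepts everything unfiltered.
    flush_all_rules
    # Remember status and be verbose
    rc_status -v
    ;;
  try-restart|condrestart)
    ## Do a restart only if the service was active before.
    ## Note: try-restart is now part of LSB (as of 1.9).
    ## RH has a similar command named condrestart.
    ## ("status" below only lists the rules and always succeeds, so in
    ## practice this always restarts.)
    if test "$1" = "condrestart"; then
      echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
    fi
    "$0" status
    if test $? = 0; then
      "$0" restart
    else
      rc_reset # Not running is not a failure.
    fi
    # Remember status and be quiet
    rc_status
    ;;
  restart)
    ## Stop the service and regardless of whether it was
    ## running or not, start it again.
    "$0" stop
    "$0" start
    # Remember status and be quiet
    rc_status
    ;;
  status)
    echo " "
    echo "Displaying IPVS Firewall Rules"
    echo " "
    # -n: numeric output, no reverse DNS lookups (slow, and they can hang).
    "$IPTABLES" -n -L
    "$IPTABLES" -n -L -t nat
    echo " "
    ;;
  *)
    echo "Usage: $0 {start|stop|status|try-restart|restart}"
    exit 1
    ;;
esac
rc_exit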
-------------------------------------------------------------------------
/etc/sysconfig/ipvs_firewall
#
# /etc/sysconfig/ipvs_firewall - settings read by /etc/init.d/ipvs_firewall
#
# SECURITY NOTE: the init script *sources* this file as shell code, so it
# is executed as root.  Keep it owned by root and writable by root only.
# Every value below ends up on an iptables command line; keep them to plain
# addresses, netmasks, interface names and port numbers.
#
# Application paths
#
IPTABLES=/usr/sbin/iptables
LSMOD=/sbin/lsmod
GREP=/usr/bin/grep
AWK=/usr/bin/awk
CUT=/usr/bin/cut
#
#
# Interface information - External and Internal Interfaces.  A trailing "+"
# is an iptables interface wildcard (eth0+ matches eth0, eth0.1, ...).
# IP aliases such as eth0:1 are not separate interfaces to iptables; packets
# on them are matched as eth0.
#
EXTIF="eth0+"
INTIF="eth1+"
#
# External IP info - Enter primary external IP.
# RANGE is of format - Lowest external IP - Highest external IP
# The 0.0.0.0 values are placeholders and MUST be replaced: EXTIP is the
# address every realserver is SNATed to unless NAT_IP_FORWARD says otherwise,
# EXTNET is the destination accepted for inbound ICMP, and EXTBROADCAST is the
# destination of the outbound udp/513 DROP rule.  EXTIPRANGE is only echoed
# by the script; it is not used in any rule.
#
EXTIP="0.0.0.0"
EXTIPRANGE="0.0.0.0-0.0.0.0"
EXTNET="0.0.0.0/255.255.255.0"
EXTBROADCAST="0.0.0.0"
#
# Internal IP info
# INTNET is the realserver network, used by the anti-spoofing rules on INPUT
# and OUTPUT.  INTIP is only displayed by the script.
#
INTNET="192.168.1.0/24"
INTIP="192.168.1.1/24"
#
# Unallowed ports - Block these ports from everywhere (on the external
# interface).  This is a deny-list: the init script leaves the INPUT policy at
# ACCEPT, so every port NOT listed here stays reachable on the director.
#
TCP_DROP_PORTS="23 25 37 123 111 512 513 514 2583 79"
UDP_DROP_PORTS="37 111 123 512 513 911 2049 4045 2583"
#
# Global Internet IP/Netmask
UNIVERSE="0.0.0.0/0"
#
#
# Internal NAT IP redirect - Format is <realserver>:<external ip>
# Traffic from <realserver> leaving the external interface is SNATed to
# <external ip> instead of EXTIP.  The init script walks this array by index
# starting at [1], so keep the entries contiguous from [1]; blank entries are
# skipped.  Replace the 0.0.0.0 placeholders with real external addresses.
#
NAT_IP_FORWARD[1]="192.168.1.71:0.0.0.0"
NAT_IP_FORWARD[2]="192.168.1.100:0.0.0.0"
NAT_IP_FORWARD[3]="192.168.1.120:0.0.0.0"
NAT_IP_FORWARD[4]="192.168.1.154:0.0.0.0"
NAT_IP_FORWARD[5]="192.168.1.140:0.0.0.0"
NAT_IP_FORWARD[6]=""
NAT_IP_FORWARD[7]=""
NAT_IP_FORWARD[8]=""
NAT_IP_FORWARD[9]=""
NAT_IP_FORWARD[10]=""
Hope this helps.
Brad Dameron
SeaTab Software
www.seatab.com