Arnd wrote on 12/05/2006 20:00:04:
> Dominik Klein wrote:
> >> 'ipvsadm -L -n' shows the following entry:
> >> TCP <public_ip>:80 wlc
> >> -> 127.0.0.1:80 Local 1 0 0
> >> Shouldn't this entry show "masq" on the line with "127.0.0.1"
> >> instead of "Local"?
> > No. Local is fine.
> >> If the servers are up they are in the list with "-> 192.168.1.151
> >> 100 0 0". Do I need to set any iptables rules (masquerading) to be
> >> able to connect to the fallback-server from the internet?
> > Normally not. Do you have any other iptables rules on your director
> > that may be blocking this?
> The iptables rules allow access to any internal server, port 80 and 443.
> Rules for the lo-device are all open:
> $IPT -t filter -A INPUT -p all -i lo -j ACCEPT
> $IPT -t filter -A OUTPUT -p all -o lo -j ACCEPT
> $IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
> I was not setting up the firewall rules so maybe I overlooked one rule.
> But a dropping firewall should throw away any SYN packets (drop) and
> while I'm receiving a "reset" it must be something else.
> The tcp-packet arrives on the external interface but it is not
> redirected to the lo-interface. Is this not a director task?
I'm also experiencing the same problem with getting fallback on localhost
working. In the end I set up fallback on the VIP of the cluster and that
seems to work.
Fedora Core release 4
# Global Directives
ipvsadm -L -n:
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP a.b.c.d:80 lc
-> 127.0.0.1:80 Local 1 0 0
[root@lvs3 ~]# tcpdump -i eth1 host a.b.c.e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
11:03:03.176753 IP a.b.c.e.50891 > a.b.c.d.http: S
2138124158:2138124158(0) win 5840 <mss 1460,sackOK,timestamp 213381628
11:03:03.176821 IP a.b.c.d > a.b.c.e: icmp 68: 126.96.36.199 tcp port http
iptables is configured to accept all to and from lo and to logdrop
everything else. Nothing appears in the firewall logs.
When I change the configuration as follows:
Then I get a working fallback server.
Is there something broken in the 2.6.15 kernel lvs maybe?