Hi Paulo,
I use LVS-NAT and SNAT by using the following iptables rule:
iptables -t nat -A POSTROUTING \
-s 10.0.0.0/255.255.255.0 -o eth0 \
-j SNAT \
--to-source x.x.x.x <public IP of your director>
My realservers only have non-routable IP addresses (10.0.0.*)
The realservers can all connect to servers on the internet and when they do,
the IP source address is that of the director.
Is this what you are looking for?
Regards,
Chris
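As an added illustration (not part of Chris's mail): a small offline check that every LVS-NAT realserver is actually covered by a POSTROUTING SNAT rule pointing at the director's public IP, so that no realserver leaks its private 10.0.0.x address when it talks to the internet. The rule text, realserver list and director IP 203.0.113.10 below are constructed samples, not taken from the thread.

```python
import ipaddress
import shlex

# Constructed sample in the shape of `iptables -t nat -S POSTROUTING` output.
SAMPLE_NAT_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
"""

# Constructed realserver addresses, as an LVS-NAT (ipvsadm -m) setup would list them.
SAMPLE_REALSERVERS = ["10.0.0.11", "10.0.0.12", "10.0.1.5"]


def parse_snat_rules(rules_text):
    """Return (source_network, out_iface, to_source) for each SNAT rule in POSTROUTING.
    Accepts both CIDR (10.0.0.0/24) and dotted-netmask (10.0.0.0/255.255.255.0) sources."""
    found = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[:2] != ["-A", "POSTROUTING"]:
            continue
        opts = {}
        i = 2
        while i < len(tokens):
            if tokens[i] in ("-s", "-o", "-j", "--to-source") and i + 1 < len(tokens):
                opts[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                i += 1
        if opts.get("-j") == "SNAT" and "-s" in opts and "--to-source" in opts:
            net = ipaddress.ip_network(opts["-s"], strict=False)
            found.append((net, opts.get("-o"), opts["--to-source"]))
    return found


def uncovered_realservers(realservers, rules_text, director_ip, out_iface="eth0"):
    """Realservers whose outbound traffic would NOT be rewritten to director_ip
    on out_iface; an empty list means the SNAT rule covers every realserver."""
    rules = parse_snat_rules(rules_text)
    uncovered = []
    for rs in realservers:
        addr = ipaddress.ip_address(rs)
        covered = any(addr in net and iface in (None, out_iface) and to == director_ip
                      for net, iface, to in rules)
        if not covered:
            uncovered.append(rs)
    return uncovered
```

With the sample data, 10.0.1.5 sits outside the 10.0.0.0/24 source match and is reported as uncovered.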
-----Original Message-----
From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Paulo F.
Andrade
Sent: 11 July 2006 15:55
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: LVS-NAT + SNAT is it impossible?
Hi,
I'm currently testing some solution on load balancing servers on a
different network than the directors.
The obvious solution would be to use LVS-TUN, but I can't change the
routes on the router in the real servers network to accept packets
with source VIP. A solution to this would be to tunnel back the
packets to the director, but then I have the martian packets problem...
Not wanting to patch the kernel, I came up with this solution:
- put secondary addresses of type 192.168.0.xxx on the real servers.
- use LVS-NAT to balance connections to those ip addresses
- construct a two way tunnel (using iproute2) based on the
destination ip addresses
Surprisingly this works, but it's a little too complex for my liking :)
A better and simpler solution would be to use LVS-NAT and then SNAT
in the POSTROUTING, but according to numerous sources (LVS HOWTO,
this mailing list's archive...) this is not possible because LVS-NAT'ed
packets don't traverse the POSTROUTING chain.
Is it impossible to SNAT packets in an LVS-NAT setup?
PS: I also found this on the LVS HOWTO
(http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-NAT.html#lvs_net_extending):
"Tao Zhao taozhao (at) cs (dot) nyu (dot) edu 01 May 2002 LVS-NAT
assumes that all servers are behind the director, so the director
only need to change the destination IP when a request comes in and
forward that to the scheduled realserver. When the reply packets go
through the director it will change the source IP. This limits the
deployment of LVS using NAT: the director must be the outgoing
gateway for all servers.
I am wondering if I can change the code so that both source and
destination IPs are changed in both ways. For example, CIP: client
IP; DIP: director IP; SIP: server IP (public IPs);
Client->Director->Server: address pair (CIP, DIP) is changed to (DIP,
SIP)
Server->Director->Client: address pair (SIP, DIP) is changed to (DIP,
CIP).
Lars
Not very efficient; but this can actually already be done by using
the port-forwarding feature AFAIK, or by a userspace application
level gateway. "
How does port forwarding enable me to do this? And what userspace
application is he talking about?
Thank you for your time and sorry for the long e-mail!
Paulo F. Andrade 52439@IST
mailto: pfca@xxxxxxxxxxxxxxx