RE: LVS-NAT + SNAT is it impossible?

To: "'LinuxVirtualServer.org users mailing list.'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: LVS-NAT + SNAT is it impossible?
From: "Chris Newland" <chrisn@xxxxxxxxxx>
Date: Tue, 11 Jul 2006 16:58:23 +0100
Hi Paulo,

I use LVS-NAT and SNAT by using the following iptables rule:

iptables -t nat -A POSTROUTING \
-s 10.0.0.0/255.255.255.0 -o eth0 \
-j SNAT \
--to-source x.x.x.x <public IP of your director>

My realservers only have non-routable IP addresses (10.0.0.*)

The realservers can all connect to servers on the internet and when they do,
the IP source address is that of the director.

Is this what you are looking for?

Regards,

Chris 
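Added example (not code from the thread or from the LVS project): a small Python model of the two rewrites Chris's director performs, LVS-NAT for the virtual service and the POSTROUTING SNAT rule for connections the realservers open themselves. The VIP 203.0.113.10, service port 80 and realserver addresses 10.0.0.11/12 are constructed values; the 10.0.0.0/24 realserver network is the one from the thread.

```python
# Model of the address rewrites on an LVS-NAT director with an SNAT rule for
# realserver-originated traffic. Constructed addresses, not from the thread.
import ipaddress
from collections import deque

VIP = "203.0.113.10"                           # constructed: director's public IP
SERVICE_PORT = 80                              # constructed: virtual service port
RS_NET = ipaddress.ip_network("10.0.0.0/24")   # realserver network from the thread
REALSERVERS = ["10.0.0.11", "10.0.0.12"]       # constructed realserver addresses


class Director:
    def __init__(self):
        self.rs = deque(REALSERVERS)   # round-robin scheduler state
        self.lvs = {}    # (cip, cport) -> rip : LVS-NAT connection table
        self.snat = {}   # director port -> (rip, rport) : SNAT mapping table
        self.next_port = 40000

    def from_internet(self, src, sport, dst, dport):
        """Packet arriving on eth0; returns the packet as forwarded, or None."""
        if dst != VIP:
            return None                    # realservers are not routable from outside
        if dport == SERVICE_PORT:          # LVS-NAT: only the destination is rewritten
            if (src, sport) not in self.lvs:
                self.lvs[(src, sport)] = self.rs[0]
                self.rs.rotate(-1)         # schedule next connection to the next realserver
            return (src, sport, self.lvs[(src, sport)], dport)
        if dport in self.snat:             # reply to a connection a realserver opened
            rip, rport = self.snat[dport]
            return (src, sport, rip, rport)
        return None

    def from_realserver(self, src, sport, dst, dport):
        """Packet from the 10.0.0.0/24 side; the director is the default gateway."""
        if self.lvs.get((dst, dport)) == src:
            return (VIP, sport, dst, dport)   # LVS-NAT reply: source becomes the VIP
        if ipaddress.ip_address(src) in RS_NET:
            # realserver-initiated connection: -s 10.0.0.0/24 -o eth0 -j SNAT matches,
            # so the outside world sees the director's public IP as the source
            port = self.next_port
            self.next_port += 1
            self.snat[port] = (src, sport)
            return (VIP, port, dst, dport)
        return (src, sport, dst, dport)
```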

-----Original Message-----
From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Paulo F.
Andrade
Sent: 11 July 2006 15:55
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: LVS-NAT + SNAT is it impossible?

Hi,

I'm currently testing some solution on load balancing servers on a  
different network than the directors.
The obvious solution would be to use LVS-TUN, but I can't change the  
routes on the router in the real servers network to accept packets  
with source VIP. A solution to this would be to tunnel back the  
packets to the director, but then I have the martian packets problem...

Not wanting to patch the kernel, I came up with this solution:
- put secondary addresses of type 192.168.0.xxx on the real servers.
- use LVS-NAT to balance connections to those ip addresses
- construct a two way tunnel (using iproute2) based on the  
destination ip addresses

Surprisingly this works, but it's a little too complex for my liking :)

A better and simpler solution would be to use LVS-NAT and then SNAT  
in the POSTROUTING, but according to numerous sources (LVS HOWTO,  
this mailing list's archive...) this is not possible because  
LVS-NAT'ed packets don't traverse the POSTROUTING chain.

Is it impossible to SNAT packets in an LVS-NAT setup?

PS: I also found this on the LVS HOWTO  
(http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-NAT.html#lvs_net_extending):

"Tao Zhao taozhao (at) cs (dot) nyu (dot) edu 01 May 2002 LVS-NAT  
assumes that all servers are behind the director, so the director  
only need to change the destination IP when a request comes in and  
forward that to the scheduled realserver. When the reply packets go  
through the director it will change the source IP. This limits the  
deployment of LVS using NAT: the director must be the outgoing  
gateway for all servers.
I am wondering if I can change the code so that both source and  
destination IPs are changed in both ways. For example, CIP: client  
IP; DIP: director IP; SIP: server IP (public IPs);

Client->Director->Server: address pair (CIP, DIP) is changed to (DIP,  
SIP)
Server->Director->Client: address pair (SIP, DIP) is changed to (DIP,  
CIP).


Lars

Not very efficient; but this can actually already be done by using  
the port-forwarding feature AFAIK, or by a userspace application  
level gateway. "

How does port forwarding enable me to do this? And which userspace  
application is he talking about?

Thank you for your time and sorry for the long e-mail!

Paulo F. Andrade 52439@IST
mailto: pfca@xxxxxxxxxxxxxxx