Bill Omer wrote:
Thanks for your response Bill.
Just to clarify a few points. You need the iptables magic with your setup
because you're using LVS-DR, but the DIPs and RIPs are not on the same
subnet, so it's not as simple as rewriting the MAC and putting the packet
on the wire?
If so, I'll get to work on upping my iptables foo.
Philip
Hi Philip
To clarify, in my setup the VIP, RIP and CIP are all on the same
subnet. When a packet comes in to the RIP, assuming the RIP is bound
to a Linux server, the OS will drop the packet if the DEST is not
equal to any IP address that is bound to any interface on the
server. There has to be configuration done on the real server in
order for the OS to accept that packet. This is one big difference
between a custom LVS solution and using a Netscaler.
To do this, you need to use iptables to accept that traffic. See
section 17 on the LVS HOWTO
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.transparent_proxy.html
-Bill
Hi,
I may be missing something - I have several LVS-DR setups (www, smtp, dns):
* Real servers are Linux 2.6 and Windows 2K/2K3.
* VIP and RIP are on the same subnet
* VIPs are added to the director as IP aliases, as usual.
* Real Servers have the VIP address on the loopback interface on
Linux and Windows, as usual.
* No special routes are added to the director or real servers.
* all machines have iptables turned completely off
* all machines use the (OpenBSD) firewall as the default router.
* Clients on the same subnet, other internal subnets and from outside the
firewall can access the LVS system, no problem.
Maybe you don't need to duplicate the same method that the Netscaler uses
in order to get a system to work for you, or am I missing something?
Rob
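The two real-server configurations discussed in this thread (Bill's iptables REDIRECT method from the LVS HOWTO transparent-proxy section, and Rob's VIP-on-loopback method) side by side, as an added example that is not from any of the posters. The VIP, port and interface name are hypothetical placeholders; the arp_ignore/arp_announce sysctls are the standard Linux 2.6 way of stopping a real server from answering ARP for a VIP it holds on lo. By default the script only prints the commands for review; set APPLY=1 (as root) to execute them.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the real-server-side
# setup for LVS-DR using either of the two methods discussed.
# Hypothetical values, for illustration only:
VIP="${VIP:-192.0.2.10}"
VPORT="${VPORT:-80}"
IFACE="${IFACE:-eth0}"

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255, else 1.
is_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Method A (Rob's setup): put the VIP on loopback so the kernel accepts
# packets addressed to it, and make the real server refuse to answer ARP
# for the VIP so that only the director replies to the router's ARP query.
dr_loopback_rules() {
    vip=$1; iface=$2
    is_ipv4 "$vip" || { echo "bad VIP: $vip" >&2; return 1; }
    cat <<EOF
ip addr add ${vip}/32 dev lo
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_announce=2
sysctl -w net.ipv4.conf.${iface}.arp_ignore=1
sysctl -w net.ipv4.conf.${iface}.arp_announce=2
EOF
}

# Method B (Bill's setup, LVS HOWTO "transparent proxy"): leave the VIP
# unconfigured on the real server, so it never answers ARP for it, and use
# a nat PREROUTING REDIRECT so packets for VIP:port reach the local
# service instead of being dropped as "not for me".
dr_redirect_rules() {
    vip=$1; port=$2
    is_ipv4 "$vip" || { echo "bad VIP: $vip" >&2; return 1; }
    case "$port" in *[!0-9]*|'') echo "bad port: $port" >&2; return 1 ;; esac
    cat <<EOF
iptables -t nat -A PREROUTING -p tcp -d ${vip} --dport ${port} -j REDIRECT
EOF
}

# Execute the generated commands only when APPLY=1 (requires root);
# otherwise print them so they can be reviewed first.
run_rules() {
    if [ "${APPLY:-0}" = 1 ]; then sh -e; else cat; fi
}

case "${1:-}" in
    loopback) dr_loopback_rules "$VIP" "$IFACE" | run_rules ;;
    redirect) dr_redirect_rules "$VIP" "$VPORT" | run_rules ;;
    "") ;;   # no argument: only define the functions (e.g. when sourced)
    *) echo "usage: $0 loopback|redirect" >&2; exit 2 ;;
esac
```

Usage: `sh lvs-rs.sh loopback` or `sh lvs-rs.sh redirect` prints the commands; `APPLY=1 sh lvs-rs.sh redirect` runs them. Either method solves the same problem Bill describes (the kernel dropping packets whose destination is not a local address); the loopback method additionally needs the ARP suppression because the VIP is now a local address.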