Is anyone using LVS + heartbeat + ldirectord + iptables with SNAT/DNAT?
I'm trying to allow "direct" access to the real servers via one public
IP separate from the virtual IP that would "bypass" LVS, and then the
load balanced virtual IP for LVS to load balance between the real
servers.
For example:
192.168.1.1 - LVS director #1
192.168.1.2 - LVS director #2
192.168.1.3 - "direct" IP for web1
192.168.1.4 - "direct" IP for web2
192.168.1.100 - load balanced IP for web1/web2
10.0.0.1 - LVS director #1 (internal)
10.0.0.2 - LVS director #2 (internal)
10.0.0.3 - internal IP for web1
10.0.0.4 - internal IP for web2
10.0.0.254 - load balanced default gateway IP for director1/director2
The direct system access works great, but I need an iptables rule to
handle the SNAT/DNAT exception of the load balanced IP.
I have rules like:
iptables -t nat -A PREROUTING -i eth1 -d 192.168.1.3 -j DNAT --to-destination 10.0.0.3
and
iptables -t nat -A POSTROUTING -s 10.0.0.3 ! -d 10.0.0.0/24 -j SNAT --to-source 192.168.1.3
But then, of course, when I get a connection on 192.168.1.100, the
director sends the packets to the real server, the real server shoots
back its response, but the POSTROUTING rule rewrites the source to the
"direct" IP, 192.168.1.3, instead of the load balanced IP. I just haven't
figured out a simple way to change the SNAT address depending on the
destination of the initial connection, the virtual IP.
It's probably just a simple iptables rule, but it's evading me....
TIA,
Ryan
--
Ryan Ordway Unix Systems Administrator
OSU Libraries E-mail: ryan.ordway@xxxxxxxxxxxxxxx