On Tue, 22 May 2007, Shaun Mccullagh wrote:
KL is in location A, RS1 in location B and RS2 in location C.
KL == client?, keepalived?
All these locations are geographically separate and all systems have
public IPs.
for production, for security, you don't want the anyone to
access the realservers directly - use private IPs.
The problem is both Real Servers are running Windows 2003 Server.
Windows 2003 does not support IPIP encapsulation, Win2k used to.
However both Windows servers sit behind Linux Firewalls which do support
IPIP. So wondered if I could use the firewalls to decapsulate the IPIP
datagrams and the forward them to the RS.
I don't know how to do it, but Linux is supposed to be able
to do this sort of thing. You're going to have to find an
iptables master. Maybe someone on this list knows, but
otherwise, you might have to join another mailing list for
the answer. After decapsulation on the firewall, you'll have
a packet with dest_addr==VIP in local_in and you'll have to
forward it to the output chain.
I've succeeded in getting one tunnel operational. The KL healthchecker
is successfully executing a simple TCP check on Port 80 of RS1 every 20
seconds.
The problem is the Linux firewall will not forward browser client
requests to RS1.
Tcpdump shows the requests are being delivered to tun0 on the firewall
connected to RS1:
14:50:42.225285 IP 10.200.0.1 > 10.200.0.2: IP 62.100.54.4.1174 >
62.100.52.101.http: S 126909974:126909974(0) win 65535 <mss
1260,nop,nop,sackOK> (ipip-proto-4)
Note that 62.100.52.101 is the KL VIP, 10.200.0.2 is the firewall tunnel
address, 10.200.0.1 is the KL tunnel address. I've added an IPTABLES
rule to DNAT all traffic sent to 10.200.0.2:20 to RS1 (10.1.40.10), this
works for the KL TCP check, but not for browser requests.
RS1 will need the VIP with the service listening on the VIP,
the firewall will need a route to the VIP (which is on RS1)
the firewall will need a rule on the firewall to forward
packets with dest_addr=VIP to the output chain.
RS1 will reply to the client directly (presumably through
the firewall, but the reply packet should traverse the
firewall untouched by any rules).
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
|