Gerry Reno wrote:
> Gerry Reno wrote:
>
>> Con Tassios wrote:
>>
>>
>>> Would you need something like this on the real servers?
>>>
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 33322 -j REDIRECT
>>> --to-port 22
>>>
>> In conjunction with Graeme's suggestion about sshd_config, your rule
>> works, when used on the directors.
>>
>> Gerry
>>
> I guess I should add that the SSH rule in keepalived.conf was modified
> from 33322 back to just 22.
>
> Gerry
>
Hmm... I may have spoken too soon. It looks like the access is only
going to the director DIP and not to the RS.
In iptables on directors:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 33322 -j REDIRECT
--to-port 22
In /etc/ssh/sshd_config:
ListenAddress 192.168.1.150 # the DIP
In keepalived.conf:
virtual_server 192.168.1.240 22 { <--- changed from 33322
...
real_server 192.168.1.25 22 {
...
from remote machine:
ssh -p 33322 user@VIP
but the access is to the DIP instead of RS
So here is how I thought this would work:
The SSH request comes into eth0 on VIP:33322 and the firewall redirects it
to VIP:22 (or does it?), and then shouldn't IPVS direct it to RS:22, and then
the response from the RS go back via VIP:33322? It's not doing that. It's going to
DIP:22.
????
Gerry
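An added illustration, not code from the thread or from keepalived/IPVS: a small Python model of the director's packet path that encodes two documented behaviours, namely that the iptables REDIRECT target rewrites the destination address to the primary address of the incoming interface (so a packet for VIP:33322 becomes DIP:22, which is where the sshd with ListenAddress on the DIP answers), and that IPVS matches virtual_server entries at LOCAL_IN against the destination the packet carries after PREROUTING nat. The DNAT rule shown beside it is an assumed alternative that keeps the VIP as the destination; the client address and port are constructed.

```python
"""Model of the director's netfilter/IPVS packet path for the setup in the thread.

Constructed illustration, not code from the original post or from keepalived/IPVS.
Two documented behaviours are encoded: the iptables REDIRECT target rewrites the
destination address to the primary address of the incoming interface (here the
DIP), and IPVS matches a packet against virtual_server entries at LOCAL_IN using
the destination it carries *after* PREROUTING nat. Addresses are those quoted in
the thread; the client address and port are made up.
"""
from dataclasses import dataclass, replace

VIP = "192.168.1.240"  # virtual_server address in keepalived.conf
DIP = "192.168.1.150"  # director IP: primary address of eth0 and sshd ListenAddress
RS = "192.168.1.25"    # real_server

PUBLIC_PORT = 33322    # port the remote client connects to
SSH_PORT = 22


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def redirect_rule(pkt: Packet) -> Packet:
    """The thread's rule:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 33322 -j REDIRECT --to-port 22
    REDIRECT is a DNAT to the incoming interface's primary address, i.e. the DIP.
    """
    if pkt.dport == PUBLIC_PORT:
        return replace(pkt, dst=DIP, dport=SSH_PORT)
    return pkt


def dnat_rule(pkt: Packet) -> Packet:
    """Assumed alternative (not from the post) that keeps the VIP as destination:
    iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.1.240 --dport 33322 \
        -j DNAT --to-destination 192.168.1.240:22
    """
    if pkt.dst == VIP and pkt.dport == PUBLIC_PORT:
        return replace(pkt, dst=VIP, dport=SSH_PORT)
    return pkt


# keepalived.conf after the change: virtual_server 192.168.1.240 22 { real_server 192.168.1.25 22 { ... } }
IPVS_TABLE = {(VIP, SSH_PORT): [(RS, SSH_PORT)]}

# Addresses configured on the director; anything else takes the FORWARD path.
LOCAL_ADDRS = {VIP, DIP}


def director_path(pkt: Packet, nat_rule) -> tuple[str, int, str, list[str]]:
    """Walk PREROUTING nat -> routing decision -> IPVS at LOCAL_IN -> local delivery.

    Returns (ip, port, where, trace) with where in {"real_server", "director", "forwarded"}.
    """
    trace = [f"in eth0: {pkt.dst}:{pkt.dport}"]
    pkt = nat_rule(pkt)
    trace.append(f"after PREROUTING nat: {pkt.dst}:{pkt.dport}")
    if pkt.dst not in LOCAL_ADDRS:
        trace.append("routing: not a local address, FORWARD path")
        return pkt.dst, pkt.dport, "forwarded", trace
    # IPVS (LOCAL_IN) looks up the post-NAT destination in its service table.
    key = (pkt.dst, pkt.dport)
    if key in IPVS_TABLE:
        rs_ip, rs_port = IPVS_TABLE[key][0]  # one RS, so the scheduler does not matter here
        trace.append(f"IPVS: {key[0]}:{key[1]} matches virtual_server -> {rs_ip}:{rs_port}")
        return rs_ip, rs_port, "real_server", trace
    trace.append(f"IPVS: no virtual_server for {key[0]}:{key[1]}, delivered to local socket")
    return pkt.dst, pkt.dport, "director", trace


if __name__ == "__main__":
    client = Packet("203.0.113.7", 40000, VIP, PUBLIC_PORT)  # constructed remote client
    for name, rule in (("REDIRECT", redirect_rule), ("DNAT to VIP:22", dnat_rule)):
        ip, port, where, trace = director_path(client, rule)
        print(f"{name}: ends at {ip}:{port} ({where})")
        for step in trace:
            print("   ", step)
```

With the REDIRECT rule the model ends at DIP:22 on the director, which is the behaviour reported above; with the DNAT variant the destination is still VIP:22 when IPVS looks at it, so the virtual_server entry matches and the connection goes to the RS, and conntrack reverses the port translation on the reply so the client still sees VIP:33322. Two caveats: in IPVS NAT forwarding mode IPVS can translate the port itself (virtual_server VIP 33322 with real_server RS 22), which avoids the iptables rule entirely, whereas DR and TUN modes require the RS to serve the VIP's port; and mixing netfilter NAT with IPVS on one director depends on the kernel's IPVS/conntrack integration, so verify on the actual kernel rather than trusting this model.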