On Thu, 4 Dec 2008, Dan Brown wrote:
>> the tunl device usually has the VIP
>
> Well I don't use the tunl0 device itself for anything but not having that up
> prevents me from having all of my tunl0:X (eg. tunl0:43 for say
> 216.94.145.43) aliases running, so I simply assigned it a non-useful IP.
> Assigning it the IP of eth0, or some arbitrary private LAN IP appears to
> have no effect on the availability of an IP as long as the tunl0 device is
> up so that the VIPs on the aliases work as well.
are you saying that you get it to work with an arbitrary IP
on tunl0 and the VIP on eth0:x?
>>> If I block everything except traffic to the server from the
>>> director I still get traffic through to the remote server.
>>
>> I have no idea what this means.
>
> Ok, so the LVS director runs a check on the following virtual IP setup via
> ldirectord.conf via the standard methods.
>
> # IP Address 216.94.145.43
> virtual=216.94.145.43:80
> real=209.167.162.87:80 gate 1
> real=216.94.137.194:80 ipip 5
> persistent=3600
> service=http
> request=".lvs.html"
> receive="Test Message"
> scheduler=rr
> protocol=tcp
> checktype=negotiate
>
> If on the real server getting tunneled traffic I block traffic via
> ip(6)tables (on eth0)
are you running an ip(6) version of ip_vs()?
> to the IP address 216.94.145.43 for ANY IP address,
do you mean that you block packets to the VIP from 0/0 on
eth0 on the realserver?
> but leave the director seeing the real server as up itself,
I have no idea what this means
> I can still grab content off of the site on 216.94.145.43
do you mean the client can connect via LVS to the VIP on the
realserver?
> as though the iptables rules didn't
> exist. Obviously this shouldn't happen.
why not?
> It works
what's it?
I'm giving up here. Please give me a post which explains the
problem
Joe
> with LVS-DR because it's
> coming in through eth0 as-is (and lo:X holds the VIP for it). For LVS-TUN
> it's coming in encapsulated through eth0 to the appropriate tunl0:X alias so
> it doesn't seem appropriate to apply the iptables rules to tunl0.
>
> In this specific case I figured out a solution for a single IP by simply
> dropping the -i eth0 option. However, this would become a mess quickly for
> applying blanket rules across several subnets which is why it's been device
> specific previously. Should I instead be applying the filters on tunl0
> instead?
>
> ___________________________________________________
> Dan Brown
> danb@xxxxxx
>
>
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
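An added example, not from the thread or either poster: for LVS-TUN the packet reaches eth0 as IPIP (IP protocol 4) addressed to the real server's own IP, and only after decapsulation does a packet with dst = VIP pass through INPUT, now with input interface tunl0, so a rule written as `-i eth0 -d VIP` never matches it. The script below builds a rule set for the VIP and tunnel real server from the ldirectord config quoted above; the director address is an assumed placeholder.

```bash
#!/bin/sh
# Added example: generate netfilter rules for an LVS-TUN real server.
# Addresses from the thread: VIP 216.94.145.43, tunnel real server 216.94.137.194.
# DIRECTOR is an assumed placeholder (documentation range), not from the thread.
VIP=216.94.145.43
RS_IP=216.94.137.194
DIRECTOR=192.0.2.1

# Print the rule set instead of applying it; pipe the output to sh as root to load it.
lvs_tun_rules() {
    vip=$1; rs=$2; director=$3
    # 1. The encapsulated packet arrives on eth0 with dst = real server, protocol 4 (IPIP).
    #    Only the director has any business sending IPIP to this host.
    echo "iptables -A INPUT -i eth0 -p 4 -s $director -d $rs -j ACCEPT"
    echo "iptables -A INPUT -i eth0 -p 4 -j DROP"
    # 2. After decapsulation the inner packet (dst = VIP) re-enters INPUT with input
    #    interface tunl0, so VIP filtering must name tunl0 (or no interface at all).
    echo "iptables -A INPUT -i tunl0 -d $vip -p tcp --dport 80 -j ACCEPT"
    echo "iptables -A INPUT -i tunl0 -d $vip -j DROP"
    # 3. The form from the thread that silently never matches tunnelled traffic:
    #    no packet with dst = VIP is ever seen with input interface eth0.
    echo "# ineffective for LVS-TUN: iptables -A INPUT -i eth0 -d $vip -j DROP"
}

# Sanity check on a generated rule set: succeeds only if every active rule
# that filters on the VIP names tunl0 as its input interface.
rules_name_tunl0() {
    lvs_tun_rules "$1" "$2" "$3" | grep -v '^#' | grep -- "-d $1" \
        | grep -v -- '-i tunl0' | grep -q . && return 1
    return 0
}

lvs_tun_rules "$VIP" "$RS_IP" "$DIRECTOR"
```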