Re: [lvs-users] LVS-Nat - access to external ip from internal machines

To: "'LinuxVirtualServer.org users mailing list.'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] LVS-Nat - access to external ip from internal machines
From: "XUFENG" <xufengnju@xxxxxxxx>
Date: Fri, 20 Feb 2009 08:33:58 +0800

Hi

Would you please make your topology (the structure of your network with
servers and IPs) much clearer? I am just a little bit confused.
Please do
[root@localhost ~]# ipvsadm -L -n
[root@localhost ~]# iptables -L -n
[root@localhost ~]# ifconfig
[root@localhost ~]# route -n
on your load balancer and give us the output.
And please do
[root@localhost ~]# ifconfig
[root@localhost ~]# route -n
[root@localhost ~]# iptables -L -n
on your realservers and give us the output.
Also please do

[root@localhost ~]# ifconfig
[root@localhost ~]# route -n
[root@localhost ~]# iptables -L -n

on your internal machine from which you want to access 100.100.100.3.

Yours
Xu Feng
From China.

> -----Original Message-----
> From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of George
> Machitidze
> Sent: February 19, 2009 23:34
> To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Subject: [lvs-users] LVS-Nat - access to external ip from internal machines
> 
> Hello,
> 
> I have a problem with accessing IP's of external balancer machines
> from internal machines:
> 
> ============================
> [root@lba2 ~]# service iptables status
> Table: mangle
> Chain PREROUTING (policy ACCEPT)
> num  target     prot opt source               destination
> 
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 
> Chain POSTROUTING (policy ACCEPT)
> num  target     prot opt source               destination
> 
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> num  target     prot opt source               destination
> 
> Chain POSTROUTING (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  10.1.0.0/24          10.1.0.0/24
> 2    MASQUERADE  all  --  10.1.0.0/24          0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    fail2ban-ProFTPD  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
> 2    fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
> 3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> 5    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
> 6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
> 7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW
> 8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 state NEW
> 9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20 state NEW
> 10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-net-unreachable
> 
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 
> Chain fail2ban-ProFTPD (1 references)
> num  target     prot opt source               destination
> 1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain fail2ban-SSH (1 references)
> num  target     prot opt source               destination
> 1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
> 
> ================================
> this machine has external ip:
> 100.100.100.1 (real)
> 100.100.100.3 (vip)
> 
> and internal ip:
> 10.1.0.1 (real)
> 10.1.0.3 (vip)
> 
> and I am running internal servers with ip's:
> 10.1.0.10
> 10.1.0.20
> 
> So, all incoming connections on lba are forwarded with ip_vs to
> 10.1.0.10 and 10.1.0.20 with round-robin option.
> 
> If I am accessing it from outside world - everything is going fine, but:
> 
> from internal machines I cannot access 100.100.100.3 ip.
> 
> Can you please help me with this issue and suggest a solution? I cannot
> understand where the problem may be - in iptables configuration or
> somewhere else.
> 
> This option prevents some web services from accessing themselves via resolved
> domain name and because of this I am unable to launch some of sites...
> 
> Thank you in advance!
> 
> --
> BR,
> George Machitidze
> 
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
> 
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
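
Added example (not part of the original thread): a reading aid for the nat POSTROUTING chain quoted above, evaluating its two rules in first-match order for a few flows. The outside client address 192.0.2.50 is constructed, protocol matching is omitted because both rules are `all`, and whether IPVS-forwarded packets traverse this chain is not modelled.

```python
import ipaddress

# nat POSTROUTING rows copied from the `service iptables status` output quoted above.
NAT_POSTROUTING = """\
num  target     prot opt source               destination
1    ACCEPT     all  --  10.1.0.0/24          10.1.0.0/24
2    MASQUERADE  all  --  10.1.0.0/24          0.0.0.0/0
"""

def parse_rules(listing):
    """Parse numbered iptables rule rows into dicts; header and blank lines are skipped."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].isdigit():
            continue
        num, target, _proto, _opt, src, dst = fields[:6]
        rules.append({
            "num": int(num),
            "target": target,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
        })
    return rules

def first_match(rules, src, dst, policy="ACCEPT"):
    """Return (rule number, target) of the first rule matching src -> dst.

    Falls back to (None, policy) when no rule matches; the quoted chain's policy is ACCEPT.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule["src"] and d in rule["dst"]:
            return rule["num"], rule["target"]
    return None, policy

def describe(rules, flows):
    """Return one line per (src, dst) flow naming the rule that decides it."""
    lines = []
    for src, dst in flows:
        num, target = first_match(rules, src, dst)
        via = f"rule {num}" if num else "chain policy"
        lines.append(f"{src} -> {dst}: {target} ({via})")
    return lines

if __name__ == "__main__":
    flows = [
        ("10.1.0.10", "10.1.0.20"),      # realserver to realserver
        ("10.1.0.10", "100.100.100.3"),  # realserver to the external VIP
        ("192.0.2.50", "10.1.0.10"),     # constructed outside client address
    ]
    print("\n".join(describe(parse_rules(NAT_POSTROUTING), flows)))
```

ACCEPT in the nat table means the packet leaves with its source address unchanged, so rule 1 exempts traffic that stays inside 10.1.0.0/24 from the masquerade in rule 2.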



