
[lvs-users] LVS-NAT on firewall

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] LVS-NAT on firewall
From: Jonathan Baxter <jbaxter@xxxxxxxxxxxxx>
Date: Wed, 8 Apr 2009 18:28:14 -0400
Looking at the documentation for ipvsadm it seems that in order to run ipvsadm 
on a director that is also running a nat-firewall you have to patch the 
kernel with the ipvs_nfct patch. 

Can someone please confirm that this is correct?

I ask because I have spent a frustrating 8 hours attempting to get such a setup 
to work and failed dismally. Unfortunately, patching the kernel is not an 
option in this case (nor in many production firewall cases I might add - any 
ETA when these patches may make it into the mainstream ipvsadm code?), so I 
will probably have to switch to some other load balancer e.g. balance, but I 
really don't want to. 

My setup: 

Internet <-> LVS/Firewall/VIP/Router <-> RIP (6 machines)

The Router machine masquerades the RIP machines (real webservers) which are on 
a private network and only connect to the outside world through the Router. 
It has all the firewall rules and is the one on which I want to run ipvsadm. 

Packets get to RIP machines from Internet via Router, but get blocked on their 
way back. In the firewall log on Router I see these lines (router001 is the 
Router machine running Suse 11.0, bond0 is the internal interface to the real 
webservers (2 bonded nics), eth2 is the VIP interface):

Apr  8 18:21:32 router001 kernel: SFW2-FWDint-DROP-DEFLT-INV IN=bond0 OUT=eth2 
SRC=192.168.X.XXX DST=72.84.XX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF 
PROTO=TCP SPT=8080 DPT=58558 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT 
(020405B40402080A122C8D7D07FC4FDC01030307)

Note the SFW2-FWDint-DROP-DEFLT-INV means the packet is being dropped because 
it is invalid, which got me thinking it was probably something to do with 
these connection tracking issues. 

Any suggestions for a workaround would be greatly appreciated. Connecting the 
RIPs directly to the internet and using Direct Routing is not an option. 
Putting the firewall on another box is also not an option. 

Thanks,

Jonathan 

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
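A way to pick this symptom out of the firewall log, as an added example that is not from the post or from the LVS project: it parses SuSEfirewall2-style netfilter LOG lines and flags return packets from the real servers (SYN/ACK from the service port, entering on the internal interface and leaving via the VIP interface) that the forward chain dropped as INVALID. The interface names, the service port 8080 and all addresses in the sample are constructed assumptions.

```python
import re

# Constructed sample lines in the SFW2 / netfilter LOG format shown in the
# post; addresses, ports and hostnames are placeholders, not the poster's.
SAMPLE_LOG = """\
Apr  8 18:21:32 router001 kernel: SFW2-FWDint-DROP-DEFLT-INV IN=bond0 OUT=eth2 SRC=192.168.10.21 DST=192.0.2.77 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=58558 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT (020405B4)
Apr  8 18:21:40 router001 kernel: SFW2-INext-DROP-DEFLT IN=eth2 OUT= SRC=198.51.100.9 DST=192.0.2.77 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44123 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  8 18:21:41 router001 kernel: SFW2-FWDint-DROP-DEFLT-INV IN=bond0 OUT=eth2 SRC=192.168.10.22 DST=192.0.2.77 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=58559 WINDOW=5792 RES=0x00 ACK SYN URGP=0
"""


def parse_line(line):
    """Split one kernel LOG line into (chain tag, KEY=VALUE dict, set of bare flags)."""
    m = re.search(r"kernel: (\S+) (.*)", line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group(2).split():
        if "=" in tok:                 # IN=bond0, OUT=, SPT=8080 ...
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok.isalpha():            # DF, SYN, ACK, OPT; "(hex)" option dumps are skipped
            flags.add(tok)
    return m.group(1), fields, flags


def is_nat_return_drop(entry, internal_if, external_if, service_ports):
    """True when a real server's SYN/ACK reply was dropped as INVALID on its way out."""
    if entry is None:
        return False
    chain, fields, flags = entry
    return (chain.endswith("-INV")
            and fields.get("IN") == internal_if
            and fields.get("OUT") == external_if
            and fields.get("PROTO") == "TCP"
            and {"SYN", "ACK"} <= flags
            and int(fields.get("SPT", 0)) in service_ports)


def find_nat_return_drops(log_text, internal_if="bond0", external_if="eth2",
                          service_ports=(8080,)):
    """Return (real server IP, client port) for each matching drop, so repeats per RIP stand out."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if is_nat_return_drop(entry, internal_if, external_if, set(service_ports)):
            hits.append((entry[1]["SRC"], int(entry[1]["DPT"])))
    return hits
```

Feeding the director's firewall log through `find_nat_return_drops` separates this conntrack return-path symptom from ordinary inbound drops, which have no IN=internal/OUT=external SYN/ACK signature.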
