Re: [lvs-users] LVS-NAT on firewall

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [lvs-users] LVS-NAT on firewall
Cc: Graeme Fowler <graeme@xxxxxxxxxxx>
From: Jonathan Baxter <jbaxter@xxxxxxxxxxxxx>
Date: Sun, 12 Apr 2009 11:05:05 -0400
Hi Graeme,

I am nervous putting the firewall rules on a public list as this will be a 
public-facing website.

I switched over to HAProxy which seems to be doing a good job. I don't need 
the lower-level load balancing so HAProxy is fine for my purposes. 

Thanks for your help. 

- Jonathan 

On Sunday 12 April 2009 05:17, Graeme Fowler wrote:
> Hi Jonathan
>
> Apologies for the delayed reply, first of all.
>
> On Wed, 2009-04-08 at 18:28 -0400, Jonathan Baxter wrote:
> > Looking at the documentation for ipvsadm it seems that in order to run
> > ipvsadm on a director that is also running a nat-firewall you have to
> > patch the kernel with the ipvs_nfct patch.
>
> Well, not exactly, no. I've happily had ip_vs rules and netfilter rules
> co-reside on the same director doing LVS-NAT on a number of occasions,
> albeit probably not in the same sort of setup as you overall.
>
> > Internet <-> LVS/Firewall/VIP/Router <-> RIP (6 machines)
>
> OK, this is all perfectly sane.
>
> > The Router machine masquerades the RIP machines (real webservers) which
> > are on a private network and only connect to the outside world through 
> > the Router. It has all the firewall rules and is the one on which I want
> > to run ipvsadm.
>
> ...and so is this.
>
> > Packets get to RIP machines from Internet via Router, but get blocked on
> > their way back.
>
> But this part is not. This is something to do with the netfilter rules
> getting in the way (obviously).
>
> Can you post an example iptables ruleset, please (generate it using
> iptables-save and edit it appropriately)? The way you have the rules
> built is stopping the traffic getting back through.
>
> Ta
>
> Graeme

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
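A helper for the step Graeme suggests above (dump the ruleset with iptables-save and edit it before posting), aimed at the worry Jonathan raises about publishing a live firewall's addresses. This is an added example, not code from the thread or from the LVS project; the ruleset it processes is constructed, and treating RFC1918, loopback and 0.0.0.0/8 as safe to leave visible is an assumption.

```python
"""Redact public IPv4 addresses in iptables-save output before sharing it.

Public addresses become stable placeholders (PUBLIC_1, PUBLIC_2, ...) so the
chain logic stays diagnosable while the real addresses are not disclosed.
Private ranges are kept: they describe the NAT topology (director, RIPs)
without naming anything reachable from the Internet (assumption).
"""
from __future__ import annotations

import ipaddress
import re

# IPv4 address with an optional /prefix; counters like [0:0] never match.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?")

# Ranges left in clear text (assumed safe to share on a public list).
KEEP_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "0.0.0.0/8")]

# Constructed sample dump, not a real ruleset from the thread.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 203.0.113.5
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -s 203.0.113.77 -p tcp --dport 22 -j ACCEPT
-A FORWARD -d 203.0.113.5 -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""


def redact_ruleset(text: str) -> tuple[str, dict[str, str]]:
    """Return (redacted text, {real address: placeholder})."""
    mapping: dict[str, str] = {}

    def sub(m: re.Match) -> str:
        addr, prefix = m.group(1), m.group(2) or ""
        try:
            ip = ipaddress.IPv4Address(addr)
        except ipaddress.AddressValueError:
            return m.group(0)          # e.g. 999.1.2.3: not an address, keep
        if any(ip in net for net in KEEP_NETS):
            return m.group(0)          # private/local: keep for context
        if addr not in mapping:
            mapping[addr] = f"PUBLIC_{len(mapping) + 1}"
        return mapping[addr] + prefix  # same host always gets same label

    return IPV4_RE.sub(sub, text), mapping


if __name__ == "__main__":
    redacted, seen = redact_ruleset(SAMPLE)
    print(redacted)
    print("# redacted:", seen)
```

Keep the mapping privately so you can translate the list's answer back to your real addresses.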
