[lvs-users] IPVS and IPTABLES firewall

To: graeme@xxxxxxxxxxx
Subject: [lvs-users] IPVS and IPTABLES firewall
Cc: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: w y <yaw55555@xxxxxxxx>
Date: Tue, 14 Apr 2009 11:48:49 +0000 (GMT)
Hi Graeme,
I am interested in your first comment:

On Wed, 2009-04-08 at 18:28 -0400, Jonathan Baxter wrote:
> Looking at the documentation for ipvsadm it seems that in order to run 
> ipvsadm 
> on a director that is also running a nat-firewall you have to patch the 
> kernel with the ipvs_nfct patch. 

Well, not exactly, no. I've happily had ip_vs rules and netfilter rules
co-reside on the same director doing LVS-NAT on a number of occasions,
albeit probably not in the same sort of setup as you overall.

I have installed a basic http loadbalancing setup that works perfectly:

Internet <-> LVS/VIP <-> RIP (1 machine)

But unfortunately, when I run my "usual" firewall script to protect my director 
server (i.e. some IPTABLES commands to only allow port 80), loadbalancing is 
broken ... the director receives packets, but seems not to be able to forward 
packets to the real server.
 
Do you mean that we don't need to patch the kernel?
Can you give me some examples of netfilter rules that can co-reside with ip_vs 
rules? Must I add specific ip_vs rules in my firewall script to allow 
loadbalancing?
 
Many thanks,
Yannick


________________________________
From: Graeme Fowler <graeme@xxxxxxxxxxx>
To: jbaxter@xxxxxxxxxxxxx; LinuxVirtualServer.org users mailing list. 
<lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Sunday, 12 April 2009, 11:17:21
Subject: Re: [lvs-users] LVS-NAT on firewall

Hi Jonathan

Apologies for the delayed reply, first of all.

On Wed, 2009-04-08 at 18:28 -0400, Jonathan Baxter wrote:
> Looking at the documentation for ipvsadm it seems that in order to run 
> ipvsadm 
> on a director that is also running a nat-firewall you have to patch the 
> kernel with the ipvs_nfct patch. 

Well, not exactly, no. I've happily had ip_vs rules and netfilter rules
co-reside on the same director doing LVS-NAT on a number of occasions,
albeit probably not in the same sort of setup as you overall.

> Internet <-> LVS/Firewall/VIP/Router <-> RIP (6 machines)

OK, this is all perfectly sane.

> The Router machine masquerades the RIP machines (real webservers) which are 
> on 
> a private network and only connect to the outside world through  the Router. 
> It has all the firewall rules and is the one on which I want to run ipvsadm. 

...and so is this.

> Packets get to RIP machines from Internet via Router, but get blocked on 
> their 
> way back.

But this part is not. This is something to do with the netfilter rules
getting in the way (obviously).

Can you post an example iptables ruleset, please (generate it using
iptables-save and edit it appropriately)? The way you have the rules
built is stopping the traffic getting back through.

Ta

Graeme


_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
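An added example, not from the list or the LVS project, of the kind of director ruleset Graeme describes: INPUT and FORWARD policies stay at DROP, but the two paths IPVS needs for LVS-NAT (the client request reaching the INPUT chain, and the real server's reply crossing the FORWARD chain) are opened explicitly instead of relying on connection tracking, which is what the ipvs_nfct patch would otherwise provide. The VIP and real-server network are assumed placeholders; set IPT=echo and SYSCTL=echo to preview the rules without applying them.

```shell
#!/bin/sh
# Constructed example: restrictive iptables ruleset for an LVS-NAT director.
VIP="${VIP:-192.0.2.10}"           # public virtual IP (assumed placeholder)
RIP_NET="${RIP_NET:-10.0.0.0/24}"  # private real-server network (assumed)
IPT="${IPT:-iptables}"             # IPT=echo prints rules instead of applying
SYSCTL="${SYSCTL:-sysctl}"

lvs_nat_firewall() {
    # LVS-NAT needs the director to route between the two networks.
    $SYSCTL -w net.ipv4.ip_forward=1

    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and replies to connections the director itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Client requests to the service. IPVS claims them at the LOCAL_IN hook,
    # which runs after the INPUT chain, so an "only port 80" rule must name
    # the VIP here or the director never balances anything.
    $IPT -A INPUT -d "$VIP" -p tcp --dport 80 -j ACCEPT

    # Replies from the real servers to clients cross the FORWARD chain. Without
    # the nfct patch, conntrack does not tie them to the client's connection,
    # so a state match will not help: accept them by source network and port.
    $IPT -A FORWARD -s "$RIP_NET" -p tcp --sport 80 -j ACCEPT

    # Ordinary masquerading so the real servers can reach the Internet through
    # the director, as in the quoted setup; this part is unrelated to IPVS.
    $IPT -A FORWARD -s "$RIP_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -d "$RIP_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$RIP_NET" -j MASQUERADE
}

# Apply only when explicitly asked: sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    lvs_nat_firewall
fi
```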
