BTW,
We also have a problem with the web service: sometimes we get Err 503. According
to a sniff, NAT is interrupted by the balancer, the packets sent to the client
are incomplete and sessions are interrupted at the TCP level. After
"service iptables stop" everything works fine.
On Fri, Sep 24, 2010 at 8:34 PM, George Machitidze <giomac@xxxxxxxxx> wrote:
> Good day Michael! :)
>
> So, what we have and where is the problem:
>
> We've got an LVS-NAT balancer (hostname "lba1a") with two real interfaces, and
> it is running postfix on localhost. Let's take as an example the globally-available
> *VIP* 123.123.123.123 on one of the interfaces; here is what we get when
> iptables is on:
>
>
> [root@lba1a ~]# telnet 123.123.123.123 25
> Trying 123.123.123.123...
> telnet: connect to address 77.92.229.53: Connection timed out
> [root@lba1a ~]# telnet 123.123.123.123 25
> Trying 123.123.123.123...
> Connected to 123.123.123.123.
> Escape character is '^]'.
> 220 123.123.123.123 ESMTP test server
> ^]
> telnet> Connection closed.
> [root@lba1a ~]# telnet 123.123.123.123 25
> Trying 123.123.123.123...
> telnet: connect to address 123.123.123.123: Connection timed out
> [root@lba1a ~]# telnet 123.123.123.123 25
> Trying 123.123.123.123...
>
> This VIP in our case is eth0:1; FC13 x86-64, we had the same with FC11 and FC12.
>
> [root@lba1a ~]# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 state NEW
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           helper match "ftp"
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3128 state NEW
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 state NEW
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3636
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> [root@lba1a ~]# iptables -L -n -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> MARK       tcp  --  0.0.0.0/0            123.123.123.123     tcp dpt:21 MARK set 0x15
> MARK       tcp  --  0.0.0.0/0            123.123.123.123     tcp dpts:1024:65535 MARK set 0x15
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> [root@lba1a ~]# iptables -L -n -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  10.1.0.0/24          10.1.0.0/24
> MASQUERADE all  --  10.1.0.0/24          0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> [root@lba1a ~]# ipvsadm --list -n
> IP Virtual Server version 1.2.1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
> -> RemoteAddress:Port Forward Weight ActiveConn InActConn
> TCP 123.123.123.123:25 wlc persistent 3600
> -> 127.0.0.1:25 Local 50 0 1
> TCP 12.123.123.123:80 wlc persistent 3600
> -> 10.1.0.3:80 Masq 50 37 319
> -> 10.1.0.5:80 Masq 50 39 120
> FWM 21 wlc
> -> 10.1.0.3:21 Masq 10 0 1
> -> 10.1.0.5:21 Masq 10 0 0
> -> 127.0.0.1:21 Local 10 0 0
>
>
> We tried with the LVS redirect to localhost and without it... Postfix is working
> fine; there must be a problem somewhere in iptables/LVS.
>
> On Sun, Sep 19, 2010 at 5:37 PM, Michael Schwartzkopff <
> misch@xxxxxxxxxxxxxxxxx> wrote:
>
>> On Sunday 19 September 2010 13:56:00 თემური დოღონაძე wrote:
>> > Hi.
>> >
>> > We have a cluster with 2 routers and 3 nodes, running a webserver on it.
>> > The mailserver is the 1st router itself.
>> > The problem is that we cannot connect to the SMTP server via the IPVS virtual IP
>> > from inside the router in 90% of tries.
>> > If iptables is down, all goes smoothly, we can connect freely; but if it's
>> > up, it's possible to connect, though only 1 time in 20 tries or so.
>> > postfix is logging something like:
>> >
>> > lost connection after CONNECT from domain.com.local[127.0.0.1]
>> >
>> > any suggestions?
>>
>> Hello,
>>
>> Configs? Logs?
>>
>> Greetings,
>>
>> --
>> Dr. Michael Schwartzkopff
>> Guardinistr. 63
>> 81375 München
>>
>> Tel: (0163) 172 50 98
>>
>> _______________________________________________
>> Please read the documentation before posting - it's available at:
>> http://www.linuxvirtualserver.org/
>>
>> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
>> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
>> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>
> --
> Best regards,
> George Machitidze
>
--
Best regards,
George Machitidze
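As an added example (my own code, not from the thread or from the LVS project): the listing above can be checked mechanically. The script below parses ipvsadm -L -n and the iptables -L -n filter and mangle output (the samples are constructed from the quoted listing with the wrapped lines re-joined and the thread's placeholder addresses kept) and reports, for every virtual service, which INPUT rule a new connection to VIP:port would hit, and, for the FWM service, whether a mangle MARK rule actually sets that mark (ipvsadm lists the fwmark in decimal, iptables in hex, so FWM 21 and "MARK set 0x15" are the same value). Function and variable names are my own.

```python
"""Cross-check an LVS director's ipvsadm table against its iptables rules.
Added example, not code from the thread or the LVS project; the sample text is
constructed from the listing quoted above, with the wrapped lines re-joined."""
import re
IPVSADM = """\
TCP  123.123.123.123:25 wlc persistent 3600
  -> 127.0.0.1:25                 Local   50     0          1
TCP  123.123.123.123:80 wlc persistent 3600
  -> 10.1.0.3:80                  Masq    50     37         319
FWM  21 wlc
  -> 127.0.0.1:21                 Local   10     0          0
"""
FILTER = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           helper match "ftp"
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 state NEW
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
"""
MANGLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  0.0.0.0/0            123.123.123.123     tcp dpt:21 MARK set 0x15
MARK       tcp  --  0.0.0.0/0            123.123.123.123     tcp dpts:1024:65535 MARK set 0x15
"""
RULE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")  # target prot opt src dst rest

def parse_chain(text, chain):
    """Rules of one chain from `iptables -L -n` output, numbered from 1."""
    rules, cur = [], None
    for line in text.splitlines():
        m = RULE.match(line)
        if line.startswith("Chain "):
            cur = line.split()[1]
        elif cur == chain and m and not line.startswith("target"):
            target, proto, src, dst, rest = m.groups()
            rules.append(dict(num=len(rules) + 1, target=target, proto=proto,
                              src=src, dst=dst, rest=rest.strip()))
    return rules

def parse_ipvsadm(text):
    """Virtual services from `ipvsadm -L -n` (IPv4 only)."""
    svcs = []
    for line in text.splitlines():
        m = re.match(r"^(TCP|UDP)\s+(\S+):(\d+)\s", line)
        if m:
            svcs.append(dict(proto=m[1], vip=m[2], port=int(m[3]), fwmark=None))
        elif line.startswith("FWM "):   # ipvsadm prints the fwmark in decimal
            svcs.append(dict(proto=None, vip=None, port=None, fwmark=int(line.split()[1])))
    return svcs

def first_terminal_rule(rules, proto, port, dst):
    """First ACCEPT/REJECT/DROP rule a NEW packet for dst:port would hit, or None."""
    for r in rules:
        if (r["target"] not in ("ACCEPT", "REJECT", "DROP")       # LOG etc.: not decided here
                or r["proto"] not in ("all", proto.lower()) or r["src"] != "0.0.0.0/0"
                or r["dst"] not in ("0.0.0.0/0", dst) or "helper match" in r["rest"]):
            continue                                               # helper rules need conntrack
        m = re.search(r"dpts?:(\d+)(?::(\d+))?", r["rest"])
        st = re.search(r"state (\S+)", r["rest"])
        if (m and not int(m[1]) <= port <= int(m[2] or m[1])) or (st and "NEW" not in st[1].split(",")):
            continue                                               # other port, or RELATED,ESTABLISHED only
        return r

def mangle_marks(text):
    """fwmarks set by MARK rules in mangle PREROUTING; iptables prints them in hex."""
    hits = (re.search(r"MARK set (0x[0-9a-fA-F]+|\d+)", r["rest"])
            for r in parse_chain(text, "PREROUTING") if r["target"] == "MARK")
    return {int(m[1], 0) for m in hits if m}   # 0x15 -> 21, which ipvsadm lists as FWM 21

def audit(ipvs_text, filter_text, mangle_text, skip_bare_accepts=False):
    """One (service, status, detail) per IPVS service; INPUT must accept VIP:port because
    IPVS takes the packet at LOCAL_IN after the filter table.  skip_bare_accepts sets aside
    `ACCEPT all` rules with no visible match (`-L -n` hides `-i lo`) to show what else decides."""
    rules = [r for r in parse_chain(filter_text, "INPUT") if not (
        skip_bare_accepts and r["target"] == "ACCEPT" and r["proto"] == "all" and not r["rest"])]
    marks, out = mangle_marks(mangle_text), []
    for s in parse_ipvsadm(ipvs_text):
        if s["fwmark"] is not None:
            hit = s["fwmark"] in marks
            out.append(("FWM %d" % s["fwmark"], "ok" if hit else "missing",
                        "%s mangle MARK rule sets 0x%x" % ("a" if hit else "no", s["fwmark"])))
            continue
        label = "%s %s:%d" % (s["proto"], s["vip"], s["port"])
        r = first_terminal_rule(rules, s["proto"], s["port"], s["vip"])
        if r is None:
            out.append((label, "policy", "no INPUT rule matches; the chain policy decides"))
        else:
            out.append((label, "ok" if r["target"] == "ACCEPT" else "blocked",
                        "%s at INPUT rule %d: %s" % (r["target"], r["num"], r["rest"]
                        or "no visible match (-L -n hides -i/-o; compare iptables -S)")))
    return out

if __name__ == "__main__":
    for row in audit(IPVSADM, FILTER, MANGLE, skip_bare_accepts=True):
        print("%-24s %-8s %s" % row)
```

Run it with python3. With skip_bare_accepts=True it reports tcp 25 as accepted by the "tcp dpt:25 state NEW" rule, tcp 80 by the dpt:80 rule, and FWM 21 as covered by the 0x15 MARK rules; without that switch every service is accepted by the first, unconditional rule. Two caveats: iptables -L -n omits interface matches, so that first ACCEPT at the top of the INPUT chain above may well be an "-i lo" rule that only iptables -S (or -L -n -v) would show; and this is a static check of the ruleset only. It says nothing about conntrack or the IPVS connection table, so it can confirm the ports are open but cannot explain intermittent timeouts like the ones in the telnet session above.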