
Re: [lvs-users] postfix problem - lost connection after CONNECT

To: misch@xxxxxxxxxxxxxxxxx, "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] postfix problem - lost connection after CONNECT
Cc: Temuri Doghonadze <temuri.doghonadze@xxxxxxxxx>
From: George Machitidze <giomac@xxxxxxxxx>
Date: Fri, 24 Sep 2010 20:37:48 +0400
BTW,

We also have a problem with the web service - sometimes we get Err 503. According
to the sniff, NAT is interrupted by the balancer, the packets sent to the client
are incomplete and the sessions are interrupted at the TCP level. After "service
iptables stop" everything works fine.

On Fri, Sep 24, 2010 at 8:34 PM, George Machitidze <giomac@xxxxxxxxx> wrote:

> Guten tag Michael! :)
>
> So, what we have and where the problem is:
>
> We've got an LVS-NAT balancer (hostname "lba1a") with two real interfaces, and
> it is running postfix on localhost. Let's take as an example the globally-available
> *VIP* 123.123.123.123 on one of the interfaces; here is what we have when
> iptables is on:
>
>
> [root@lba1a ~]# telnet 123.123.123.123 25
> Trying 123.123.123.123...
> telnet: connect to address 77.92.229.53: Connection timed out
> [root@lba1a ~]# telnet 123.123.123.123 25
> Trying 123.123.123.123...
> Connected to 123.123.123.123.
> Escape character is '^]'.
> 220 123.123.123.123 ESMTP test server
> ^]
> telnet> Connection closed.
> [root@lba1a ~]# telnet 123.123.123.123 25
> Trying 123.123.123.123...
> telnet: connect to address 123.123.123.123: Connection timed out
> [root@lba1a ~]# telnet 123.123.123.123 25
> Trying 123.123.123.123...
>
> This VIP in our case is eth0:1 on FC13 x86-64; we had the same with FC11 and FC12.
>
> [root@lba1a ~]# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 state NEW
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           helper match "ftp"
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3128 state NEW
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 state NEW
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3636
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> [root@lba1a ~]# iptables -L -n -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> MARK       tcp  --  0.0.0.0/0            123.123.123.123        tcp dpt:21 MARK set 0x15
> MARK       tcp  --  0.0.0.0/0            123.123.123.123        tcp dpts:1024:65535 MARK set 0x15
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> [root@lba1a ~]# iptables -L -n -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  10.1.0.0/24          10.1.0.0/24
> MASQUERADE  all  --  10.1.0.0/24          0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> [root@lba1a ~]# ipvsadm --list -n
> IP Virtual Server version 1.2.1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> TCP  123.123.123.123:25 wlc persistent 3600
>   -> 127.0.0.1:25                 Local   50     0          1
> TCP  12.123.123.123:80 wlc persistent 3600
>   -> 10.1.0.3:80                  Masq    50     37         319
>   -> 10.1.0.5:80                  Masq    50     39         120
> FWM  21 wlc
>   -> 10.1.0.3:21                  Masq    10     0          1
>   -> 10.1.0.5:21                  Masq    10     0          0
>   -> 127.0.0.1:21                 Local   10     0          0
>
>
> We tried with LVS redirecting to localhost and without... Postfix is working
> fine; there must be a problem somewhere in iptables/LVS.
>
> On Sun, Sep 19, 2010 at 5:37 PM, Michael Schwartzkopff <
> misch@xxxxxxxxxxxxxxxxx> wrote:
>
>> On Sunday 19 September 2010 13:56:00 თემური დოღონაძე wrote:
>> > Hi.
>> >
>> > We have a cluster with 2 routers and 3 nodes, running a webserver on it.
>> > The mailserver is the 1st router itself.
>> > The problem is that we cannot connect to the SMTP server via the IPVS
>> > virtual IP from inside the router in 90% of tries.
>> > If iptables is down, all goes smoothly and we can connect freely. But if
>> > it's up, it is possible to connect, though only 1 time in 20 tries or so.
>> > Postfix is logging something like:
>> >
>> >  lost connection after CONNECT from domain.com.local[127.0.0.1]
>> >
>> > Any suggestions?
>>
>> Gamarjoobath,
>>
>> Configs? Logs?
>>
>> Greetings,
>>
>> --
>> Dr. Michael Schwartzkopff
>> Guardinistr. 63
>> 81375 München
>>
>> Tel: (0163) 172 50 98
>>
>> _______________________________________________
>> Please read the documentation before posting - it's available at:
>> http://www.linuxvirtualserver.org/
>>
>> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
>> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
>> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>
>
>
>
> --
> Best regards,
> George Machitidze
>



-- 
Best regards,
George Machitidze
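An added example, not part of the thread or of the LVS project: a small audit that parses `ipvsadm -L -n` and `iptables -L -n` listings of the kind posted above and reports TCP virtual services whose port no INPUT rule accepts for state NEW. The check matters because IPVS takes packets for a VIP at the LOCAL_IN hook, after the filter INPUT chain has already run on them, so a closing REJECT rule refuses such connections before IPVS can hand them to a real server. The sample listings are constructed and modelled on the thread's output, not the poster's verbatim data.

```python
import re

# Constructed sample listings, modelled on the thread's output (not the
# poster's verbatim data): an ipvsadm table and a filter INPUT chain.
IPVSADM_OUT = """\
TCP  123.123.123.123:25 wlc persistent 3600
  -> 127.0.0.1:25                 Local   50     0          1
TCP  123.123.123.123:443 wlc
  -> 10.1.0.3:443                 Masq    50     0          0
FWM  21 wlc
  -> 10.1.0.3:21                  Masq    10     0          1
"""
IPTABLES_INPUT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 state NEW
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
"""

def parse_ipvsadm(text):
    """Map each virtual service to its real servers as (rip, rport, forward).
    TCP/UDP services are keyed (proto, vip, port); fwmark ones ('FWM', mark, None)."""
    services, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"^(TCP|UDP)\s+(\S+):(\d+)\s", line):
            current = (m.group(1), m.group(2), int(m.group(3)))
            services[current] = []
        elif m := re.match(r"^FWM\s+(\d+)\s", line):
            current = ("FWM", int(m.group(1)), None)
            services[current] = []
        elif (m := re.match(r"^\s+->\s+(\S+):(\d+)\s+(\w+)", line)) and current:
            services[current].append((m.group(1), int(m.group(2)), m.group(3)))
    return services

def accepted_new_tcp_ports(text):
    """Destination ports opened for state NEW by 'ACCEPT tcp' rules in the chain."""
    return {int(m.group(1)) for line in text.splitlines()
            if re.match(r"^ACCEPT\s+tcp\s", line) and "state NEW" in line
            and (m := re.search(r"\bdpt:(\d+)", line))}

def unfiltered_services(services, open_ports):
    """TCP virtual services with no INPUT ACCEPT for state NEW on their port: with a
    closing REJECT rule, the filter INPUT chain refuses them before IPVS (which hooks
    LOCAL_IN after the filter table) can match them to a real server."""
    return sorted((vip, port) for proto, vip, port in services
                  if proto == "TCP" and port not in open_ports)
```

On a live director, feed the functions the real command output; in the constructed sample only the 443 service is flagged, since 25 and 80 have explicit ACCEPT rules.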