Good day, Michael! :)
So, here is what we have and where the problem is:
We have an LVS-NAT balancer (hostname "lba1a") with two real interfaces, and
it is running Postfix on localhost. Let's take as an example the globally
available *VIP* 123.123.123.123 on one of the interfaces; here is what we get
when iptables is on:
[root@lba1a ~]# telnet 123.123.123.123 25
Trying 123.123.123.123...
telnet: connect to address 77.92.229.53: Connection timed out
[root@lba1a ~]# telnet 123.123.123.123 25
Trying 123.123.123.123...
Connected to 123.123.123.123.
Escape character is '^]'.
220 123.123.123.123 ESMTP test server
^]
telnet> Connection closed.
[root@lba1a ~]# telnet 123.123.123.123 25
Trying 123.123.123.123...
telnet: connect to address 123.123.123.123: Connection timed out
[root@lba1a ~]# telnet 123.123.123.123 25
Trying 123.123.123.123...
This VIP in our case is eth0:1, on FC13 x86-64; we had the same with FC11 and FC12.
[root@lba1a ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            helper match "ftp"
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3128 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3636
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10000
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@lba1a ~]# iptables -L -n -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  0.0.0.0/0            123.123.123.123      tcp dpt:21 MARK set 0x15
MARK       tcp  --  0.0.0.0/0            123.123.123.123      tcp dpts:1024:65535 MARK set 0x15
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[root@lba1a ~]# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.1.0.0/24 10.1.0.0/24
MASQUERADE all -- 10.1.0.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@lba1a ~]# ipvsadm --list -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 123.123.123.123:25 wlc persistent 3600
-> 127.0.0.1:25 Local 50 0 1
TCP 12.123.123.123:80 wlc persistent 3600
-> 10.1.0.3:80 Masq 50 37 319
-> 10.1.0.5:80 Masq 50 39 120
FWM 21 wlc
-> 10.1.0.3:21 Masq 10 0 1
-> 10.1.0.5:21 Masq 10 0 0
-> 127.0.0.1:21 Local 10 0 0
We tried with the LVS redirect to localhost and without it... Postfix is working
fine; there must be a problem somewhere in iptables/LVS.
On Sun, Sep 19, 2010 at 5:37 PM, Michael Schwartzkopff <misch@xxxxxxxxxxxxxxxxx> wrote:
> On Sunday 19 September 2010 13:56:00 თემური დოღონაძე wrote:
> > Hi.
> >
> > We have a cluster with 2 routers and 3 nodes, running a webserver on it.
> > The mailserver is the 1st router itself.
> > The problem is that we cannot connect to the SMTP server via the IPVS
> > virtual IP from inside the router in 90% of tries.
> > If iptables is down, all goes smoothly; we can connect freely. But if it's
> > up, it is possible to connect, but only 1 time in 20 tries or so.
> > Postfix is logging something like:
> >
> > lost connection after CONNECT from domain.com.local[127.0.0.1]
> >
> > Any suggestions?
>
> Hello,
>
> Configs? Logs?
>
> Greetings,
>
> --
> Dr. Michael Schwartzkopff
> Guardinistr. 63
> 81375 München
>
> Tel: (0163) 172 50 98
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
--
Best regards,
George Machitidze
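Added example, not code from the original post or from the LVS project: the
thread measures the failure by hand with a few telnet attempts, so this script
turns "1 time in 20 tries or so" into a measured ratio and cross-checks it
against the ipvsadm table. probe_smtp() opens N connections to a host:port,
waits for the SMTP 220 banner, and reports successes and failures;
parse_ipvsadm() reads `ipvsadm -L -n` output and local_real_servers() lists
the virtual services that forward to a "Local" real server, which is the case
for 123.123.123.123:25 above. The IPVSADM_OUTPUT text is a constructed copy of
the table in the post; fake_smtp_server() is a stand-in listener so the probe
can be exercised offline, and all function names are assumptions of this
example.

```python
import re
import socket
import threading
from contextlib import contextmanager

# Constructed copy of the `ipvsadm -L -n` table from the post (not live output).
IPVSADM_OUTPUT = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  123.123.123.123:25 wlc persistent 3600
  -> 127.0.0.1:25                 Local   50     0          1
TCP  123.123.123.123:80 wlc persistent 3600
  -> 10.1.0.3:80                  Masq    50     37         319
  -> 10.1.0.5:80                  Masq    50     39         120
FWM  21 wlc
  -> 10.1.0.3:21                  Masq    10     0          1
  -> 10.1.0.5:21                  Masq    10     0          0
  -> 127.0.0.1:21                 Local   10     0          0
"""

_SERVICE_RE = re.compile(r"^(TCP|UDP|FWM)\s+(\S+)\s+(\S+)(.*)$")
_REAL_RE = re.compile(r"^\s*->\s+(\S+)\s+(Local|Masq|Route|Tunnel)\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_ipvsadm(text):
    """Parse `ipvsadm -L -n` output into {service: {scheduler, flags, real: [(addr, fwd, weight)]}}."""
    services, current = {}, None
    for line in text.splitlines():
        m = _SERVICE_RE.match(line)
        if m:
            proto, addr, sched, rest = m.groups()
            current = f"{proto} {addr}"
            services[current] = {"scheduler": sched, "flags": rest.strip(), "real": []}
            continue
        m = _REAL_RE.match(line)
        if m and current:
            addr, fwd, weight, _active, _inactive = m.groups()
            services[current]["real"].append((addr, fwd, int(weight)))
    return services


def local_real_servers(text):
    """Virtual services whose real server is the director itself (forward method 'Local')."""
    return sorted(svc for svc, d in parse_ipvsadm(text).items()
                  if any(fwd == "Local" for _, fwd, _ in d["real"]))


def probe_smtp(host, port=25, attempts=20, timeout=3.0):
    """Connect `attempts` times and count connections that deliver a 220 banner."""
    ok, failures = 0, []
    for i in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                banner = s.recv(512)
                if banner.startswith(b"220"):
                    ok += 1
                else:  # empty banner == peer closed before greeting (a "lost connection")
                    failures.append((i, "no 220 banner: %r" % banner[:40]))
        except OSError as exc:  # connect timeout, refused, reset
            failures.append((i, str(exc)))
    return {"attempts": attempts, "ok": ok, "ratio": ok / attempts, "failures": failures}


@contextmanager
def fake_smtp_server(banner=b"220 lba1a ESMTP test server\r\n"):
    """Stand-in listener on 127.0.0.1; banner=None accepts and closes at once."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                if banner is not None:
                    conn.sendall(banner)

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        yield srv.getsockname()[1]
    finally:
        stop.set()
        t.join()
        srv.close()


def probe_against_fake(banner, attempts=5):
    """Run the probe against the local stand-in (used for the offline self-check)."""
    with fake_smtp_server(banner) as port:
        return probe_smtp("127.0.0.1", port, attempts=attempts, timeout=2.0)


if __name__ == "__main__":
    print("services forwarding to Local:", local_real_servers(IPVSADM_OUTPUT))
    print("healthy listener:", probe_against_fake(b"220 ok\r\n"))
    print("listener that drops:", probe_against_fake(None))
    # On the director itself: probe_smtp("123.123.123.123", 25, attempts=20)
```

Run probe_smtp against the VIP once with iptables up and once with it down
and compare the two ratios; the failures list keeps the per-attempt errno so a
timeout (packet silently dropped) is distinguishable from a refused or reset
connection, which is the first thing to know before blaming a rule.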