[lvs-users] LVS/TUN Help with FWMARK

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [lvs-users] LVS/TUN Help with FWMARK
From: Jenny Lee <bodycare_5@xxxxxxxx>
Date: Thu, 28 Jun 2012 03:13:50 +0000
Dear LVS Users,
 
First of all, thank you for the excellent product.
 
I am a bit stuck. I would appreciate it if some of you experts would have a look at this.
 
I have 2 machines (they are in different datacenters):

############# SETUP ############################################
Both machines use:
RHEL6 x64 2.6.32-131.0.15.el6.x86_64
iptables v1.4.7
IP Virtual Server version 1.2.1 (size=4096)
 
MACHINE 1
1.1.1.1 (eth0)
1.1.1.3 secondary ip (ip addr add 1.1.1.3 dev eth0)
 
MACHINE 2
2.2.2.2 (eth0)
2.2.2.3 secondary ip (ip addr add 2.2.2.3 dev eth0)
 

############# PURPOSE ###########################################
I am trying to have IP 1.1.1.3 accessible on MACHINE 2 (in its simplest explanation).
 

############# COMMANDS ##########################################
On MACHINE 1, I run:
 
iptables -F
iptables -F -t mangle
iptables -A INPUT -p tcp -j ACCEPT
iptables -A INPUT -p udp -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -d 1.1.1.3 -m state ! --state ESTABLISHED -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -p udp -d 1.1.1.3 -m state ! --state ESTABLISHED -j MARK --set-mark 1
ipvsadm -C
ipvsadm -A -f 1 -s rr
ipvsadm -a -f 1 -r 2.2.2.2 -i
 

On MACHINE 2, I run:
 
service iptables stop
modprobe ipip
ip addr add 1.1.1.3/32 dev tunl0
ip link set tunl0 up arp off
nc -l -v -D 23

############# LOGS ################################################
On MACHINE 1:
 
tcpdump -lnnn host 2.2.2.2
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:41:35.367295 IP 1.1.1.1 > 2.2.2.2: IP cl.ie.nt.IP.53178 > 1.1.1.3.23: Flags [S], seq 64858347, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0 (ipip-proto-4)
05:41:38.369261 IP 1.1.1.1 > 2.2.2.2: IP cl.ie.nt.IP.53178 > 1.1.1.3.23: Flags [S], seq 64858347, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0 (ipip-proto-4)
05:41:44.374032 IP 1.1.1.1 > 2.2.2.2: IP cl.ie.nt.IP.53178 > 1.1.1.3.23: Flags [S], seq 64858347, win 8192, options [mss 1400,nop,nop,sackOK], length 0 (ipip-proto-4)
 
ipvsadm -L -n --stats
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port               Conns   InPkts  OutPkts  InBytes OutBytes
  -> RemoteAddress:Port
FWM  1                                   5       13        0      760        0
  -> 2.2.2.2:0                           5       13        0      760        0

 
On MACHINE 2:

tcpdump -lnnn -i tunl0 host cl.ie.nt.IP
listening on tunl0, link-type RAW (Raw IP), capture size 65535 bytes
05:32:15.694994 IP cl.ie.nt.IP.52809 > 1.1.1.3.23: Flags [S], seq 4020678079, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
05:32:18.703968 IP cl.ie.nt.IP.52809 > 1.1.1.3.23: Flags [S], seq 4020678079, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
05:32:24.710999 IP cl.ie.nt.IP.52809 > 1.1.1.3.23: Flags [S], seq 4020678079, win 8192, options [mss 1400,nop,nop,sackOK], length 0
 
tcpdump -lnnn -i eth0 host 1.1.1.1
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:29:48.719022 IP 1.1.1.1 > 2.2.2.2: IP cl.ie.nt.IP.52711 > 1.1.1.3.23: Flags [S], seq 2945894575, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0 (ipip-proto-4)
05:29:51.730887 IP 1.1.1.1 > 2.2.2.2: IP cl.ie.nt.IP.52711 > 1.1.1.3.23: Flags [S], seq 2945894575, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0 (ipip-proto-4)
05:29:57.737162 IP 1.1.1.1 > 2.2.2.2: IP cl.ie.nt.IP.52711 > 1.1.1.3.23: Flags [S], seq 2945894575, win 8192, options [mss 1400,nop,nop,sackOK], length 0 (ipip-proto-4)
######################################################################

No matter what I do, I am not able to connect to netcat on MACHINE 2 when I try:
telnet 1.1.1.3 <enter>
 
I don't think the DC is blocking packets. Doing "traceroute -s 1.1.1.3 some.other.ip" showed that "some.other.ip" indeed saw connections coming from 1.1.1.3.
 
I would be eternally grateful if someone can help.
 
Jenny

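A real-server-side check, added here as an example (it is not part of the post or of the LVS project), for one well-known reason a TUN real server sees the SYNs on tunl0 yet never answers: Linux reverse-path filtering on the tunnel device, which drops a decapsulated packet whose source would be routed back via eth0 rather than tunl0. It assumes the post's VIP 1.1.1.3 and device tunl0, and a 2.6.32-class kernel where the effective rp_filter is the larger of the conf/all and per-device values.

```shell
#!/bin/sh
# Constructed sanity checks for an LVS/TUN real server (not from the post or
# the LVS project). Assumed values, taken from the post: VIP 1.1.1.3 and the
# ipip device tunl0; override with VIP=... TUN=... in the environment.
VIP="${VIP:-1.1.1.3}"
TUN="${TUN:-tunl0}"

# The kernel applies max(conf/all/rp_filter, conf/<dev>/rp_filter). A decapsulated
# SYN arrives on tunl0 with the client's source address, but the route back to
# that client goes via eth0, so strict mode (1) discards it silently: it shows up
# in tcpdump on tunl0 and nothing ever answers. Loose mode (2) or off (0) passes it.
rp_filter_verdict() {
    all="$1"; dev="$2"; eff="$all"
    if [ "$dev" -gt "$eff" ]; then eff="$dev"; fi
    case "$eff" in
        1) echo drop ;;
        *) echo ok ;;
    esac
}

# Reads `ip -4 addr show` output on stdin; succeeds only if $VIP/32 is
# configured on $TUN (the way the post adds it), handling both the
# "tunl0:" and the newer "tunl0@NONE:" header forms.
vip_on_tunnel() {
    awk -v vip="$VIP/32" -v tun="$TUN" '
        /^[0-9]+: / { dev = $2; sub(/@.*$/, "", dev); sub(/:$/, "", dev) }
        $1 == "inet" && $2 == vip && dev == tun { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live mode: run as `sh check-tun.sh --live` on the real server itself.
run_live_checks() {
    p=/proc/sys/net/ipv4/conf
    if [ ! -r "$p/$TUN/rp_filter" ]; then
        echo "no $p/$TUN: is the ipip module loaded and $TUN up?"; return 1
    fi
    a=$(cat "$p/all/rp_filter"); d=$(cat "$p/$TUN/rp_filter")
    echo "rp_filter all=$a $TUN=$d -> $(rp_filter_verdict "$a" "$d")"
    if ip -4 addr show | vip_on_tunnel; then
        echo "$VIP/32 is configured on $TUN"
    else
        echo "$VIP/32 is NOT on $TUN"; return 1
    fi
}

if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

A "drop" verdict means the decapsulated SYNs are accepted by the tunnel but rejected by the routing layer before they reach the listening socket, which matches seeing them only in tcpdump.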