|
On Mon, 2012-08-13 at 13:54 +0200, Klavs Klavsen wrote:
> Appearently they are going through FORWARD - with the source IP of the
> backend - instead of the sourceIP of the VIP - that the client actually
> accessed.
You're using LVS-NAT. The only place the VIP is present in the usual
usage of this is in the external (client-facing) interface of the
director.
> Also - for some reason there's no state - so I had to allow ALL packages
> with source-port of 80 or 443 in the FORWARD chain.
ipvs works in tandem with netfilter (is part of it nowadays,
effectively), so state is recorded in the usual way in the conntrack
tables. If yours isn't, then you may be using an old enough kernel that
this doesn't happen or you don't have the appropriate netfilter modules
loaded.
Graeme
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
|
