Re: Lvs and Trans-Proxy

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Lvs and Trans-Proxy
From: "Bikrant Neupane" <bikrant@xxxxxxxxxxxx>
Date: Thu, 23 Jun 2005 22:28:21 +0545
> On Thu, 23 Jun 2005, Bikrant Neupane wrote:
>
> > Director, real server and client are all on the same subnet. The Cisco router is
> > the gateway of all the hosts.
> >
> > Director setup:
> >  ipvsadm -A -f 2 -s sh
> >  ipvsadm -a -f 2 -r 202.79.45.241:80
> >
> > iptables -t mangle -I PREROUTING -p tcp --dport 80 -j MARK --set-mark 2
> > iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT
> >
> > I have turned off ip_forward and masquerading in iptables altogether.
> >
> > Tcpdump in director:
> > 202.79.45.235.1993 > 64.236.16.116.80: S 1880932316:1880932316(0) win 64240
> > <mss 1460,nop,nop,sackOK>
> > 202.79.45.235.1993 > 202.79.45.240.80: S 1880932316:1880932316(0) win 64240
> > <mss 1460,nop,nop,sackOK>
> >
> > The second packet suggests that the director is changing the destination IP
> > from 64.236.16.116 to 202.79.45.240 (the IP of the director itself).
>
> That's because of the -j REDIRECT rule. You don't want this (see the
> HOWTO). Just leave that rule out.

I have now removed the -j REDIRECT rule. But now the Director is not forwarding
the packet at all!

However, I can see the packet (SYN) redirected by the Cisco to the director hitting
the mangle rule.

With ip_forward = 0
tcpdump in director:
202.79.45.235.2151 > 212.58.240.120.80: S 2729683022:2729683022(0) win 64240
<mss 1460,nop,nop,sackOK>
202.79.45.235.2151 > 212.58.240.120.80: S 2729683022:2729683022(0) win 64240
<mss 1460,nop,nop,sackOK>
202.79.45.235.2151 > 212.58.240.120.80: S 2729683022:2729683022(0) win 64240
<mss 1460,nop,nop,sackOK>


With ip_forward = 1 I observed hundreds of SYN packets!!
By looking at the src and dst MAC addresses I found that the packet was
looping between the Cisco router and the director.

00:80:48:31:86:db --> Director interface
00:50:3e:f4:6d:e0 --> Cisco router interface

22:16:56.653006 00:50:3e:f4:6d:e0 > 00:80:48:31:86:db, ethertype IPv4
(0x0800), length 62: IP 202.79.45.235.2155 > 216.239.57.107.80: S
2858487429:2858487429(0) win 64240 <mss 1460,nop,nop,sackOK>
22:16:56.653015 00:80:48:31:86:db > 00:50:3e:f4:6d:e0, ethertype IPv4
(0x0800), length 62: IP 202.79.45.235.2155 > 216.239.57.107.80: S
2858487429:2858487429(0) win 64240 <mss 1460,nop,nop,sackOK>

How is this possible?? Instead of forwarding the packet to the Real Server
(202.79.45.241) the Director forwarded the packet to the Router. Since the
source address is that of the client, the router re-forwarded the packet to the
Director and hence the loop.

regards,
Bikrant

>
> Joe
> --
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) wm7d (dot) net - azimuthal equidistant map
> generator at http://www.wm7d.net/azproj.shtml
> Homepage http://www.austintek.com/ It's GNU/Linux!
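As an added example that is not part of the original thread: a small Python checker that reads `tcpdump -e` style lines like the ones Bikrant pasted and flags a packet that bounces between two MAC addresses with its IP header unchanged, which is exactly the router/director loop described above. The sample capture is constructed from the MACs, addresses and sequence number quoted in the post, plus one constructed unrelated packet; the bounce threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -e -n` output, modelled on the post: the same SYN
# (unchanged IP header and sequence number) shuttles between the router MAC and the
# director MAC. The last line is a constructed, unrelated packet that must not be flagged.
SAMPLE = """\
22:16:56.653006 00:50:3e:f4:6d:e0 > 00:80:48:31:86:db, ethertype IPv4 (0x0800), length 62: IP 202.79.45.235.2155 > 216.239.57.107.80: S 2858487429:2858487429(0) win 64240 <mss 1460,nop,nop,sackOK>
22:16:56.653015 00:80:48:31:86:db > 00:50:3e:f4:6d:e0, ethertype IPv4 (0x0800), length 62: IP 202.79.45.235.2155 > 216.239.57.107.80: S 2858487429:2858487429(0) win 64240 <mss 1460,nop,nop,sackOK>
22:16:56.653101 00:50:3e:f4:6d:e0 > 00:80:48:31:86:db, ethertype IPv4 (0x0800), length 62: IP 202.79.45.235.2155 > 216.239.57.107.80: S 2858487429:2858487429(0) win 64240 <mss 1460,nop,nop,sackOK>
22:16:56.653110 00:80:48:31:86:db > 00:50:3e:f4:6d:e0, ethertype IPv4 (0x0800), length 62: IP 202.79.45.235.2155 > 216.239.57.107.80: S 2858487429:2858487429(0) win 64240 <mss 1460,nop,nop,sackOK>
22:16:56.653198 00:50:3e:f4:6d:e0 > 00:80:48:31:86:db, ethertype IPv4 (0x0800), length 62: IP 202.79.45.235.2155 > 216.239.57.107.80: S 2858487429:2858487429(0) win 64240 <mss 1460,nop,nop,sackOK>
22:16:56.653207 00:80:48:31:86:db > 00:50:3e:f4:6d:e0, ethertype IPv4 (0x0800), length 62: IP 202.79.45.235.2155 > 216.239.57.107.80: S 2858487429:2858487429(0) win 64240 <mss 1460,nop,nop,sackOK>
22:16:56.700000 00:0c:29:aa:bb:cc > 00:80:48:31:86:db, ethertype IPv4 (0x0800), length 62: IP 202.79.45.235.2156 > 202.79.45.240.22: S 1000:1000(0) win 64240 <mss 1460,nop,nop,sackOK>
"""

# One `tcpdump -e` line: timestamp, link-layer src > dst, IP 4-tuple, TCP flags, seq.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), .*?"
    r"IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) (?P<seq>\d+):"
)

def parse(line):
    """Return the named fields of one capture line, or None if it is not TCP over IP."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_loops(capture, min_bounces=2):
    """Map each looping flow (sip, sport, dip, dport, seq) to its bounce count.

    A bounce is the same packet reappearing with source and destination MACs swapped:
    the frame left on the link it arrived on with the IP header unchanged. One bounce
    can be a legitimate hairpin, so only flows with >= min_bounces (assumed) are reported.
    """
    last_hop = {}
    bounces = Counter()
    for line in capture.splitlines():
        p = parse(line)
        if p is None:
            continue
        flow = (p["sip"], p["sport"], p["dip"], p["dport"], p["seq"])
        hop = (p["smac"], p["dmac"])
        prev = last_hop.get(flow)
        if prev is not None and prev == (hop[1], hop[0]):
            bounces[flow] += 1
        last_hop[flow] = hop
    return {flow: n for flow, n in bounces.items() if n >= min_bounces}
```

Run against a real `tcpdump -e -n -i <if> tcp` capture, a non-empty result means the director is handing the frame back to the router instead of to the real server's MAC.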