RE: LVS-NAT + SNAT is it impossible?

To: "'LinuxVirtualServer.org users mailing list.'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: LVS-NAT + SNAT is it impossible?
From: "Chris Newland" <chrisn@xxxxxxxxxx>
Date: Thu, 13 Jul 2006 09:42:53 +0100
Hi Paulo,

My use of LVS is for simple HTTP(S) load balancing. My realservers each have
a single non-routable IP (10.0.0.x).

I have no need to make my realservers publicly accessible so non-routable
RIPs are fine for me.

The clients send their requests to the VIP and get the response from the VIP
(the only option since my RIPs are non-routable).

I use the SNAT iptables rule so that my realservers can make unsolicited
connections to the outside world (package updates, remote syslog, backups
etc). The source IP for these outbound connections is the VIP.

Please could you explain what high-level problem you are trying to solve and
I'll see if I can help?

Regards,

Chris

-----Original Message-----
From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Paulo F.
Andrade
Sent: 11 July 2006 17:23
To: LinuxVirtualServer.org users mailing list.
Subject: Re: LVS-NAT + SNAT is it impossible?

That's not quite what I'm looking for.
What I want is the following:
- for inbound connections I want packets with CIP->VIP translated to  
DIP->RIP
- for outbound connections (the responses from the real servers)  
packets with RIP->DIP translated to VIP->CIP

LVS-NAT only does DNAT, meaning CIP->VIP changes to CIP->RIP and the  
response from RIP->CIP to VIP->CIP.
The problem is that after LVS changes the VIP to RIP for inbound  
connections, it seems that packets don't traverse the POSTROUTING  
chain to get SNAT'ed.

Is there a workaround for this?

Paulo F. Andrade 52439@IST
mailto: pfca@xxxxxxxxxxxxxxx


On 2006/07/11, at 16:58, Chris Newland wrote:

> Hi Paulo,
>
> I use LVS-NAT and SNAT by using the following iptables rule:
>
> iptables -t nat -A POSTROUTING \
> -s 10.0.0.0/255.255.255.0 -o eth0 \
> -j SNAT \
> --to-source x.x.x.x <public IP of your director>
>
> My realservers only have non-routable IP addresses (10.0.0.*)
>
> The realservers can all connect to servers on the internet and when  
> they do,
> the IP source address is that of the director.
>
> Is this what you are looking for?
>
> Regards,
>
> Chris
>
> -----Original Message-----
> From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of  
> Paulo F.
> Andrade
> Sent: 11 July 2006 15:55
> To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Subject: LVS-NAT + SNAT is it impossible?
>
> Hi,
>
> I'm currently testing a solution for load balancing servers on a
> different network from the directors.
> The obvious solution would be to use LVS-TUN, but I can't change the
> routes on the router in the real servers network to accept packets
> with source VIP. A solution to this would be to tunnel back the
> packets to the director, but then I have the martian packets  
> problem...
>
> Not wanting to patch the kernel, I came up with this solution:
> - put secondary addresses of type 192.168.0.xxx on the real servers.
> - use LVS-NAT to balance connections to those IP addresses
> - construct a two-way tunnel (using iproute2) based on the
> destination IP addresses
>
> Surprisingly this works, but it's a little too complex for my liking :)
>
> A better and simpler solution would be to use LVS-NAT and then SNAT
> in the POSTROUTING, but according to numerous sources (LVS HOWTO,
> this mailing list's archive...) this is not possible because
> LVS-NAT'ed packets don't traverse the POSTROUTING chain.
>
> Is it impossible to SNAT packets in an LVS-NAT setup?
>
> PS: I also found this on the LVS HOWTO
> (http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-NAT.html#lvs_net_extending):
>
> "Tao Zhao taozhao (at) cs (dot) nyu (dot) edu 01 May 2002 LVS-NAT
> assumes that all servers are behind the director, so the director
> only need to change the destination IP when a request comes in and
> forward that to the scheduled realserver. When the reply packets go
> through the director it will change the source IP. This limits the
> deployment of LVS using NAT: the director must be the outgoing
> gateway for all servers.
> I am wondering if I can change the code so that both source and
> destination IPs are changed in both ways. For example, CIP: client
> IP; DIP: director IP; SIP: server IP (public IPs);
>
> Client->Director->Server: address pair (CIP, DIP) is changed to (DIP,
> SIP)
> Server->Director->Client: address pair (SIP, DIP) is changed to (DIP,
> CIP).
>
>
> Lars
>
> Not very efficient; but this can actually already be done by using
> the port-forwarding feature AFAIK, or by a userspace application
> level gateway. "
>
> How does port forwarding enable me to do this? And what userspace
> application is he talking about?
>
> Thank you for your time and sorry for the long e-mail!
>
> Paulo F. Andrade 52439@IST
> mailto: pfca@xxxxxxxxxxxxxxx
>
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
>
>
>
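The exchange above turns on one detail: in LVS-NAT the director only rewrites the destination on the way in, so the realserver's reply is addressed to the client and must be routed back through the director, whereas the full NAT Paulo describes (and the HOWTO quote calls "both source and destination IPs changed in both ways") makes the reply addressed to the director itself. The following is an added example, not code from this thread or from the LVS project: a small Python model of the two translation modes plus the POSTROUTING SNAT Chris uses for realserver-initiated traffic. The addresses are constructed from RFC 5737 documentation ranges, the Director class is a simplification of IPVS rather than kernel code, and the realserver routing table in next_hop() is assumed (one interface on the 10.0.0.0/24 network, one default route).

```python
# Added example, not code from the thread or from the LVS project: a model of
# the header rewriting a director performs in LVS-NAT (DNAT only) versus the
# full NAT (DNAT + SNAT) Paulo asks for, plus the POSTROUTING SNAT Chris uses
# for realserver-initiated traffic. Addresses are constructed from RFC 5737
# documentation ranges; Director is a simplification of IPVS, not kernel code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count

CIP = "203.0.113.10"            # a client on the Internet
VIP = "198.51.100.1"            # director's public address = service address
DIP = "10.0.0.1"                # director's address on the realserver network
RS_NET = ip_network("10.0.0.0/24")
REALSERVERS = ("10.0.0.20", "10.0.0.21")   # non-routable RIPs, as in Chris's setup


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Director:
    """Round-robin scheduler with a connection table, in LVS-NAT or full-NAT mode."""

    def __init__(self, full_nat=False):
        self.full_nat = full_nat
        self._rr = count()
        self._ports = count(1024)   # ports the director uses when it rewrites a source
        self.table = {}             # (CIP, cport) -> (RIP, director-side port)
        self.snat = {}              # (dst, dport, director-side port) -> (RIP, rport)

    def inbound(self, pkt):
        """Client -> director: DNAT to the scheduled realserver."""
        if pkt.dst != VIP:
            raise ValueError("not addressed to the VIP; would be forwarded unchanged")
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            rip = REALSERVERS[next(self._rr) % len(REALSERVERS)]
            self.table[key] = (rip, next(self._ports))
        rip, nport = self.table[key]
        if self.full_nat:
            # CIP->VIP becomes DIP->RIP: the realserver sees the director as the client.
            return Packet(DIP, nport, rip, pkt.dport)
        # LVS-NAT: CIP->VIP becomes CIP->RIP; the source address is left alone.
        return Packet(pkt.src, pkt.sport, rip, pkt.dport)

    def reply(self, pkt):
        """Realserver -> director: undo whatever inbound() recorded."""
        if self.full_nat:
            for (cip, cport), (rip, nport) in self.table.items():
                if (pkt.src, pkt.dst, pkt.dport) == (rip, DIP, nport):
                    return Packet(VIP, pkt.sport, cip, cport)
            raise LookupError("no connection entry")
        rip, _ = self.table.get((pkt.dst, pkt.dport), (None, None))
        if rip != pkt.src:
            raise LookupError("no connection entry")
        return Packet(VIP, pkt.sport, pkt.dst, pkt.dport)

    def outbound(self, pkt):
        """Realserver-initiated connection leaving the realserver network: the
        POSTROUTING SNAT rule rewrites RIP->X to VIP->X (Chris's rule)."""
        if ip_address(pkt.src) not in RS_NET or ip_address(pkt.dst) in RS_NET:
            return pkt
        nport = next(self._ports)
        self.snat[(pkt.dst, pkt.dport, nport)] = (pkt.src, pkt.sport)
        return Packet(VIP, nport, pkt.dst, pkt.dport)


def next_hop(pkt, default_gw):
    """Constructed realserver routing table: one interface on RS_NET, default via default_gw."""
    return pkt.dst if ip_address(pkt.dst) in RS_NET else default_gw


def trace(full_nat, default_gw):
    """Follow one HTTP request and its reply through the director and realserver."""
    d = Director(full_nat)
    to_rs = d.inbound(Packet(CIP, 40000, VIP, 80))
    from_rs = Packet(to_rs.dst, 80, to_rs.src, to_rs.sport)   # realserver answers whoever it saw
    hop = next_hop(from_rs, default_gw)
    # In LVS-NAT the reply is addressed to CIP, so it only comes back through the
    # director if the director is the realserver's default gateway. In full NAT it
    # is addressed to DIP and reaches the director regardless of the default route.
    client_sees = d.reply(from_rs) if hop == DIP else None
    return {"realserver_sees": to_rs, "reply_next_hop": hop,
            "reaches_director": hop == DIP, "client_sees": client_sees}


if __name__ == "__main__":
    for mode, gw in ((False, DIP), (False, "10.0.0.254"), (True, "10.0.0.254")):
        print("full_nat=%s default_gw=%s -> %s" % (mode, gw, trace(mode, gw)))
```

Running trace() with the director as default gateway shows the normal LVS-NAT round trip; pointing the realserver's default route elsewhere shows the reply leaving with a 10.0.0.x source and never reaching the director, which is exactly the constraint Paulo wants to escape, and full-NAT mode shows the reply addressed to DIP and translated back to VIP->CIP regardless of the default route.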