Re: [lvs-users] postfix problem - lost connection after CONNECT

To: misch@xxxxxxxxxxxxxxxxx
Subject: Re: [lvs-users] postfix problem - lost connection after CONNECT
Cc: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>, Temuri Doghonadze <temuri.doghonadze@xxxxxxxxx>
From: George Machitidze <giomac@xxxxxxxxx>
Date: Wed, 29 Sep 2010 23:28:51 +0400
Thanks Michael

Is this applicable for our LVS server if we are trying to connect *to the* *VIP
of this LVS server* *from* the *LVS server* itself and there will be no need
to change our rules, just an upgrade of kernel?

Where can we find the patch for kernel? I don't see any changes in mainline
*2.6.36-rc6 :(*

Currently we use kernel-2.6.34.7-56.fc13.x86_64 (Fedora) with generic
patches, we can ask Fedora to include them as fix before 3.6.36 will be
included (probably FC14, ~1 month left)

On Wed, Sep 29, 2010 at 7:33 PM, Michael Schwartzkopff <
misch@xxxxxxxxxxxxxxxxx> wrote:

> On Friday 24 September 2010 18:34:23 you wrote:
> > Guten tag Michael! :)
> >
> > So, what we have and where is the problem:
> >
> > We've got LVS-NAT balancer (hostname "lba1a") with two real interfaces and
> > it is running postfix on localhost, let's take example globally-available
> > *VIP* 123.123.123.123 on one of interfaces, here is what we have when
> > iptables is on:
> >
> >
> > [root@lba1a ~]# telnet 123.123.123.123 25
> >
> > Trying 123.123.123.123...
> >
> > telnet: connect to address 77.92.229.53: Connection timed out
> >
> > [root@lba1a ~]# telnet 123.123.123.123 25
> >
> > Trying 123.123.123.123...
> >
> > Connected to 123.123.123.123.
> >
> > Escape character is '^]'.
> >
> > 220 123.123.123.123 ESMTP test server
> >
> > ^]
> >
> > telnet> Connection closed.
> >
> > [root@lba1a ~]# telnet 123.123.123.123 25
> >
> > Trying 123.123.123.123...
> >
> > telnet: connect to address 123.123.123.123: Connection timed out
> >
> > [root@lba1a ~]# telnet 123.123.123.123 25
> >
> > Trying 123.123.123.123...
> >
> >
> > this VIP in our case is eth0:1, FC13 x86-64, had same with FC11, FC12
> >
> > [root@lba1a ~]# iptables -L -n
> >
> > Chain INPUT (policy ACCEPT)
> >
> > target     prot opt source               destination
> >
> > ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> >
> > ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
> > RELATED,ESTABLISHED
> >
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
> > state NEW
> >
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
> > state NEW
> >
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
> > state NEW
> >
> > ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           helper match "ftp"
> >
> > ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
> >
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3128 state NEW
> >
> > ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
> >
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
> > state NEW
> >
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
> > state NEW
> >
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3636
> >
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
> >
> > REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with
> > icmp-port-unreachable
> >
> >
> > Chain FORWARD (policy ACCEPT)
> >
> > target     prot opt source               destination
> >
> >
> > Chain OUTPUT (policy ACCEPT)
> >
> > target     prot opt source               destination
> >
> >
> > [root@lba1a ~]# iptables -L -n -t mangle
> >
> > Chain PREROUTING (policy ACCEPT)
> >
> > target     prot opt source               destination
> >
> > MARK       tcp  --  0.0.0.0/0            123.123.123.123        tcp dpt:21 MARK set 0x15
> >
> > MARK       tcp  --  0.0.0.0/0            123.123.123.123        tcp
> > dpts:1024:65535 MARK set 0x15
> >
> >
> > Chain INPUT (policy ACCEPT)
> >
> > target     prot opt source               destination
> >
> >
> > Chain FORWARD (policy ACCEPT)
> >
> > target     prot opt source               destination
> >
> >
> > Chain OUTPUT (policy ACCEPT)
> >
> > target     prot opt source               destination
> >
> >
> > Chain POSTROUTING (policy ACCEPT)
> >
> > target     prot opt source               destination
> >
> >
> >
> > [root@lba1a ~]# iptables -L -n -t nat
> >
> > Chain PREROUTING (policy ACCEPT)
> >
> > target     prot opt source               destination
> >
> >
> > Chain POSTROUTING (policy ACCEPT)
> >
> > target     prot opt source               destination
> >
> > ACCEPT     all  --  10.1.0.0/24          10.1.0.0/24
> >
> > MASQUERADE  all  --  10.1.0.0/24          0.0.0.0/0
> >
> >
> > Chain OUTPUT (policy ACCEPT)
> >
> > target     prot opt source               destination
> >
> >
> > [root@lba1a ~]# ipvsadm --list -n
> > IP Virtual Server version 1.2.1 (size=4096)
> > Prot LocalAddress:Port Scheduler Flags
> >   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> > TCP  123.123.123.123:25 wlc persistent 3600
> >   -> 127.0.0.1:25                 Local   50     0          1
> > TCP  12.123.123.123:80 wlc persistent 3600
> >   -> 10.1.0.3:80                  Masq    50     37         319
> >   -> 10.1.0.5:80                  Masq    50     39         120
> > FWM  21 wlc
> >   -> 10.1.0.3:21                  Masq    10     0          1
> >   -> 10.1.0.5:21                  Masq    10     0          0
> >   -> 127.0.0.1:21                 Local   10     0          0
> >
> >
> > We tried with LVS redirect to localhost and without... Postfix is working
> > fine, there must be a problem somewhere at iptables/lvs
>
> Hi,
>
> there is a problem with netfilter NAT interfering with ipvs NAT. This problem
> was only solved recently. So for now DO NOT mix both NATs.
>
> See:
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.non-modified_realservers.html
>
> This feature is only implemented in kernel 2.6.36. So please be patient.
> Sorry.
>
> Greetings to Tbilisi!
>
>
> --
> Dr. Michael Schwartzkopff
> Guardinistr. 63
> 81375 München
>
> Tel: (0163) 172 50 98
>



-- 
Best regards,
George Machitidze
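As an added example (not part of this thread, and not code from the LVS project), here is a small check that applies Michael's advice mechanically: it parses the output of `ipvsadm -L -n` and `iptables -t nat -L -n`, and warns when IPVS NAT (real servers forwarded with `Masq`) is combined with netfilter NAT targets in the nat table on a kernel older than 2.6.36. The two sample listings are constructed from the ones quoted above (the VIP for port 80 is normalised to 123.123.123.123), the fixed-kernel threshold is taken from the reply, and all function names are hypothetical.

```python
import re
from typing import List, Tuple

# Constructed sample output, modelled on the ipvsadm and nat-table listings quoted in this thread.
SAMPLE_IPVSADM = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  123.123.123.123:25 wlc persistent 3600
  -> 127.0.0.1:25                 Local   50     0          1
TCP  123.123.123.123:80 wlc persistent 3600
  -> 10.1.0.3:80                  Masq    50     37         319
  -> 10.1.0.5:80                  Masq    50     39         120
FWM  21 wlc
  -> 10.1.0.3:21                  Masq    10     0          1
  -> 10.1.0.5:21                  Masq    10     0          0
  -> 127.0.0.1:21                 Local   10     0          0
"""

SAMPLE_NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.1.0.0/24          10.1.0.0/24
MASQUERADE  all  --  10.1.0.0/24          0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# iptables targets in the nat table that rewrite addresses, i.e. netfilter NAT.
NETFILTER_NAT_TARGETS = {"MASQUERADE", "SNAT", "DNAT", "REDIRECT", "NETMAP"}
# Kernel in which, per the reply above, the netfilter/IPVS NAT conflict was fixed.
FIXED_KERNEL = (2, 6, 36)


def kernel_version(uname_r: str) -> Tuple[int, ...]:
    """Turn '2.6.34.7-56.fc13.x86_64' into (2, 6, 34, 7), dropping the distro suffix."""
    m = re.match(r"(\d+(?:\.\d+)+)", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def ipvs_nat_realservers(listing: str) -> List[str]:
    """Return 'addr:port' of every real server that IPVS forwards with Masq (IPVS NAT)."""
    servers = []
    for line in listing.splitlines():
        # Real-server lines look like "  -> 10.1.0.3:80   Masq   50   37   319".
        m = re.match(r"\s*->\s+(\S+)\s+(\w+)\s+\d+", line)
        if m and m.group(2) == "Masq":
            servers.append(m.group(1))
    return servers


def netfilter_nat_rules(nat_table: str) -> List[str]:
    """Return the nat-table rule lines whose target is a netfilter NAT target."""
    rules = []
    for line in nat_table.splitlines():
        fields = line.split()
        if fields and fields[0] in NETFILTER_NAT_TARGETS:
            rules.append(line.strip())
    return rules


def check_mixed_nat(uname_r: str, ipvs_listing: str, nat_table: str) -> List[str]:
    """Return warnings; an empty list means the director is not in the known-bad state."""
    masq_rs = ipvs_nat_realservers(ipvs_listing)
    nf_rules = netfilter_nat_rules(nat_table)
    if masq_rs and nf_rules and kernel_version(uname_r) < FIXED_KERNEL:
        return [
            f"kernel {uname_r} is older than 2.6.36: IPVS NAT real servers {masq_rs} "
            f"are mixed with netfilter NAT rules {nf_rules}; expect hung or dropped "
            "connections until the two NATs are separated or the kernel is upgraded"
        ]
    return []


if __name__ == "__main__":
    for warning in check_mixed_nat("2.6.34.7-56.fc13.x86_64", SAMPLE_IPVSADM, SAMPLE_NAT_TABLE):
        print("WARNING:", warning)
```

On a live director the same functions can be fed the output of `uname -r`, `ipvsadm -L -n` and `iptables -t nat -L -n`; the check is deliberately narrow and only reports the combination the reply names, so a clean result does not rule out other firewall interactions with IPVS.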
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users