Mailing List Archive: Linux Virtual Server: Users

[lvs-users] IPVSADM/IPTables question

 

 



gary at primeexalia

Sep 12, 2007, 10:05 AM

Post #1 of 13 (1034 views)
[lvs-users] IPVSADM/IPTables question

I need to put together a firewall for a site that will also have a need for ipvsadm services running with it. Our original idea was to forward several of the external IP's into a second box, behind the wall, running ipvsadm.

When rethinking about the problem, we thought that we might be able to just run iptables and ipvsadm on the same box. I recall from an issue I had a couple years back that this might not be possible. So I'm checking to see if it is and if so, what I should expect.

Here is a brief overview of the network. My understanding is that for iptables, I would be using the IN path, instead of forward. The example is simplified. We use fairly restrictive firewalls as well, just trying to work through a sample.

Externally we have 6 public IP's. We'll say 1.1.1.0/29, internally we have 10.0.0.0/24.

* Firewall would be 1.1.1.2 on eth0
* Firewall would also have aliases for 1.1.1.3, 1.1.1.4, and 1.1.1.5 on eth0
* Firewall has internal address 10.0.0.1/24 on eth1
* Firewall has port forwarding set

* Real Server 1 has internal address of 10.0.0.5/25 on eth0
* Real Server 1 has external address of 1.1.1.3/32 on lo

* Real Server 2 has internal address of 10.0.0.6/25 on eth0
* Real Server 2 has external address of 1.1.1.3/32 on lo

* Real Server 3 has internal address of 10.0.0.7/25 on eth0
* Real Server 3 has external address of 1.1.1.3/32 on lo

ipvsadm rules would look like this:
-A -t 1.1.1.3:80 -s wlc
-a -t 1.1.1.3:80 -r 10.0.0.5 -g -w 100
-a -t 1.1.1.3:80 -r 10.0.0.6 -g -w 100
-a -t 1.1.1.3:80 -r 10.0.0.7 -g -w 100

iptables would have this:

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Does this sound reasonable? Will it work? Is there anything that I should worry about?



_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users


jmack at wm7d

Sep 12, 2007, 10:25 AM

Post #2 of 13 (999 views)
Re: [lvs-users] IPVSADM/IPTables question [In reply to]

On Wed, 12 Sep 2007, Gary W. Smith wrote:

> I need to put together a firewall for a site that will
> also have a need for ipvsadm services running with it.
> Our original idea was to forward several of the external
> IP's into a second box, behind the wall, running ipvsadm.

I assume you mean the box is a director.

> When rethinking about the problem, we thought that we
> might be able to just run iptables and ipvsadm on the same
> box. I recall from an issue I had a couple years back
> that this might not be possible. So I'm checking to see
> if it is and if so, what I should expect.

sometimes it works OK and sometimes it doesn't.


> * Firewall would be 1.1.1.2 on eth0
> * Firewall would also have aliases for 1.1.1.3, 1.1.1.4, and 1.1.1.5 on eth0

use secondary IPs not aliases.

> iptables would have this:
>
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

accept nic:VIP:port, all else reject

you don't want people connecting from the outside world to
anything but the VIP:port

Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!



gary at primeexalia

Sep 12, 2007, 10:38 AM

Post #3 of 13 (1003 views)
Re: [lvs-users] IPVSADM/IPTables question [In reply to]

> > IP's into a second box, behind the wall, running ipvsadm.
>
> I assume you mean the box is a director.

Yes, my terminology is less than normal today.

> > if it is and if so, what I should expect.
>
> sometimes it works OK and sometimes it doesn't.

So is this something you would recommend we explore, or just go back to
using a dual server system? When it does work, does it work reliably or
does it sometimes fail?

> > * Firewall would be 1.1.1.2 on eth0
> > * Firewall would also have aliases for 1.1.1.3, 1.1.1.4, and 1.1.1.5 on eth0
>
> use secondary IPs not aliases.

Sorry, again terminology, but then again, let me ask the question. We
add additional IP's in /etc/sysconfig/network-scripts/ifcfg-eth:<id>.
Is that considered secondary or alias?

Or should we be using ip addr add?

>
> > iptables would have this:
> >
> > -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>
> accept nic:VIP:port, all else reject
>

We reject everything to begin with. I wanted to make sure I was on
the right track. I still assume that I want to use IN and not FORWARD
(at least at this point), as the traffic is technically coming into the
firewall.

BTW, thanks for the quick response.

Gary



jmack at wm7d

Sep 12, 2007, 11:04 AM

Post #4 of 13 (1006 views)
Re: [lvs-users] IPVSADM/IPTables question [In reply to]

On Wed, 12 Sep 2007, Gary W. Smith wrote:

>> sometimes it works OK and sometimes it doesn't.
>
> So is this something you would recommend we explore, or just go back to
> using a dual server system? When it does work, does it work reliably or
> does it sometimes fail?

the problem is collisions between iptables rules and what
ip_vs() does with the packets. It's written up in the HOWTO.
Just keep adding rules. If it works once, it will work
forever.

>> use secondary IPs not aliases.
>
> Sorry, again terminology, but then again, let me ask the question. We
> add additional IP's in /etc/sysconfig/network-scripts/ifcfg-eth:<id>.
> Is that considered secondary or alias?

I don't use any of these market enhanced versions of
ethernet configuring tools. I know other people are happy
with them.

> Or should we be using ip addr add?

whatever you get to work first.

> We reject everything to begin with. I wanted to make sure I was on
> the right track. I still assume that I want to use IN and not FORWARD
> (at least at this point), as the traffic is technically coming into the
> firewall.

IN (PREROUTING) is fine

Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
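Joe's rule above, accept only NIC:VIP:port in INPUT and reject the rest, can be checked against the director's own IPVS table. The following is an added example and not code from the thread: it parses constructed `ipvsadm -L -n` and `iptables-save` text laid out like the output posted later in this thread, and reports a non-DROP INPUT policy, any virtual service with no ACCEPT that reaches it, and any ACCEPT not pinned to a NIC, VIP and port. Treating eth1 as the external NIC and the three sample rulesets are assumptions.

```python
import re

# Constructed sample in the layout of the director's `ipvsadm -L -n` output in this thread.
IPVS_OUTPUT = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.0.16.45:80 wlc
  -> 10.10.17.6:80                Route   100    0          0
  -> 10.10.17.5:80                Route   100    0          0
"""
# Constructed: the thread's "wide open" director, a nat table and no filter rules at all.
OPEN_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""
# Constructed: the rule from the first post, accepting port 80 on every NIC and address.
POST1_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""
# Constructed: a filter table following Joe's advice; eth1 is assumed to be the external NIC.
TIGHT_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -d 10.0.16.45/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

SERVICE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)")
REAL_RE = re.compile(r"^\s*->\s+(\S+):(\d+)\s+(Route|Masq|Tunnel)")


def parse_ipvs_services(text):
    """Map (proto, vip, port) -> [(rip, rport, forwarding method), ...]."""
    services, current = {}, None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), int(m.group(3)))
            services[current] = []
            continue
        m = REAL_RE.match(line)
        if m and current is not None:
            services[current].append((m.group(1), int(m.group(2)), m.group(3)))
    return services


def parse_filter_input(text):
    """Return (INPUT policy, [rule dicts]) from the filter table of iptables-save output."""
    policy, rules, in_filter = None, [], False
    for line in text.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A INPUT "):
            toks = line.split()
            rule = {"raw": line, "stateful": "--state" in toks or "--ctstate" in toks}
            for flag, key in (("-i", "in"), ("-d", "dst"), ("-p", "proto"),
                              ("--dport", "dport"), ("-j", "target")):
                if flag in toks:  # strip a /32 mask so -d compares with the bare VIP
                    rule[key] = toks[toks.index(flag) + 1].split("/")[0]
            rules.append(rule)
    return policy, rules


def audit(ipvs_text, rules_text, external_if):
    """Return a list of findings; empty means INPUT matches the IPVS table and Joe's rule."""
    findings = []
    policy, rules = parse_filter_input(rules_text)
    if policy != "DROP":
        findings.append("INPUT policy is %s, expected DROP" % (policy or "missing (no filter table)"))
    accepts = [r for r in rules if r.get("target") == "ACCEPT"]
    # IPVS takes packets at LOCAL_IN after filter INPUT, so each VIP:port needs an ACCEPT.
    for proto, vip, port in parse_ipvs_services(ipvs_text):
        reachable = any(r.get("proto") == proto.lower() and r.get("dport") == str(port)
                        and r.get("dst") in (None, vip) and r.get("in") in (None, external_if)
                        for r in accepts)
        if not reachable:
            findings.append("no INPUT ACCEPT for %s:%s:%d/%s" % (external_if, vip, port, proto))
    # Every other ACCEPT must be pinned to NIC, VIP and port (loopback and stateful rules excepted).
    for r in accepts:
        pinned = all(k in r for k in ("in", "dst", "dport"))
        if not (pinned or r.get("in") == "lo" or r["stateful"]):
            findings.append("ACCEPT not pinned to NIC:VIP:port: " + r["raw"])
    return findings


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("post1", POST1_RULES), ("tight", TIGHT_RULES)):
        print(name, audit(IPVS_OUTPUT, rules, "eth1") or ["OK"])
```

Feed it the real `ipvsadm -L -n` and `iptables-save` output of a director to get the same three kinds of findings for that box.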



gary at primeexalia

Sep 12, 2007, 11:17 AM

Post #5 of 13 (1002 views)
Re: [lvs-users] IPVSADM/IPTables question [In reply to]

Thanks for the info. I'm going to try to setup a test environment tonight or tomorrow and play around with it. I just didn't want to waste the time if it was something that wouldn't work in the long run.

Gary



gary at primeexalia

Sep 13, 2007, 8:03 AM

Post #6 of 13 (997 views)
Re: [lvs-users] IPVSADM/IPTables question [In reply to]

Joe,

I have included a configuration from my test environment below. I've had mixed success and am probably missing something simple. I can reliably hit the LVS machines from anything inside the test network, but anything outside the firewall box (which is currently wide open) doesn't work. Below are all of the configurations, including actual IP's.

I'm unsure if I'm running the routes right. One thing I read said to delete the local routes and force everything out the firewall. Somewhere I read that I should use ipip (some of these are just Google notes, with no response as to whether it worked or not).

I've also tried using -m instead of -g, but that didn't seem to make a difference.

Can you take a look at the config and let me know if something stands out as broken?

Thanks,

Gary

Test configuration:

4 boxes, configured as follows:

Box 1, firewall/director.
[root [at] hsdevfiw0 sysconfig]# ip addr
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:05:86:c8:7f brd ff:ff:ff:ff:ff:ff
inet 10.10.17.254/24 brd 10.10.17.255 scope global eth0
inet6 fe80::240:5ff:fe86:c87f/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:02:a5:59:42:b2 brd ff:ff:ff:ff:ff:ff
inet 10.0.16.44/24 brd 10.0.16.255 scope global eth1
inet 10.0.16.45/24 scope global secondary eth1
inet6 fe80::202:a5ff:fe59:42b2/64 scope link
valid_lft forever preferred_lft forever

[root [at] hsdevfiw0 sysconfig]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.10.17.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 10.0.16.254 0.0.0.0 UG 0 0 0 eth1

[root [at] hsdevfiw0 sysconfig]# ipvsadm
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 10.0.16.45:http wlc
-> 10.10.17.6:http Route 100 0 0
-> 10.10.17.5:http Route 100 0 0

[root [at] hsdevfiw0 sysconfig]# iptables-save
# Generated by iptables-save v1.3.1 on Thu Sep 13 06:29:46 2007
*nat
:PREROUTING ACCEPT [1302:307491]
:POSTROUTING ACCEPT [6:324]
:OUTPUT ACCEPT [32:1946]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 20005 -j DNAT --to-destination 10.10.17.5:22
-A PREROUTING -i eth1 -p tcp -m tcp --dport 20006 -j DNAT --to-destination 10.10.17.6:22
-A PREROUTING -i eth1 -p tcp -m tcp --dport 20007 -j DNAT --to-destination 10.10.17.7:22
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Thu Sep 13 06:29:46 2007

[root [at] hsdevfiw0 sysconfig]# grep forward /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1



Box 2, test web server A
[root [at] hsdevweb0 ~]# ip addr
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet 10.0.16.45/32 scope global lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0d:88:3d:c5:82 brd ff:ff:ff:ff:ff:ff
inet 10.10.17.5/24 brd 10.10.17.255 scope global eth0
inet6 fe80::20d:88ff:fe3d:c582/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:02:a5:03:de:d5 brd ff:ff:ff:ff:ff:ff

[root [at] hsdevweb0 ~]# grep arp /etc/sysctl.conf
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

[root [at] hsdevweb0 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.17.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.10.17.254 0.0.0.0 UG 0 0 0 eth0



Box 3, test web server B
[root [at] hsdevweb0 ~]# ip addr
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet 10.0.16.45/32 scope global lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:05:7d:98:ca brd ff:ff:ff:ff:ff:ff
inet 10.10.17.6/24 brd 10.10.17.255 scope global eth0
inet6 fe80::240:5ff:fe7d:98ca/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:02:a5:0f:64:54 brd ff:ff:ff:ff:ff:ff

[root [at] hsdevweb0 ~]# grep arp /etc/sysctl.conf
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

[root [at] hsdevweb0 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.17.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.10.17.254 0.0.0.0 UG 0 0 0 eth0


Box 4, test box on the inside of the dev firewall
[root [at] hsdevmta0 ~]# ip addr
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0d:88:46:1b:22 brd ff:ff:ff:ff:ff:ff
inet 10.10.17.7/24 brd 10.10.17.255 scope global eth0
inet6 fe80::20d:88ff:fe46:1b22/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:02:a5:1f:85:ad brd ff:ff:ff:ff:ff:ff

[root [at] hsdevmta0 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.17.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.10.17.254 0.0.0.0 UG 0 0 0 eth0

[root [at] hsdevmta0 ~]# wget 10.0.16.44
--04:02:54-- http://10.0.16.44/
=> `index.html'
Connecting to 10.0.16.44:80... failed: Connection refused.

[root [at] hsdevmta0 ~]# wget 10.0.16.45 <== Expected response, HTTP answered
--04:02:56-- http://10.0.16.45/
=> `index.html'
Connecting to 10.0.16.45:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
04:02:57 ERROR 403: Forbidden.

Box 4, test box on the outside of the dev firewall
[root [at] soho0 ~]# ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:16:ff:aa:00:01 brd ff:ff:ff:ff:ff:ff
inet 10.0.16.171/24 brd 10.0.16.255 scope global eth0
inet6 fe80::216:ffff:feaa:1/64 scope link
valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
[root [at] soho0 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.0.16.254 0.0.0.0 UG 0 0 0 eth0
[root [at] soho0 ~]# ping 10.0.16.45 -c 1
PING 10.0.16.45 (10.0.16.45) 56(84) bytes of data.
64 bytes from 10.0.16.45: icmp_seq=0 ttl=64 time=0.281 ms

--- 10.0.16.45 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.281/0.281/0.281/0.000 ms, pipe 2
[root [at] soho0 ~]# telnet 10.0.16.45 80
Trying 10.0.16.45...
telnet: connect to address 10.0.16.45: Connection timed out







gary at primeexalia

Sep 13, 2007, 8:04 AM

Post #7 of 13 (996 views)
Re: [lvs-users] IPVSADM/IPTables question [In reply to]

Correction, when I switch from -g to -m, external works, internal fails (lack of sleep from setting up environment all night :)).




jmack at wm7d

Sep 13, 2007, 8:27 AM

Post #8 of 13 (998 views)
Re: [lvs-users] IPVSADM/IPTables question [In reply to]

On Thu, 13 Sep 2007, Gary W. Smith wrote:

> Correction, when I switch from -g to -m, external works,
> internal fails (lack of sleep from setting up environment
> all night :)).
>
>
> ________________________________
>
> From: lvs-users-bounces [at] linuxvirtualserver on behalf of Gary W. Smith
> Sent: Thu 9/13/2007 8:03 AM
> To: LinuxVirtualServer.org users mailing list.; LinuxVirtualServer.org users mailing list.
> Subject: Re: [lvs-users] IPVSADM/IPTables question
>
>
>
> Joe,
>
> I have included a configuration from my test environment
> below. I've had mixed success and am probably missing
> something simple. I can reliably hit the LVS machines
> from anything inside the test network, but anything
> outside the firewall box (which is currently wide open)
> doesn't work. Below are all of the configurations,
> including actual IP's.

I have no idea what "reliably hit" and "doesn't work" mean.

> Can you take a look at the config and let me know if something stands out as broken?

I find the machines a lot more reliable at diagnosing a
script than me, sorry. I plunk away at it one rule at a
time.

Joe


--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!



gary at primeexalia

Sep 13, 2007, 8:27 AM

Post #9 of 13 (994 views)
Re: [lvs-users] IPVSADM/IPTables question [In reply to]

Joe,

I think I have it. I missed the part about deleting the local route when using masquerade. When I do that I can access it from both environments.

On both of the realservers, I ran "route del -net 10.10.17.0 netmask 255.255.255.0" and kept my rules with masquerade.

I can now see traffic in ipvsadm as expected.

[root [at] hsdevfiw0 ~]# ipvsadm -l -n --stats
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Conns InPkts OutPkts InBytes OutBytes
-> RemoteAddress:Port
TCP 10.0.16.45:80 120 629 616 64004 278061
-> 10.10.17.5:80 64 313 293 35578 55198
-> 10.10.17.6:80 56 316 323 28426 222863

One last question though, for local traffic, will this put much more of a load on the firewall? We do have other services that we will use LVS on but these are internal only traffic, which I assume we could do direct route but since we have dropped the local route, I assume these will loop back to the firewall for the first routing requests from the web servers, until the direct route is established.

Any ideas/thoughts/suggestions?

Gary
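The fix described above (deleting the realserver's connected route so every reply goes back through the director) can be verified with a route lookup. The following is an added example, not code from the thread: it parses constructed `route -n` text matching the realserver tables posted earlier and reports, per client address, whether the realserver's reply is handed to the director at 10.10.17.254 (the director's eth0 address from the posted config), which LVS-NAT needs in order to rewrite the reply's source back to the VIP. The two client addresses are the outside box and the inside test box from the thread; everything else is an assumption of this example.

```python
import ipaddress

# Director's address on the realserver side, from the thread's `ip addr` output on box 1.
DIRECTOR = ipaddress.ip_address("10.10.17.254")

# Constructed: a realserver's `route -n` as posted in the thread, before the fix.
BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.17.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         10.10.17.254    0.0.0.0         UG    0      0        0 eth0
"""
# Constructed: the same table after `route del -net 10.10.17.0 netmask 255.255.255.0`.
AFTER = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         10.10.17.254    0.0.0.0         UG    0      0        0 eth0
"""


def parse_routes(text):
    """Parse `route -n` lines into (network, gateway or None when on-link, iface) tuples."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 8 or not toks[0][0].isdigit():
            continue  # header lines
        dest, gw, mask, flags, iface = toks[0], toks[1], toks[2], toks[3], toks[7]
        net = ipaddress.ip_network("%s/%s" % (dest, mask), strict=False)
        gateway = ipaddress.ip_address(gw) if "G" in flags else None
        routes.append((net, gateway, iface))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: (gateway or None for on-link, iface), or None if unroutable."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def reply_via_director(routes, client, director=DIRECTOR):
    """True when the realserver's reply to `client` is handed to the director.

    In LVS-NAT the director rewrites the reply's source back to the VIP; a reply that
    reaches the client on any other path still carries the RIP, so the client's TCP
    stack cannot match it to its connection to the VIP."""
    hop = next_hop(routes, client)
    return hop is not None and hop[0] == director


def check_clients(route_text, clients):
    """Map each client address to whether its replies pass back through the director."""
    routes = parse_routes(route_text)
    return {c: reply_via_director(routes, c) for c in clients}


if __name__ == "__main__":
    clients = ["10.0.16.171", "10.10.17.7"]  # outside box and inside test box from the thread
    print("before:", check_clients(BEFORE, clients))
    print("after: ", check_clients(AFTER, clients))
```

With the connected route present, the reply to the inside box 10.10.17.7 goes straight out eth0 and bypasses the director, which is the "internal fails" symptom; after the deletion both clients are reached via 10.10.17.254.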

169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.10.17.254 0.0.0.0 UG 0 0 0 eth0



Box 3, test web server B
[root [at] hsdevweb0 ~]# ip addr
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet 10.0.16.45/32 scope global lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:05:7d:98:ca brd ff:ff:ff:ff:ff:ff
inet 10.10.17.6/24 brd 10.10.17.255 scope global eth0
inet6 fe80::240:5ff:fe7d:98ca/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:02:a5:0f:64:54 brd ff:ff:ff:ff:ff:ff

[root [at] hsdevweb0 ~]# grep arp /etc/sysctl.conf
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

[root [at] hsdevweb0 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.17.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.10.17.254 0.0.0.0 UG 0 0 0 eth0


Box 4, test box on the inside of the dev firewall
[root [at] hsdevmta0 ~]# ip addr
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0d:88:46:1b:22 brd ff:ff:ff:ff:ff:ff
inet 10.10.17.7/24 brd 10.10.17.255 scope global eth0
inet6 fe80::20d:88ff:fe46:1b22/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:02:a5:1f:85:ad brd ff:ff:ff:ff:ff:ff

[root [at] hsdevmta0 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.17.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.10.17.254 0.0.0.0 UG 0 0 0 eth0

[root [at] hsdevmta0 ~]# wget 10.0.16.44
--04:02:54-- http://10.0.16.44/
=> `index.html'
Connecting to 10.0.16.44:80... failed: Connection refused.

[root [at] hsdevmta0 ~]# wget 10.0.16.45 <== Expected response, HTTP answered
--04:02:56-- http://10.0.16.45/
=> `index.html'
Connecting to 10.0.16.45:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
04:02:57 ERROR 403: Forbidden.

Box 4, test box on the outside of the dev firewall
[root [at] soho0 ~]# ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:16:ff:aa:00:01 brd ff:ff:ff:ff:ff:ff
inet 10.0.16.171/24 brd 10.0.16.255 scope global eth0
inet6 fe80::216:ffff:feaa:1/64 scope link
valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
[root [at] soho0 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.0.16.254 0.0.0.0 UG 0 0 0 eth0
[root [at] soho0 ~]# ping 10.0.16.45 -c 1
PING 10.0.16.45 (10.0.16.45) 56(84) bytes of data.
64 bytes from 10.0.16.45: icmp_seq=0 ttl=64 time=0.281 ms

--- 10.0.16.45 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.281/0.281/0.281/0.000 ms, pipe 2
[root [at] soho0 ~]# telnet 10.0.16.45 80
Trying 10.0.16.45...
telnet: connect to address 10.0.16.45: Connection timed out





_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
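The real-server side of the LVS-DR setup quoted above has three prerequisites that are easy to get subtly wrong: the VIP on lo as a /32, arp_ignore=1 and arp_announce=2 on "all" and on every non-loopback interface. The following is an added example (not from the list or from LVS) that parses constructed sysctl and `ip addr` text in the format shown in the post and reports which prerequisites are missing; the VIP and sample values are taken from the post, the function names are my own.

```python
"""Sanity checks for an LVS-DR real server (added example, not from the list)."""
import re

# Constructed sample input mirroring web server A in the thread.
SAMPLE_SYSCTL = """net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
"""
SAMPLE_IP_ADDR = """1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
    inet 127.0.0.1/8 scope host lo
    inet 10.0.16.45/32 scope global lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 10.10.17.5/24 brd 10.10.17.255 scope global eth0
"""

def parse_sysctl(text):
    """Turn 'key = value' lines (sysctl.conf or `sysctl -a` style) into a dict."""
    return {k.strip(): v.strip()
            for k, v in (line.split("=", 1) for line in text.splitlines() if "=" in line)}

def parse_ip_addr(text):
    """Return {iface: [cidr, ...]} of IPv4 addresses from `ip addr` output."""
    addrs, iface = {}, None
    for line in text.splitlines():
        m = re.match(r"\d+: (\S+):", line)
        if m:
            iface = m.group(1)
            addrs[iface] = []
        elif iface and line.strip().startswith("inet "):
            addrs[iface].append(line.split()[1])
    return addrs

def check_dr_realserver(vip, sysctl_text, ip_addr_text):
    """Return a list of problems; an empty list means the DR prerequisites hold."""
    problems = []
    sysctl = parse_sysctl(sysctl_text)
    addrs = parse_ip_addr(ip_addr_text)
    if f"{vip}/32" not in addrs.get("lo", []):
        problems.append(f"VIP {vip}/32 is not configured on lo")
    # "all" plus every physical interface must refuse to answer ARP for the VIP.
    for iface in ("all",) + tuple(i for i in addrs if i != "lo"):
        if sysctl.get(f"net.ipv4.conf.{iface}.arp_ignore") != "1":
            problems.append(f"net.ipv4.conf.{iface}.arp_ignore should be 1")
        if sysctl.get(f"net.ipv4.conf.{iface}.arp_announce") != "2":
            problems.append(f"net.ipv4.conf.{iface}.arp_announce should be 2")
    return problems
```

Run it against the real output of `sysctl -a` and `ip addr` on each real server; any non-empty result is a reason for the director's forwarded packets to be answered by the wrong host or not at all.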


jmack at wm7d

Sep 13, 2007, 10:31 AM

Post #10 of 13 (993 views)
Permalink
Re: [lvs-users] IPVSADM/IPTables question [In reply to]

On Thu, 13 Sep 2007, Gary W. Smith wrote:

> Joe, One last question though, for local traffic, will
> this put much more of a load on the firewall?

what's "this" ?

(You reposted your original posting below here. Please edit
out redundant material - thanks)


Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!



gary at primeexalia

Sep 13, 2007, 10:41 AM

Post #11 of 13 (995 views)
Permalink
Re: [lvs-users] IPVSADM/IPTables question [In reply to]

Joe,

Sorry about the redundant posting. In reference to "this", I meant using the director for masquerading, which was forcing the removal of the local route.

So to restate the question, hopefully a little more intelligently this time: given that I'm masquerading the connections through the director, which then requires all of the real servers to lose their local route and depend on the firewall, what type of load will it put on the server that is housing the director?

We are putting the new firewall/director in place and I just wanted to make sure that it will be able to handle whatever load we throw at it. Currently we have allocated a couple of 1.8GHz boxes with 1GB RAM, but if we need more powerful machines, we'll get them.






jmack at wm7d

Sep 13, 2007, 10:59 AM

Post #12 of 13 (993 views)
Permalink
Re: [lvs-users] IPVSADM/IPTables question [In reply to]

On Thu, 13 Sep 2007, Gary W. Smith wrote:

> We are putting the new firewall/director in place and I
> just wanted to make sure that it will be able to handle
> whatever load we through at it. Currently we have
> allocated a couple 1.8ghz boxes with 1gb ram but if we
> need more powerful machines, we'll get them.

you haven't told me the amount of traffic you'll be getting.

A 400MHz computer will saturate 100Mbps ethernet, if that helps.

Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!



gary at primeexalia

Sep 13, 2007, 11:16 AM

Post #13 of 13 (993 views)
Permalink
Re: [lvs-users] IPVSADM/IPTables question [In reply to]

Joe,

That does help. We don't expect to saturate a full 100Mbps connection at this time. Currently we're doing about 5Mbps right now in production, but we have a dual server system (netfilter on the firewall and director behind it). Internally we will be using 1Gbit cards, but I doubt that those will be saturated either, at this point in time.

I think that I have everything that I need now. I'm currently documenting everything I did so I can retest, and will be setting up the final network in a couple of days (then several days of testing). Overall it appears to be working as desired.

Thanks for the help and information.

Gary

