
Mailing List Archive: Linux Virtual Server: Users

[lvs-users] LVS SNAT latest kernel/iptables

 

 



James.Scrymgeour at ultra-ccs

Aug 1, 2012, 3:07 AM


Hi,



I have been trawling around the internet and your archives to try and
find a solution to a problem getting SNAT to work with LVS. I have
managed to get LVS working with the configuration below; however, it
doesn't touch the iptables POSTROUTING table for the SNAT to take
effect. To prove this I have used tcpdump and seen the SYN messages
going to my real servers without being SNATted. I have also enabled
iptables logging on POSTROUTING but not a single log message appears;
the PREROUTING table can see all packets, though.



I have seen similar questions in the mailing list but not a conclusive
answer to get this working. I have also seen the guide at:

http://blog.loadbalancer.org/enabling-snat-in-lvs-xt_ipvs-and-iptables/

which is basically what I have followed with my own IPs/ports, without
the kernel/iptables compiling.



My basic configuration is:



Fedora 16

Kernel - 3.1.0-7.fc16.i686 - confirmed the xt_ipvs module is there

Iptables - 1.4.12-2.fc16.i686

Ipvsadm - 1.26-3.fc16.i686



I have configured 2 IPs as:

192.168.20.1/24

192.168.10.1/24



And run the following commands to configure the LVS/SNAT:

iptables -F -v

ipvsadm -A -t 192.168.20.1:2001 -s rr
ipvsadm -a -t 192.168.20.1:2001 -r 192.168.10.100:80 -m

iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.20.1/24 --vport 2001 -j SNAT --to-source 192.168.10.1



iptables -t nat -L shows
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all - anywhere anywhere vaddr 192.168.20.0/24 vport 80 to:192.168.10.1



ipvsadm -ln displays
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.20.1:2001 rr
-> 192.168.10.100:2001 Masq 1 0 0



I have attempted doing this using unused IP addresses; however, it doesn't
accept any connections on the virtual servers.



TCPDUMP shows

192.168.20.1 receiving the syn

The syn being sent to 192.168.10.100 but the source still being
192.168.20.100



Thanks for your help

James
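
A cross-check of the two listings in the post, added here as an example and not part of the original message or of any LVS tooling: it parses the `ipvsadm -ln` and `iptables -t nat -L` output as posted (wrapped lines rejoined) and reports virtual services that no `-m ipvs` SNAT rule would select. The function names are hypothetical, and the check covers only address/port agreement between the two tables.

```python
import ipaddress
import re

# Listings as shown in the post (wrapped lines rejoined).
IPVSADM_LN = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.20.1:2001 rr
-> 192.168.10.100:2001 Masq 1 0 0
"""
IPTABLES_NAT_L = """\
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all - anywhere anywhere vaddr 192.168.20.0/24 vport 80 to:192.168.10.1
"""

def virtual_services(text):
    """Return [(proto, vip, vport)] from `ipvsadm -ln` output (IPv4 only)."""
    pat = re.compile(r"^(TCP|UDP)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s", re.M)
    return [(p, ipaddress.ip_address(a), int(port)) for p, a, port in pat.findall(text)]

def ipvs_snat_rules(text):
    """Return [(vaddr_net|None, vport|None, to_source)] for SNAT rules with an ipvs match."""
    rules = []
    for line in text.splitlines():
        to = re.search(r"\bto:(\S+)", line)
        vaddr = re.search(r"\bvaddr (\S+)", line)
        vport = re.search(r"\bvport (\d+)", line)
        if line.startswith("SNAT") and to and (vaddr or vport):
            net = ipaddress.ip_network(vaddr.group(1), strict=False) if vaddr else None
            rules.append((net, int(vport.group(1)) if vport else None, to.group(1)))
    return rules

def uncovered_services(ipvsadm_text, nat_text):
    """Virtual services that no ipvs-matching SNAT rule would select."""
    rules = ipvs_snat_rules(nat_text)
    missing = []
    for proto, vip, vport in virtual_services(ipvsadm_text):
        hit = any((net is None or vip in net) and (port is None or port == vport)
                  for net, port, _ in rules)
        if not hit:
            missing.append(f"{proto} {vip}:{vport}")
    return missing

if __name__ == "__main__":
    for svc in uncovered_services(IPVSADM_LN, IPTABLES_NAT_L):
        print("no ipvs SNAT rule matches virtual service", svc)
```

On the listings as posted, this reports `TCP 192.168.20.1:2001`, because the listed rule matches vport 80 while the virtual service listens on port 2001.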

