kl at vsen
Aug 13, 2012, 4:44 AM
Post #3 of 8
(512 views)
Permalink
|
|
Re: [lvs-users] lvs masq response package not getting picked up
[In reply to]
|
|
I enabled logging in iptables for both INPUT and FORWARD, and got this
in logs:
IN=eth2 OUT=eth2 SRC=Y.Y.Y.105 DST=MyInternetClientIP LEN=60 TOS=0x00
PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=51617 WINDOW=5792 RES=0x00
ACK SYN URGP=0
The odd thing, is that eth2 is internal and eth3 is internet. That
package should have been destined for eth3 (seeing as that's where it
came from originally) - but perhaps that some LVS detail?
Klavs Klavsen said the following on 08/13/2012 01:20 PM:
> Hi,
>
> I've setup a server, with public IPs (currently only one though) on one
> interface, and an internal ip on another interface - where the backend
> webservers are hosted.
>
> My problem is that I see the request package (going to X.X.X.167 port
> 80) go through to the backend fine (the Syn package) and I see the
> backend (which has the LVS server as default gw) response when I tcpdump
> on the internal interface of the LVS server.
>
> The response however, is newer relayed on the LVS servers external
> interface :(
>
> I hope you can help me debug, or suggest things I could do, to debug.
>
> My setup is as follows:
>
> I've setup ipvs in kernel, using ldirectord - ipvsadm -ln shows:
> TCP X.X.X.167:80 wrr persistent 900
> -> Y.Y.Y.105:80 Masq 2 0 0
> TCP X.X.X.167:443 wrr persistent 900
> -> Y.Y.Y.105:443 Masq 2 0 0
>
> with X.X.X.167 being my public ip, and Y.Y.Y.105 being the internal one.
>
> Iptables is enabled and output is like this:
> [root [at] lb ~]# iptables -L -n
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW
> tcp dpt:22
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
> ACCEPT tcp -- B.B.B.162 0.0.0.0/0 state NEW tcp
> dpt:8080
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with
> icmp-host-prohibited
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW
> tcp dpt:80
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW
> tcp dpt:443
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with
> icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> [root [at] lb ~]# iptables -L -n -t nat
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
--
Regards,
Klavs Klavsen, GSEC - kl [at] vsen - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
|
