LVS-NAT and packets originating from realserver
mack.joseph at epa.gov
Wed Aug 25 17:30:45 BST 2004
Francois JEANMOUGIN wrote:
> C. R. Oldham :
> > Joe :
> > > Let's say you can figure out how to do this...
> > >
> > > The replies coming from the machine on the internet will have
> > > dst_addr=VIP.
> > > The director will see the packets and since they aren't part
> > > of an established
> > > connection, they will be dropped.
> > You can do this with policy-based routing in the 2.6 series of kernels.
> > On my Debian realservers I have this in the /etc/networks/interfaces
> > file:
> Well, well, I have a pretty more failsafe setup, finally. I just had time one
> hour ago to try it. The answer is: "Just use SNAT" :
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $VIP
> It is pretty simple. The VIP does not have to be up on the system, the rule
> stays there unemployed. In case of a director switch, even if vrrp adds the
> VIP as a secondary (or alias) interface, the outgoing packets will have the
> VIP as the source address.
How does the reply from the machine on the internet get back to the realserver
that initiated the connection?
Joseph Mack PhD, High Performance Computing & Scientific Visualization
LMIT, Supporting the EPA Research Triangle Park, NC 919-541-0007
Federal Contact - John B. Smith 919-541-1087 - smith.johnb at epa.gov