LVS-NAT and packets originating from realserver

Joseph Mack mack.joseph at epa.gov
Wed Aug 25 17:30:45 BST 2004


Francois JEANMOUGIN wrote:
> 
> C. R. Oldham :
> 
> > Joe :
> > > Let's say you can figure out how to do this...
> > >
> > > The replies coming from the machine on the internet will have
> > > dst_addr=VIP. The director will see the packets and since they
> > > aren't part of an established connection, they will be dropped.
> >
> >
> > You can do this with policy-based routing in the 2.6 series of kernels.
> > On my Debian realservers I have this in the /etc/networks/interfaces
> > file:
> 
> Well, well, I have a rather more failsafe setup, finally. I just had time one
> hour ago to try it. The answer is: "Just use SNAT":
> 
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $VIP
> 
> It is pretty simple. The VIP does not have to be up on the system, the rule
> stays there unemployed. In case of a director switch, even if vrrp adds the
> VIP as a secondary (or alias) interface, the outgoing packets will have the
> VIP as the source address.

How does the reply from the machine on the internet get back to the realserver
that initiated the connection?

Joe
-- 
Joseph Mack PhD, High Performance Computing & Scientific Visualization
LMIT, Supporting the EPA Research Triangle Park, NC 919-541-0007
Federal Contact - John B. Smith 919-541-1087 - smith.johnb at epa.gov
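
Added example, not part of the thread: a simplified Python model of the connection-tracking state that an iptables SNAT rule creates on the box doing the translation, showing how a reply addressed to the VIP is mapped back to the realserver that opened the connection, and why a packet to the VIP with no tracked flow is not. The addresses, ports and the Director class are constructed for illustration, and real netfilter port selection differs from the simple increment used here.

```python
# Simplified model of SNAT connection tracking (added example, not kernel code).
# All addresses and ports below are constructed sample values.
VIP = "203.0.113.10"            # assumed virtual IP
RIP1, RIP2 = "192.168.1.11", "192.168.1.12"   # assumed realserver IPs
REMOTE = ("198.51.100.7", 80)   # assumed machine on the internet

class Director:
    def __init__(self, vip):
        self.vip = vip
        self.forward = {}   # original tuple -> source port used after SNAT
        self.reverse = {}   # tuple the reply will carry -> (realserver, port)

    def outbound(self, pkt):
        """POSTROUTING SNAT: source becomes the VIP, mapping is remembered."""
        src, sport, dst, dport = pkt
        if pkt not in self.forward:
            nat_port = sport
            # Two realservers may pick the same source port: choose another.
            while (dst, dport, self.vip, nat_port) in self.reverse:
                nat_port += 1
            self.forward[pkt] = nat_port
            self.reverse[(dst, dport, self.vip, nat_port)] = (src, sport)
        return (self.vip, self.forward[pkt], dst, dport)

    def inbound(self, pkt):
        """PREROUTING: a reply to a tracked flow is rewritten to the realserver."""
        orig = self.reverse.get(pkt)
        if orig is None:
            return None     # no tracked flow: nothing to translate back to
        src, sport, _, _ = pkt
        return (src, sport, orig[0], orig[1])

def demo():
    d = Director(VIP)
    out1 = d.outbound((RIP1, 40000, *REMOTE))
    out2 = d.outbound((RIP2, 40000, *REMOTE))   # same source port, other realserver
    reply1 = d.inbound((*REMOTE, VIP, out1[1]))
    reply2 = d.inbound((*REMOTE, VIP, out2[1]))
    stray = d.inbound((*REMOTE, VIP, 50000))    # never opened by a realserver
    return out1, out2, reply1, reply2, stray

if __name__ == "__main__":
    for item in demo():
        print(item)
```

On a live system the corresponding state can be inspected with `conntrack -L`, where each entry lists the original tuple followed by the expected reply tuple.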

