Port redirection in LVS Localnode

Roberto Nibali ratz at drugphish.ch
Tue Jul 20 06:11:21 BST 2004

Good day,

[please try to wrap your overly long lines in your emails next time]

>     I have a configuration with only two machines that act both as directors and real servers (Localnode).
>     With a Localnode configuration I already heard that you can't make port redirection/rewrite independently
>     of the forwarding method (DR, TUN or NAT)

>     I need port redirection because I want to offer
> a Virtual HTTP Service on port 80, and map this service
> to two real servers running Tomcat on port 8080 with
> an unprivileged account.
>     Because LVS can't do redirection, I tried with an
> iptables DNAT rule in the PREROUTING CHAIN.
>         iptables -t nat -A PREROUTING -p tcp -d VIP --dport 80 \
>                  -j DNAT --to VIP:8080
>     This rule functions well for the traffic that is
> mapped to the local real server, but the traffic that
> goes to the other real server returns with source port

If I understand you correctly, the other RS is a physically different 
machine, right?

> 8080 to the client (which causes a reset of the TCP connection
> by the client). I probed this configuration with LVS/NAT
> and LVS/DR with the forward_shared (source martians) patch.

You need someone to do a port mapping for you on your back-path ;).

> Is it possible to do port redirection in a Localnode environment?

[First idea I had which probably doesn't work]
I don't know but what you could try is to add two rules:

[Internet] ----> eth0[director/node1]eth1 -----> eth0[node2]

Two DNAT rules:

iptables -t nat -A PREROUTING -i eth0 -p tcp -d $VIP --dport 80 \
                 -j DNAT --to $VIP:8080
# POSTROUTING can only match the outgoing interface (-o), not -i
iptables -t nat -A POSTROUTING -o eth0 -p tcp -d $CIP -s $RIP \
                 --sport 8080 -j SNAT --to-source $IP_of_eth0:80

The "problem" is that netfilter maintains a template table which is used 
to look up the n-tuple corresponding to your initial connection attempt 
which was port-redirected. Of course the source port of the outgoing 
packet is then not known, which gives you little to no option of back 
mapping the port.

What you could do is have a tcp forwarding tool on a local socket on 
node2 which redirects traffic to the local socket on port 8080. There 
are other possibilities, however I'm not sure if I understand your 
current setup correctly.

HTH and best regards,
Roberto Nibali, ratz
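The last paragraph of the reply suggests a TCP forwarding tool on node2 that listens on the virtual service port and hands each connection to the local Tomcat on 8080. As an added example that is not part of the thread, of LVS or of netfilter, here is a minimal relay of that kind in Python. It assumes Tomcat on 127.0.0.1:8080 in real use (the demo at the bottom substitutes a constructed in-process fake backend on an ephemeral port), and the drop_to account name is a hypothetical parameter. Because the reply leaves node2 from the same socket the client connected to, the client sees the service port as source port, which is exactly the back-path mapping the director's conntrack could not supply.

```python
"""User-space TCP port relay for an LVS real server (added example).

Listens on the privileged service port and forwards each connection to a
local unprivileged listener, e.g. 0.0.0.0:80 -> 127.0.0.1:8080 on node2,
so Tomcat itself never needs root. Not code from the lvs-users thread.
"""
import os
import selectors
import socket
import threading


def relay_pair(client, backend):
    """Copy bytes both ways; propagate each side's EOF as a half-close of
    the other side, then close both sockets once both directions are done."""
    sel = selectors.DefaultSelector()
    sel.register(client, selectors.EVENT_READ, backend)
    sel.register(backend, selectors.EVENT_READ, client)
    open_directions = 2
    try:
        while open_directions:
            for key, _ in sel.select():
                data = key.fileobj.recv(65536)
                if data:
                    key.data.sendall(data)
                    continue
                # EOF from this side: stop reading it, half-close the peer.
                sel.unregister(key.fileobj)
                try:
                    key.data.shutdown(socket.SHUT_WR)
                except OSError:
                    pass  # peer already gone
                open_directions -= 1
    except OSError:
        pass  # connection reset by either side: just tear down
    finally:
        sel.close()
        client.close()
        backend.close()


class PortForwarder:
    """Accept on (listen_host, listen_port) and relay each connection to
    target in its own thread. listen_port=0 lets the OS pick (demo use)."""

    def __init__(self, listen_host, listen_port, target_host, target_port,
                 drop_to=None):
        self.target = (target_host, target_port)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((listen_host, listen_port))  # port 80 needs root here
        self.sock.listen(128)
        self.port = self.sock.getsockname()[1]
        if drop_to is not None and hasattr(os, "geteuid") and os.geteuid() == 0:
            # Privileged port is bound; run the rest as an unprivileged user.
            # drop_to is a hypothetical account name chosen by the caller.
            import pwd
            pw = pwd.getpwnam(drop_to)
            os.setgroups([])
            os.setgid(pw.pw_gid)
            os.setuid(pw.pw_uid)
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self.port

    def stop(self):
        self.sock.close()  # accept() now fails, which ends the serve loop

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return
            try:
                backend = socket.create_connection(self.target, timeout=5)
                backend.settimeout(None)
            except OSError:
                client.close()  # backend down: refuse instead of hanging
                continue
            threading.Thread(target=relay_pair, args=(client, backend),
                             daemon=True).start()


def start_fake_backend(prefix=b"backend saw: "):
    """Constructed stand-in for Tomcat: answers one connection by echoing
    the request behind a prefix, then exits. Returns its ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(prefix + conn.recv(65536))
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1]


def demo_roundtrip(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Send payload through the relay and return what the client reads back."""
    fwd = PortForwarder("127.0.0.1", 0, "127.0.0.1", start_fake_backend())
    front_port = fwd.start()
    try:
        with socket.create_connection(("127.0.0.1", front_port), timeout=5) as c:
            c.sendall(payload)
            chunks = []
            while True:
                data = c.recv(65536)
                if not data:
                    break
                chunks.append(data)
    finally:
        fwd.stop()
    return b"".join(chunks)


if __name__ == "__main__":
    print(demo_roundtrip().decode())
```

Two caveats when using a relay like this instead of a kernel port map: Tomcat sees every connection as coming from 127.0.0.1, so its access logs and any address-based access control behind the relay record the relay rather than the client; and the relay is an extra process on the data path, so keep it small and let it drop to an unprivileged account right after binding the service port.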
