Interesting Setup?

Jacco van Koll jko at haringstad.com
Sat Aug 6 11:36:00 BST 2005


Hello all,

Whilst playing with a Linux virtual server setup, I ran into some 
problems. I use the following setup:

I have 3 boxes, which are all connected to the public network, but also 
to a private segment.


Like this:

------------------------------------------------------------ public net (82.94.229.128/25)
          |                      |                      |
          |                 loadbalancer                |
          |                    /    \                   |
          |                   /      \                  |
          |                  /        \                 |
      server 1 - - - - - - -           - - - - - - - server 2

The connections between the loadbalancer and the real servers are made 
through a VLAN on a switch, with 172.16.125.0/24 addresses.

I would like to have the following setup:

1. All web traffic (http/https) must be handled by the loadbalancer
2. All ssh traffic must go directly to the real servers
3. Optionally, I must have the possibility of handling certain protocols 
by the real servers, like DNS, or, if there is the need, by the 
loadbalancer (like pop3 for example).

Whenever I add the default route on the real servers to the 
82.94.229.129 gateway, nothing happens when connecting to the 
loadbalancer on port 80. When I change the default route to the private IP 
on the loadbalancer, it works, but the real servers cannot be reached 
through ssh.

I have been fighting this issue for about a month now, and tried all the 
info I already found with search engines, HOWTOs and mailing lists, and I am 
still puzzled. Can anyone help me out here?

The following script is now running on the loadbalancer:

#!/bin/bash
#
# From the LVS site:
# To make the load balancer forward the masquerading packets
#   echo 1 > /proc/sys/net/ipv4/ip_forward
#   ipchains -A forward -j MASQ -s 172.16.0.0/24 -d 0.0.0.0/0
#
# Add virtual service and link a scheduler to it
#
#   ipvsadm -A -t 202.103.106.5:80 -s wlc  (Weighted Least-Connection scheduling)
#   ipvsadm -A -t 202.103.106.5:21 -s wrr  (Weighted Round Robin scheduling)
#
# Add real server and select forwarding method
#
#   ipvsadm -a -t 202.103.106.5:80 -r 172.16.0.2:80 -m
#   ipvsadm -a -t 202.103.106.5:80 -r 172.16.0.3:8000 -m -w 2
#   ipvsadm -a -t 203.103.106.5:21 -r 172.16.0.2:21 -m

PATH="/usr/sbin:/sbin:${PATH}"
export PATH

# Locate the tools we need; an empty variable means the tool is missing.
LSMOD=$(command -v lsmod)
MODPROBE=$(command -v modprobe)
IPTABLES=$(command -v iptables)
IP=$(command -v ip)
LOGGER=$(command -v logger)
IPVSADM=$(command -v ipvsadm)

# Print a message and, if logger is available, send it to syslog as well.
log() {
  echo "$1"
  test -x "$LOGGER" && "$LOGGER" -p info "$1"
}

echo "Initialized programs: $LSMOD $MODPROBE $IPTABLES $IP $LOGGER $IPVSADM"

if ! "$IP" link ls >/dev/null 2>&1; then
  echo "iproute not found"
  exit 1
fi

# Every interface used below must exist before any rule refers to it.
INTERFACES="eth0 eth1 lo"
for i in $INTERFACES; do
  "$IP" link show "$i" >/dev/null 2>&1 || {
    log "Interface $i does not exist"
    exit 1
  }
done

# First make the stuff go forward
echo -n "Enable ip forwarding: "
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Done"

# Now make the NAT work (MASQUERADE): the private segment leaves via eth0
echo -n "Enable Masquerade: "
"$IPTABLES" -t nat -A POSTROUTING -o eth0 -s 172.16.125.0/24 -j MASQUERADE
echo "Done"

# Now make portforwarding work (DNAT): direct access to each real server's http/https
echo -n "Enable portforwards (DNAT PORT 81 and 82): "
echo -n "server 1 "
"$IPTABLES" -t nat -A PREROUTING -p tcp -d 82.94.229.135 --dport 81 -j DNAT --to-destination 172.16.125.2:80
echo -n "server 2 "
"$IPTABLES" -t nat -A PREROUTING -p tcp -d 82.94.229.135 --dport 82 -j DNAT --to-destination 172.16.125.3:80
echo "Done...."
echo -n "Enable portforwards (DNAT PORT 6001 and 6002): "
echo -n "server 1 "
"$IPTABLES" -t nat -A PREROUTING -p tcp -d 82.94.229.135 --dport 6001 -j DNAT --to-destination 172.16.125.2:443
echo -n "server 2 "
"$IPTABLES" -t nat -A PREROUTING -p tcp -d 82.94.229.135 --dport 6002 -j DNAT --to-destination 172.16.125.3:443
echo "Done...."

# Now make the public side know which ports (virtual services, weighted round robin)
echo -n "Enable LB Known ports: "
"$IPVSADM" -A -t 82.94.229.135:80 -s wrr
"$IPVSADM" -A -t 82.94.229.135:443 -s wrr
echo "Added ports 80 and 443"

# Now make the rules to servers (LVS-NAT forwarding, -m; server 2 gets weight 2)
echo -n "Loadbalancing to servers port 80: "
"$IPVSADM" -a -t 82.94.229.135:80 -r 172.16.125.2:80 -m
"$IPVSADM" -a -t 82.94.229.135:80 -r 172.16.125.3:80 -m -w 2
echo "Added servers 1 and 2"
echo -n "Loadbalancing to servers port 443: "
"$IPVSADM" -a -t 82.94.229.135:443 -r 172.16.125.2:443 -m
"$IPVSADM" -a -t 82.94.229.135:443 -r 172.16.125.3:443 -m -w 2
echo "Added servers 1 and 2 both http and https"

-- 
Regards,

J. van Koll
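Editorial note on the post above. With LVS-NAT (the -m forwarding method used in the director script), the director rewrites only the destination of a client's packet, so the real server sees the client's public address as the source and its reply must travel back through the director to be un-NATted. That is why a default route via the public gateway breaks port 80 (replies bypass the director), while a default route via the director breaks ssh (replies to the public address leave through the private segment). The script below is an added example, not code from the post or from the LVS project: it gives a dual-homed real server two routing paths, the main table defaulting to the public gateway and a second table, selected by source address, sending anything sourced from the private address back via the director. The director's private address 172.16.125.1, the interface names eth0/eth1 and table number 100 are assumptions; 82.94.229.129 and 172.16.125.2 are taken from the post. The plan is printed by default and applied only when run with APPLY=1.

```sh
#!/bin/sh
# Added example: source-based policy routing on a dual-homed LVS-NAT real server.
# Replies to connections that arrived through the director (sourced from the
# private address) must return via the director; everything else (ssh on the
# public address) uses the normal public gateway.

PUB_GW="${PUB_GW:-82.94.229.129}"              # public gateway (from the post)
PUB_DEV="${PUB_DEV:-eth0}"                     # ASSUMED public interface
PRIV_IP="${PRIV_IP:-172.16.125.2}"             # server 1's private address (from the post)
PRIV_DEV="${PRIV_DEV:-eth1}"                   # ASSUMED private interface
DIRECTOR_PRIV="${DIRECTOR_PRIV:-172.16.125.1}" # ASSUMED director private address
TABLE="${TABLE:-100}"                          # ASSUMED routing table for the director path

# Emit the routing plan as plain "ip" commands so it can be reviewed before it
# touches a live box. Note that "ip rule add" is not idempotent: on a rerun,
# delete the old rule first.
routing_plan() {
    cat <<EOF
ip route replace default via $PUB_GW dev $PUB_DEV
ip route replace 172.16.125.0/24 dev $PRIV_DEV src $PRIV_IP table $TABLE
ip route replace default via $DIRECTOR_PRIV dev $PRIV_DEV table $TABLE
ip rule add from $PRIV_IP lookup $TABLE priority 100
ip route flush cache
EOF
}

# Run the plan line by line; DRY_RUN=1 (the default) only prints it.
apply_plan() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "DRY RUN: $cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; return 1; }
        fi
    done <<EOF
$(routing_plan)
EOF
}

# Sanity check: private-sourced traffic is steered into the director table,
# that table defaults to the director, and nothing in that table points at
# the public gateway (which would recreate the asymmetric-return problem).
plan_is_consistent() {
    plan="$(routing_plan)"
    echo "$plan" | grep -q "^ip rule add from $PRIV_IP lookup $TABLE" || return 1
    echo "$plan" | grep -q "default via $DIRECTOR_PRIV dev $PRIV_DEV table $TABLE" || return 1
    if echo "$plan" | grep -q "via $PUB_GW.*table $TABLE"; then
        return 1
    fi
    return 0
}

main() {
    plan_is_consistent || { echo "routing plan is inconsistent" >&2; return 1; }
    if [ "${APPLY:-0}" = "1" ]; then
        DRY_RUN=0 apply_plan
    else
        DRY_RUN=1 apply_plan
    fi
}

main
```

Run it once per real server with that server's own PRIV_IP; server 2 in the post would use PRIV_IP=172.16.125.3. The ordering matters: the rule's priority (100) must be lower than the main table's (32766) so the source match is consulted first, and the connected route for 172.16.125.0/24 is repeated inside table 100 so the director itself stays reachable through that table.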



More information about the lvs-users mailing list