LVS-NAT + SNAT is it impossible?

Paulo F. Andrade pfca at mega.ist.utl.pt
Tue Jul 11 17:23:05 BST 2006


That's not quite what I'm looking for.
What I want is the following:
- for inbound connections I want packets with CIP->VIP translated to
DIP->RIP
- for outbound connections (the responses from the real servers)
packets with RIP->DIP translated to VIP->CIP

LVS-NAT only does DNAT, meaning CIP->VIP changes to CIP->RIP and the
response from RIP->CIP to VIP->CIP.
The problem is that after LVS changes the VIP to RIP for inbound
connections, it seems that packets don't traverse the POSTROUTING
chain to get SNAT'ed.

Is there a workaround for this?

Paulo F. Andrade 52439 at IST
mailto: pfca at mega.ist.utl.pt
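As an added illustration (not code from the thread, the list or the LVS project), a small Python model of the two rewriting schemes being contrasted: stock LVS-NAT, which rewrites only the destination and therefore needs the director to be the real servers' gateway, and the DNAT+SNAT variant asked for above, whose replies are addressed to the director and so come back through it under ordinary routing. Addresses, ports and the single-real-server "scheduler" are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses: client, virtual IP, director and real server.
CIP, VIP, DIP, RIP = "203.0.113.10", "198.51.100.1", "10.0.0.1", "10.0.0.20"
REAL_NET = ipaddress.ip_network("10.0.0.0/24")   # the real servers' subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Director:
    """full_nat=False is stock LVS-NAT (DNAT only); full_nat=True adds SNAT.
    Ports are kept unchanged, a simplification over real SNAT port remapping."""

    def __init__(self, full_nat):
        self.full_nat = full_nat
        self.conns = {}  # (CIP, cport) -> RIP, i.e. the LVS connection table

    def inbound(self, pkt):
        """Client -> VIP: schedule a real server and rewrite the destination."""
        assert pkt.dst == VIP, "only VIP traffic is load balanced"
        rip = self.conns.setdefault((pkt.src, pkt.sport), RIP)
        src = DIP if self.full_nat else pkt.src   # SNAT only in full-NAT mode
        return Packet(src, pkt.sport, rip, pkt.dport)

    def outbound(self, pkt):
        """Reply from a real server: reverse whatever inbound() did."""
        for (cip, cport), rip in self.conns.items():
            if rip == pkt.src and cport == pkt.dport:
                return Packet(VIP, pkt.sport, cip, cport)
        raise LookupError("reply matches no connection entry")


def reply_next_hop(reply, default_gw):
    """Real server routing: on-link destinations are delivered directly,
    everything else goes to the server's default gateway."""
    return reply.dst if ipaddress.ip_address(reply.dst) in REAL_NET else default_gw


def trace(full_nat, default_gw):
    """One request/response: returns what the real server sees, its reply, the
    reply's first hop and, only if that hop is the director, the rewritten reply."""
    d = Director(full_nat)
    to_server = d.inbound(Packet(CIP, 40000, VIP, 80))
    reply = Packet(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    hop = reply_next_hop(reply, default_gw)
    return to_server, reply, hop, d.outbound(reply) if hop == DIP else None
```

With plain LVS-NAT and a default gateway other than the director the fourth element comes back as None: the reply is addressed to the client and never passes the director, which is exactly the "director must be the outgoing gateway" limitation quoted from the HOWTO below.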


On 2006/07/11, at 16:58, Chris Newland wrote:

> Hi Paulo,
>
> I use LVS-NAT and SNAT by using the following iptables rule:
>
> iptables -t nat -A POSTROUTING \
> -s 10.0.0.0/255.255.255.0 -o eth0 \
> -j SNAT \
> --to-source x.x.x.x <public IP of your director>
>
> My realservers only have non-routable IP addresses (10.0.0.*)
>
> The realservers can all connect to servers on the internet and when they do,
> the IP source address is that of the director.
>
> Is this what you are looking for?
>
> Regards,
>
> Chris
>
> -----Original Message-----
> From: lvs-users-bounces at LinuxVirtualServer.org
> [mailto:lvs-users-bounces at LinuxVirtualServer.org] On Behalf Of Paulo F. Andrade
> Sent: 11 July 2006 15:55
> To: lvs-users at LinuxVirtualServer.org
> Subject: LVS-NAT + SNAT is it impossible?
>
> Hi,
>
> I'm currently testing some solution on load balancing servers on a
> different network than the directors.
> The obvious solution would be to use LVS-TUN, but I can't change the
> routes on the router in the real servers network to accept packets
> with source VIP. A solution to this would be to tunnel back the
> packets to the director, but then I have the martian packets  
> problem...
>
> Not wanting to patch the kernel, I came up with this solution:
> - put secondary addresses of type 192.168.0.xxx on the real servers.
> - use LVS-NAT to balance connections to those ip addresses
> - construct a two way tunnel (using iproute2) based on the
> destination ip addresses
>
> Surprisingly this works, but it's a little too complex for my liking :)
>
> A better and simpler solution would be to use LVS-NAT and then SNAT
> in the POSTROUTING, but according to numerous sources (LVS HOWTO,
> this mailing list's archive...) this is not possible because
> LVS-NAT'ed packets don't traverse the POSTROUTING chain.
>
> Is it impossible to SNAT packets in an LVS-NAT setup?
>
> PS: I also found this on the LVS HOWTO
> (http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-NAT.html#lvs_net_extending):
>
> "Tao Zhao taozhao (at) cs (dot) nyu (dot) edu 01 May 2002 LVS-NAT
> assumes that all servers are behind the director, so the director
> only needs to change the destination IP when a request comes in and
> forward that to the scheduled realserver. When the reply packets go
> through the director it will change the source IP. This limits the
> deployment of LVS using NAT: the director must be the outgoing
> gateway for all servers.
> I am wondering if I can change the code so that both source and
> destination IPs are changed in both ways. For example, CIP: client
> IP; DIP: director IP; SIP: server IP (public IPs);
>
> Client->Director->Server: address pair (CIP, DIP) is changed to (DIP,
> SIP)
> Server->Director->Client: address pair (SIP, DIP) is changed to (DIP,
> CIP).
>
>
> Lars
>
> Not very efficient; but this can actually already be done by using
> the port-forwarding feature AFAIK, or by a userspace application
> level gateway."
>
> How does port forwarding enable me to do this? And what userspace
> application is he talking about?
>
> Thank you for your time and sorry for the long e-mail!
>
> Paulo F. Andrade 52439 at IST
> mailto: pfca at mega.ist.utl.pt
>
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> Send requests to lvs-users-request at LinuxVirtualServer.org
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users

