[lvs-users] Transparent proxy with Locanode
David Hinkle
hinkle at cipafilter.com
Mon Dec 10 16:37:50 GMT 2007
Ok, I just found this document:
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.filter_rules.html
I think I understand the problem more clearly now.
The PREROUTING table comes before the LVS hooks in the LOCAL_IN table so I cannot determine at PREROUTING time that packets are going to go to the localnode or not.
So at this time, I guess I have two possible courses of action? Try and find a way for local_node to work without a REDIRECT rule in the PREROUTING table. Perhaps LVS can do the REDIRECT?
Or is it possible for LVS to "undo" whatever munging is happening in the PREROUTING table? I don't even understand why a REDIRECT rule in the PREROUTING table is breaking LVS.
I guess I'll research some more, if anybody has a workaround for using localnode with transparent proxy please let me know.
David
-----Original Message-----
From: lvs-users-bounces at linuxvirtualserver.org on behalf of David Hinkle
Sent: Mon 12/10/2007 10:06 AM
To: lvs-users at linuxvirtualserver.org
Subject: [lvs-users] Transparent proxy with Locanode
Hey everybody. I'm using the ip policy hack to get transparent proxy going like this:
ip rule add prio 100 fwmark 1 table 100
ip route add local 0/0 dev lo table 100
That redirects packets that I've marked with fwmark 1 into the "local" machine so that lvs will see them.
This is all working, I can distribute incoming connections to realservers, however, I run into problems when I try to use the localnode feature.
If I have
/sbin/iptables -t nat -A PREROUTING -p tcp -s 10.0.0.1/8 --dport 80 -j REDIRECT --to-port 8080
in my PREROUTING table so that the local machine can intercept, connections routed to the local node work and connections routed to the other peers fail; if I delete the rule, connections to the local node fail and connections to the remote hosts work.
Any ideas? Can I tell the connections apart in iptables so that I can create a rule to skip the redirect for packets leaving for other realservers? Can I get lvs to bypass PREROUTING for packets going out?
David
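An added audit script, not from the thread or the LVS project, that checks the setup discussed above from captured `ip rule show`, `ip route show table 100` and `iptables-save -t nat` output: it confirms the fwmark policy-routing rule and the local catch-all route are present, and flags any nat PREROUTING REDIRECT on the service port, since that rule runs before LVS sees the packet in LOCAL_IN and so also catches packets LVS would have forwarded to remote realservers. The sample outputs are constructed; the mark, table and port default to the values used in the thread.

```python
"""Audit the transparent-proxy + LVS localnode configuration from the thread."""
import re

# Constructed sample output of `ip rule show` (mark 1 -> table 100).
IP_RULE_SAMPLE = """\
0:\tfrom all lookup local
100:\tfrom all fwmark 0x1 lookup 100
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Constructed sample output of `ip route show table 100`.
IP_ROUTE_TABLE_100_SAMPLE = "local default dev lo scope host\n"

# Constructed sample output of `iptables-save -t nat` with the REDIRECT rule.
NAT_SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 10.0.0.0/8 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
"""

def has_fwmark_rule(ip_rule_out, mark, table):
    """True if some policy rule sends packets with `mark` to `table`."""
    pat = re.compile(r"fwmark 0x%x(?:/\S+)? lookup %s$" % (mark, table))
    return any(pat.search(line.strip()) for line in ip_rule_out.splitlines())

def has_local_catchall(route_out):
    """True if the table delivers every destination locally via lo."""
    pat = re.compile(r"^local (?:default|0\.0\.0\.0/0) dev lo\b")
    return any(pat.match(line.strip()) for line in route_out.splitlines())

def prerouting_redirects(nat_out, dport):
    """Return nat PREROUTING REDIRECT rules that match the service port."""
    port_pat = re.compile(r"--dport %d\b" % dport)
    return [line for line in nat_out.splitlines()
            if line.startswith("-A PREROUTING") and "-j REDIRECT" in line
            and port_pat.search(line)]

def audit(ip_rule_out, route_out, nat_out, mark=1, table=100, dport=80):
    """Return a list of findings; an empty list means no conflict was found."""
    findings = []
    if not has_fwmark_rule(ip_rule_out, mark, table):
        findings.append("missing: ip rule for fwmark %d -> table %d" % (mark, table))
    if not has_local_catchall(route_out):
        findings.append("missing: local 0/0 route via lo in table %d" % table)
    for rule in prerouting_redirects(nat_out, dport):
        findings.append("conflict: nat PREROUTING REDIRECT runs before the LVS "
                        "LOCAL_IN hook, so it also catches packets LVS would "
                        "forward to remote realservers: " + rule)
    return findings
```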
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
Send requests to lvs-users-request at LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users