Problem with IP-takeover

Ordway, Ryan Ryan.Ordway at oregonstate.edu
Tue Jan 30 23:07:11 GMT 2007


Is anyone using LVS + heartbeat + ldirectord + iptables with SNAT/DNAT?
I'm trying to allow "direct" access to the real servers via one public
IP separate from the virtual IP that would "bypass" LVS, and then the
load balanced virtual IP for LVS to load balance between the real
servers.

For example:

192.168.1.1   - LVS director #1
192.168.1.2   - LVS director #2
192.168.1.3   - "direct" IP for web1
192.168.1.4   - "direct" IP for web2
192.168.1.100 - load balanced IP for web1/web2

10.0.0.1      - LVS director #1 (internal)
10.0.0.2      - LVS director #2 (internal)
10.0.0.3      - internal IP for web1
10.0.0.4      - internal IP for web2
10.0.0.254    - load balanced default gateway IP for director1/director2


The direct system access works great, but I need an iptables rule to
handle the SNAT/DNAT exception of the load balanced IP.

I have rules like:

iptables -t nat -A PREROUTING -i eth1 -d 192.168.1.3 -j DNAT --to-destination 10.0.0.3

and

iptables -t nat -A POSTROUTING -s 10.0.0.3 ! -d 10.0.0.0/24 -j SNAT --to-source 192.168.1.3

But then, of course, when I get a connection on 192.168.1.100, the
director sends the packets to the real server, the real server shoots
back its response, but the POSTROUTING rule rewrites the source to the
"direct" IP, 192.168.1.3, instead of the load balanced IP. I just haven't
figured out a simple way to change the SNAT address depending on the
source of the initial communication, the virtual IP.

It's probably just a simple iptables rule, but it's evading me...

TIA,

Ryan

--
Ryan Ordway               Unix Systems Administrator
OSU Libraries             E-mail: ryan.ordway at oregonstate.edu
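An added illustration, not part of Ryan's post and not code from the LVS project: a small Python model of the two posted nat rules run over constructed sample packets. It reproduces the reported behaviour (a POSTROUTING match on source address alone rewrites VIP replies to the "direct" IP) and sketches the connection-aware SNAT the post asks for; the StatefulNat class and its connection dict are a stand-in for kernel connection tracking, not a working iptables configuration.

```python
from dataclasses import dataclass, replace

# Addresses from the post; the packets fed in by callers are constructed samples.
DIRECT = {"192.168.1.3": "10.0.0.3", "192.168.1.4": "10.0.0.4"}  # direct IP -> internal IP
REVERSE = {rip: pub for pub, rip in DIRECT.items()}
VIP = "192.168.1.100"                                              # load-balanced IP
INTERNAL_NET = "10.0.0."      # stands in for the "! -d 10.0.0.0/24" match

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def prerouting(p):
    """nat PREROUTING: -d <direct IP> -j DNAT --to-destination <internal IP>."""
    return replace(p, dst=DIRECT.get(p.dst, p.dst))

def lvs_forward(p, rip):
    """The director's LVS-NAT step for the VIP (ipvs, not an iptables rule)."""
    return replace(p, dst=rip) if p.dst == VIP else p

def postrouting(p):
    """nat POSTROUTING as posted: -s <internal IP> ! -d 10.0.0.0/24 -j SNAT.
    It matches on the source alone, so replies to VIP connections are rewritten too."""
    if p.src in REVERSE and not p.dst.startswith(INTERNAL_NET):
        return replace(p, src=REVERSE[p.src])
    return p

def reply_source(client, public_dst, rip):
    """Client -> public_dst, forwarded to rip; return the source the client sees
    on the real server's reply after the posted POSTROUTING rule."""
    inbound = lvs_forward(prerouting(Packet(client, public_dst)), rip)
    assert inbound.dst == rip
    return postrouting(Packet(src=rip, dst=client)).src

class StatefulNat:
    """What the post asks for: pick the SNAT source from how the connection first
    arrived. The dict plays the part conntrack plays in the kernel (model only)."""
    def __init__(self):
        self.conns = {}   # (client, rip) -> public address the client contacted
    def inbound(self, client, public_dst, rip):
        self.conns[(client, rip)] = public_dst
        return lvs_forward(prerouting(Packet(client, public_dst)), rip)
    def outbound(self, p):
        original = self.conns.get((p.dst, p.src))
        if original is not None:        # a reply: restore what the client contacted
            return replace(p, src=original)
        return postrouting(p)           # server-originated traffic: direct IP as before
```

Running reply_source with the VIP as public_dst returns the direct IP, which is exactly the mismatch described above; StatefulNat returns the VIP for the same reply while still using the direct IP for connections the real server itself opens.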
