Problems with LVS+heartbeat+ldirectord+iptables w/ SNAT/DNAT

Ordway, Ryan Ryan.Ordway at oregonstate.edu
Tue Jan 30 23:20:56 GMT 2007


Whoops, forgot to change the subject. Sorry for the re-post.

> -----Original Message-----
> From: lvs-users-bounces at LinuxVirtualServer.org [mailto:lvs-users-
> bounces at LinuxVirtualServer.org] On Behalf Of Ordway, Ryan
> Sent: Tuesday, January 30, 2007 3:07 PM
> To: LinuxVirtualServer.org users mailing list.
> Subject: RE: Problem with IP-takeover
> 
> 
> Is anyone using LVS + heartbeat + ldirectord + iptables with SNAT/DNAT?
> I'm trying to allow "direct" access to the real servers via one public
> IP separate from the virtual IP that would "bypass" LVS, and then the
> load balanced virtual IP for LVS to load balance between the real
> servers.
> 
> For example:
> 
> 192.168.1.1   - LVS director #1
> 192.168.1.2   - LVS director #2
> 192.168.1.3   - "direct" IP for web1
> 192.168.1.4   - "direct" IP for web2
> 192.168.1.100 - load balanced IP for web1/web2
> 
> 10.0.0.1      - LVS director #1 (internal)
> 10.0.0.2      - LVS director #2 (internal)
> 10.0.0.3      - internal IP for web1
> 10.0.0.4      - internal IP for web2
> 10.0.0.254    - load balanced default gateway IP for director1/director2
> 
> 
> The direct system access works great, but I need an iptables rule to
> handle the SNAT/DNAT exception of the load balanced IP.
> 
> I have rules like:
> 
> iptables -t nat -A PREROUTING -i eth1 -d 192.168.1.3 -j DNAT --to-destination 10.0.0.3
> 
> and
> 
> iptables -t nat -A POSTROUTING -s 10.0.0.3 ! -d 10.0.0.0/24 -j SNAT --to-source 192.168.1.3
> 
> But then, of course when I get a connection on 192.168.1.100, the
> director sends the packets to the real server, the real server shoots
> back its response, but the POSTROUTING rule rewrites the source to the
> "direct" IP, 192.168.1.3 instead of the load balanced IP. I just
haven't
> figured out a simple way to change the SNAT address depending on the
> source of the initial communication, the virtual IP.
> 
> It's probably just a simple iptables rule, but it's evading me....
> 
> TIA,
> 
> Ryan
> 
> --
> Ryan Ordway               Unix Systems Administrator
> OSU Libraries             E-mail: ryan.ordway at oregonstate.edu
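The following script is an added example, not something posted in the thread. It builds the DNAT/SNAT pair for each real server from the addresses above, but scopes the POSTROUTING SNAT rule with the conntrack match (`-m conntrack --ctorigdst`) so that only connections whose original destination was the "direct" public IP get their source rewritten; replies belonging to connections that arrived on the VIP are left for the director to handle. Whether that match alone is sufficient next to LVS-NAT is an assumption here, not a result the thread confirms. The interface name `eth1` and the `10.0.0.0/24` network come from the post; `DRY_RUN`, `run`, `direct_rules` and `snat_rules_are_scoped` are names invented for this example. By default it prints the rules instead of applying them so a ruleset can be reviewed before it touches a director.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the per-real-server
# DNAT/SNAT rules with the SNAT rule restricted to connections that were
# originally addressed to the "direct" IP.  --ctorigdst is the conntrack
# match extension; that it is enough alongside LVS-NAT is an assumption.
#
# DRY_RUN=1 (the default) prints the rules instead of running iptables.

DRY_RUN="${DRY_RUN:-1}"
EXT_IF="${EXT_IF:-eth1}"            # external interface, as in the post
INT_NET="${INT_NET:-10.0.0.0/24}"   # internal real-server network

# run ARGS...: print "iptables ARGS" in dry-run mode, otherwise apply it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# direct_rules PUBLIC_IP INTERNAL_IP: emit the two rules for one real server.
direct_rules() {
    public="$1"
    internal="$2"
    # Inbound: traffic to the public "direct" IP goes to the real server.
    run -t nat -A PREROUTING -i "$EXT_IF" -d "$public" \
        -j DNAT --to-destination "$internal"
    # Outbound: rewrite the source only for connections whose original
    # destination was the direct IP; VIP-balanced connections are skipped.
    run -t nat -A POSTROUTING -s "$internal" ! -d "$INT_NET" \
        -m conntrack --ctorigdst "$public" -j SNAT --to-source "$public"
}

# snat_rules_are_scoped RULESET: succeed (exit 0) when every SNAT line in the
# text carries a --ctorigdst match, i.e. no unscoped rule of the kind that
# rewrote the VIP's replies in the post survives.  Fails otherwise.
snat_rules_are_scoped() {
    ! printf '%s\n' "$1" | grep -- '-j SNAT' | grep -qv -- '--ctorigdst'
}

main() {
    direct_rules 192.168.1.3 10.0.0.3
    direct_rules 192.168.1.4 10.0.0.4
}

main
```

Run it as-is to see the generated rules, then `DRY_RUN=0 sh script.sh` as root to apply them. `snat_rules_are_scoped` is a small lint you can point at `iptables-save -t nat` output (or at the dry-run text) to catch an unscoped SNAT rule before it is loaded.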
