SNAT Confusion

Rodre Ghorashi-Zadeh rodrico7 at hotmail.com
Sat Mar 17 01:39:05 GMT 2007


Hello,

I have been able to get the "Janusz" patch to work on Fedora 
2.6.19-1.2288.2.4.fc5, but it looks like my problem still isn't solved. It 
looks like this may be the time to explain my setup and requirement:

I am in the situation where my real servers are clients of the VIP, and have 
the potential to loop back via the director onto themselves. It is not a 
problem if:

realserver1 RIP -> Director VIP -> realserver2 RIP

or:

realserver2 RIP -> Director VIP -> realserver1 RIP

but both:

realserver1 RIP -> Director VIP -> realserver1 RIP

and:

realserver2 RIP -> Director VIP -> realserver2 RIP

fail miserably. This is where I was hoping the SNAT patch would help with a 
rule like:

iptables -t nat -A POSTROUTING -s realserverip1 -d realserver1 -j SNAT --to-source directorip

I can see the traffic being SNAT-ed, hitting the realserver and being 
sent back, but then the packet trail just seems to drop off. I figure it is 
because the kernel on the director is probably looking at the source address 
of the reply packet, which matches the VIP IP that is on the director, and 
is saying "hey, I didn't send this!" and is dropping the packet. What am I 
not seeing here? What am I missing? What I guess I need here is the 
so-called F5-style SNAT? How can I achieve what I need to do?

~Rodre

>From: Janusz Krzysztofik <jkrzyszt at tis.icnet.pl>
>To: "LinuxVirtualServer.org users mailing list." 
><lvs-users at LinuxVirtualServer.org>
>CC: rodrico7 at hotmail.com
>Subject: Re: SNAT Confusion
>Date: Fri, 16 Mar 2007 12:19:45 +0100
>
>Rodre Ghorashi-Zadeh wrote:
>>I am totally confused about the whole SNAT, snat_reroute, NFCT, etc. I 
>>have downloaded Julian's NFCT patch for my kernel (centos 4.4 
>>2.6.9-42.0.10.ELsmp), patched/built/installed the kernel, echoed 1 > 
>>/proc/sys/net/ipv4/vs/conntrack & and snat_reroute, wrote an iptables rule 
>>that looks like this: iptables -t nat -A POSTROUTING -p tcp -s $MYIP -d 
>>$RIP --dport $SOMEPORT -j SNAT --to-source $DEFAULTGATE, sent the 
>>appropriate traffic that should get caught and manipulated by the previous 
>>rule, experienced no results ...
>
>Exactly as I was before. Then I reread all Julian's writings on this matter 
>and understood that saying SNAT he meant changing RIP source address back 
>to VIP on packets traversing LVS-NAT director back to clients (OUT 
>direction).
>
>>... does the patch provided by Janusz Krzysztofik at 
>>http://www.icnet.pl/download/ip_vs_dr-conntrack.patch allow you to at 
>>least do an iptables style SNAT to LVS-DR type packets?
>
>Yes, exactly, and not only SNAT, but full conntrack as well. But please 
>remember, this is my own solution, not supported by LVS people in any way, 
>and not yet commented by them, so it may stop working for future versions 
>of IPVS.
>
>Julian, Joe, Horms, maybe others, could you please share your opinions on 
>this matter?
>
>Thanks,
>Janusz
>
