[lvs-users] keepalived Nat problem 2 arm failover

Sharif Uddin sharif at shopto.net
Tue Jun 7 16:07:12 BST 2011


> Hi,
>
>
> I have a strange problem and I can't seem to find clear information on
> how to do this .
>
>
> I have 2 load balancers set up in keepalived NAT mode with 2 interfaces each
>
>
> internal vip - 192.168.0.199
> external vip - 195.x.x.21
>
> lb1 -master
> bond0 - private - 192.168.0.239
> eth5 - public - 195.x.x.41
>
>
> lb1 -slave
> bond0 - private - 192.168.0.238
> eth5 - public - 195.x.x.42
>
>
>
>
> results of  watch -n 0.5 ipvsadm -ln
>
>
> Every 0.5s: ipvsadm -ln                                     Tue Jun  7 14:15:25 2011
>
> IP Virtual Server version 1.2.1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
>     ->  RemoteAddress:Port           Forward Weight ActiveConn InActConn
> TCP  192.168.0.198:3306 wrr
>     ->  192.168.0.239:4041           Local   1      0          0
> TCP  192.168.0.199:80 rr
>     ->  192.168.0.235:80             Masq    1      0          0
>     ->  192.168.0.236:80             Masq    1      0          0
>     ->  192.168.0.237:80             Masq    1      0          0
> TCP  192.168.0.199:443 rr
>     ->  192.168.0.235:443            Masq    1      0          0
>     ->  192.168.0.236:443            Masq    1      0          0
>     ->  192.168.0.237:443            Masq    1      0          0
>
>
>
>
> I can't seem to NAT incoming connections from the external IP to the internal IP.
> I have managed to allow outgoing connections from the cluster to the public network using
>
>
>       iptables -t nat -A POSTROUTING -o eth5 -j MASQUERADE
>
>
> or
>
>       iptables -t nat -A POSTROUTING ! -d 192.168.0.1/24 -j SNAT --to 195.x.x.21
>
>
>
> I have tried this:
>
>       iptables -t nat -A PREROUTING --dst 195.x.x.21 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.235
>
> which works but directs traffic to one server in the cluster; if I try the
> internal VIP I get nothing
>
>
>       iptables -t nat -A PREROUTING --dst 195.x.x.21 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.199
>
>
>
>
> When I test with wget from any LAN PC I get the following error in syslog
>
>       Jun  7 14:11:30 lb1 kernel: [ 6845.854613] ip_rt_bug: 217.35.126.204 ->  192.168.0.199, eth5
>
>
> Can anyone help?
>
>
>
>
>
>
>
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> Send requests to lvs-users-request at LinuxVirtualServer.org
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users


I have tried the following


  iptables -t nat -A PREROUTING --dst 195.x.x.21 -p tcp --dport 80 -j LOG --log-level warn --log-prefix "INPUT port80-"
  iptables -t nat -A PREROUTING -i eth5 --dst 195.x.x.21 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.199:80

  iptables -t nat -A POSTROUTING ! -d 192.168.0.1/24 -j LOG --log-level warn --log-prefix "OUT port80-"
  iptables -t nat -A PREROUTING --dst 195.x.x.21 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.199:80




and in my /var/log/messages I see the following when trying to access the
internal VIP, either by telnetting to the public VIP, or with netcat or wget,
or in a browser

Jun  7 16:04:20 lb1 kernel: [13615.643902] INPUT port80-IN=eth5 OUT= MAC=60:eb:69:dc:17:ab:ec:c8:82:e4:ee:01:08:00 SRC=217.35.126.204 DST=195.x.x.21 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=35908 DF PROTO=TCP SPT=38764 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0


Jun  7 16:00:44 lb1 kernel: [13399.730256] OUT port80-IN= OUT=eth5 SRC=192.168.0.237 DST=74.201.14.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=58040 DF PROTO=TCP SPT=35769 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0





These are the same messages I get when I use a physical server in the
iptables rules, such as 192.168.0.237, instead of the VIP.
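As an added example (it is not code from this thread, from LVS or from keepalived), the script below parses the `ipvsadm -ln` table from the original message and the two kernel LOG lines from the reply, and then checks what an iptables DNAT `--to-destination` actually points at: an IPVS virtual service, one of its real servers, or nothing IPVS knows about. The function names and the summary fields are this example's own; the sample data is copied from the messages above and embedded inline so it runs offline.

```python
"""Added example (not code from the thread or from LVS/keepalived): parse the
`ipvsadm -ln` table and the netfilter LOG lines quoted in this thread, then
check what an iptables DNAT --to-destination points at. The helper names are
this example's own; the sample data is copied from the messages above."""
import re

# `ipvsadm -ln` output as posted in the original message (constructed inline).
IPVSADM_OUTPUT = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  ->  RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.0.198:3306 wrr
  ->  192.168.0.239:4041           Local   1      0          0
TCP  192.168.0.199:80 rr
  ->  192.168.0.235:80             Masq    1      0          0
  ->  192.168.0.236:80             Masq    1      0          0
  ->  192.168.0.237:80             Masq    1      0          0
TCP  192.168.0.199:443 rr
  ->  192.168.0.235:443            Masq    1      0          0
  ->  192.168.0.236:443            Masq    1      0          0
  ->  192.168.0.237:443            Masq    1      0          0
"""

# The two kernel LOG lines from the reply (constructed inline).
LOG_LINES = [
    "Jun  7 16:04:20 lb1 kernel: [13615.643902] INPUT port80-IN=eth5 OUT= "
    "MAC=60:eb:69:dc:17:ab:ec:c8:82:e4:ee:01:08:00 SRC=217.35.126.204 "
    "DST=195.x.x.21 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=35908 DF PROTO=TCP "
    "SPT=38764 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0",
    "Jun  7 16:00:44 lb1 kernel: [13399.730256] OUT port80-IN= OUT=eth5 "
    "SRC=192.168.0.237 DST=74.201.14.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=58040 DF PROTO=TCP SPT=35769 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
]

SERVICE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)")
REAL_RE = re.compile(r"^\s*->\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)")
FLAG_WORDS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CE"}


def parse_ipvsadm(text):
    """Map (proto, vip, port) -> {"scheduler", "reals": [(ip, port, forward, weight)]}."""
    services, current = {}, None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            proto, vip, port, sched = m.groups()
            current = (proto, vip, int(port))
            services[current] = {"scheduler": sched, "reals": []}
            continue
        m = REAL_RE.match(line)  # the "-> RemoteAddress:Port" header has no digits, so it is skipped
        if m and current is not None:
            ip, port, fwd, weight, _active, _inactive = m.groups()
            services[current]["reals"].append((ip, int(port), fwd, int(weight)))
    return services


def classify_dnat_target(services, ip, port, proto="TCP"):
    """Tell whether a DNAT target is an IPVS virtual service, one of its real servers, or neither."""
    if (proto, ip, port) in services:
        return "virtual-service"
    for (p, _vip, _vport), svc in services.items():
        if p == proto and any(r[0] == ip and r[1] == port for r in svc["reals"]):
            return "real-server"
    return "not-in-ipvs"


def parse_nf_log(line):
    """Split a kernel netfilter LOG line into its --log-prefix, KEY=VALUE fields and bare flags."""
    # Format: "<syslog head> [<uptime>] <prefix>IN=<if> OUT=<if> [MAC=..] SRC=.. DST=.. ... <flags>",
    # so the prefix is whatever sits between the timestamp bracket and the first "IN=".
    after_ts = line.split("] ", 1)[1] if "] " in line else line
    prefix, sep, rest = after_ts.partition("IN=")
    fields, flags = {}, set()
    if not sep:  # not a netfilter LOG record
        return {"prefix": prefix.strip(), "fields": fields, "flags": flags}
    for tok in ("IN=" + rest).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value  # "OUT=" with nothing after it stays as an empty string
        elif tok in FLAG_WORDS:
            flags.add(tok)
    return {"prefix": prefix, "fields": fields, "flags": flags}


def audit_log_line(services, line):
    """Summarise one LOG line: direction, interface, endpoints and what IPVS knows about the destination."""
    rec = parse_nf_log(line)
    f = rec["fields"]
    inbound = bool(f.get("IN"))
    dport = int(f["DPT"]) if "DPT" in f else None
    return {
        "prefix": rec["prefix"].strip(),
        "direction": "ingress" if inbound else "egress",
        "iface": f.get("IN") if inbound else f.get("OUT"),
        "src": f.get("SRC"),
        "dst": f.get("DST"),
        "dport": dport,
        "syn": "SYN" in rec["flags"],
        "dst_in_ipvs": classify_dnat_target(services, f.get("DST"), dport, f.get("PROTO", "TCP")),
    }


if __name__ == "__main__":
    svcs = parse_ipvsadm(IPVSADM_OUTPUT)
    for target in (("192.168.0.199", 80), ("192.168.0.235", 80)):
        print(target, "->", classify_dnat_target(svcs, *target))
    for line in LOG_LINES:
        print(audit_log_line(svcs, line))
```

Run against the quoted data, the script reports that the DNAT target 192.168.0.199:80 is itself an IPVS virtual service (scheduler rr, three Masq real servers), whereas 192.168.0.235:80 is one of the real servers behind it; that is the difference between the two DNAT rules the original post compares. The two LOG lines also come out as different flows: an inbound SYN arriving on eth5 for the public VIP, and an outbound SYN from real server 192.168.0.237 leaving via eth5.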








