[lvs-users] lvs masq response package not getting picked up

Klavs Klavsen kl at vsen.dk
Mon Aug 13 12:26:32 BST 2012


Y.Y.Y.105 is not the IP of the LVS server's internal interface, of course;
it's the IP of the backend server.

Klavs Klavsen said the following on 08/13/2012 01:20 PM:
> Hi,
>
> I've set up a server, with public IPs (currently only one though) on one
> interface, and an internal IP on another interface, where the backend
> webservers are hosted.
>
> My problem is that I see the request packet (going to X.X.X.167 port
> 80) go through to the backend fine (the SYN packet), and I see the
> backend's response (the backend has the LVS server as default gw) when I
> tcpdump on the internal interface of the LVS server.
>
> The response, however, is never relayed on the LVS server's external
> interface :(
>
> I hope you can help me debug, or suggest things I could do, to debug.
>
> My setup is as follows:
>
> I've set up ipvs in the kernel, using ldirectord - ipvsadm -ln shows:
> TCP  X.X.X.167:80 wrr persistent 900
>     -> Y.Y.Y.105:80            Masq    2      0          0
> TCP  X.X.X.167:443 wrr persistent 900
>     -> Y.Y.Y.105:443           Masq    2      0          0
>
> with X.X.X.167 being my public IP, and Y.Y.Y.105 being the internal one.
>
> iptables is enabled and the output is like this:
> [root@lb1 ~]# iptables -L -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
> ACCEPT     tcp  --  B.B.B.162            0.0.0.0/0           state NEW tcp dpt:8080
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> [root@lb1 ~]# iptables -L -n -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
>


-- 
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer
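Added example, not code from the thread or from the LVS project: a small POSIX shell helper with the checks I would run on the director in this situation. It assumes the addresses from the post (real server Y.Y.Y.105, services on ports 80 and 443) and relies on how LVS-NAT returns traffic: the reply from the real server is routed through the director, so it crosses the filter FORWARD chain before IPVS rewrites its source address back to the VIP. With net.ipv4.vs.conntrack at its default of 0 (setting it to 1 needs a kernel built with CONFIG_IP_VS_NFCT), conntrack only knows the client-to-VIP tuple, so to iptables that reply from Y.Y.Y.105 is NEW, not ESTABLISHED, and a FORWARD chain like the one posted lets it fall through to the final REJECT. Whether that is the cause here is for the rule counters and tcpdump to confirm; the script only shows how to check it and the two usual remedies.

```shell
#!/bin/sh
# Added example, not from the thread: LVS-NAT reply-path checks for a director.
# Assumed (hypothetical) real server address; VIP and ports follow the post.
RS="${RS:-Y.Y.Y.105}"

# Read-only snapshot of the director settings that govern the reply path.
# ip_forward must be on for the real server's replies to be forwarded at all;
# vs.conntrack decides whether stateful FORWARD rules can ever match them.
show_director_state() {
    for key in net.ipv4.ip_forward net.ipv4.vs.conntrack net.ipv4.conf.all.rp_filter; do
        printf '%-32s %s\n' "$key" "$(sysctl -n "$key" 2>/dev/null || echo n/a)"
    done
    ipvsadm -Ln --stats 2>/dev/null || echo "ipvsadm not available"
}

# Decide from 'iptables -S FORWARD' output (stdin) whether a reply packet from
# real server $1 with TCP source port $2 is accepted by an explicit rule
# (--sport N or multiport --sports ..,N,..) instead of relying on conntrack
# state. Returns 0 if such a rule exists, 1 otherwise.
reply_rule_present() {
    rs="$1"; port="$2"
    grep -E -- "^-A FORWARD .*-s ${rs}(/32)? .*--sports? ([0-9]+,)*${port}(,[0-9]+)*( .*)? -j ACCEPT" >/dev/null
}

# Count FORWARD rules that match on conntrack state alone; these do nothing for
# IPVS replies unless net.ipv4.vs.conntrack=1. Prints the count on stdout.
count_state_only_rules() {
    grep -E -c -- '^-A FORWARD -m (state --state|conntrack --ctstate) [A-Z,]+ -j ACCEPT$' || true
}

# The two ways to let the reply through: make conntrack follow IPVS connections
# (needs CONFIG_IP_VS_NFCT), or accept the real server's replies explicitly
# ahead of the REJECT. The second works on any kernel.
print_remedies() {
    cat <<EOF
# option 1: conntrack follows IPVS, so RELATED,ESTABLISHED matches the reply
sysctl -w net.ipv4.vs.conntrack=1
# option 2: accept replies from the real server before the final REJECT
iptables -I FORWARD -s ${RS} -p tcp -m multiport --sports 80,443 -j ACCEPT
EOF
}

# Run against the live ruleset when invoked as root on the director.
if [ "${1:-}" = "--live" ]; then
    show_director_state
    for p in 80 443; do
        if iptables -S FORWARD | reply_rule_present "$RS" "$p"; then
            echo "FORWARD accepts replies from $RS sport $p"
        else
            echo "no explicit FORWARD ACCEPT for $RS sport $p"
        fi
    done
    echo "state-only FORWARD rules: $(iptables -S FORWARD | count_state_only_rules)"
    print_remedies
fi
```

Run it as `sh lvs-reply-check.sh --live` on the director; the two grep-based functions also take saved `iptables -S FORWARD` output on stdin, which is how the posted ruleset can be checked without touching the box. If option 2 is used, the ACCEPT must sit before the REJECT rule, hence `-I` rather than `-A`.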
