[lvs-users] Packets Not Reaching Real Server

Malcolm Turnbull malcolm at loadbalancer.org
Mon Nov 21 19:49:03 GMT 2016


Nick,

AWS is a good place to use a one-arm NAT configuration (because all
the clients are usually remote).

As long as the real server has the default gateway set as the load
balancer it should be fine?




On 21 November 2016 at 19:13, Nick Leli <nicholasleli at gmail.com> wrote:
> Thanks Malcolm.  So in this scenario, the client is in a different subnet;
> it's coming from the public Internet.  I am looking for the easiest route
> to get something running so any logical recommendations are greatly
> appreciated.  Here is the current topology:
>
>                 my laptop, connected to public internet
>                                    |
>                                    |
>                                    |
>                                    V
>                     LVS host in AWS with public IP
>                                    |
>                                    |
>                                    |
>                                    V
>               Real server in AWS within same VPC/subnet
>
> What routing rules are needed on the backend server to get this to at least
> work in this simple setup.  Are iptables rules still required to masquerade
> on eth0 or do you need to permanently change the routes?
>
> On Mon, Nov 21, 2016 at 10:53 AM, Malcolm Turnbull <malcolm at loadbalancer.org> wrote:
>
>> Usually for MASQ/NAT mode the real server would be in a different
>> subnet with the LVS server set as the default gateway.
>>
>> If you want to do one-arm i.e. same subnet MASQ then the test client
>> needs to be in a separate subnet OR you need to have special routing
>> rules on the real (backend) server.
>>
>>
>>
>>
>>
>> On 21 November 2016 at 18:26, Nick Leli <nicholasleli at gmail.com> wrote:
>> > Hi Everyone,
>> >
>> > I am trying to learn LVS and have created the setup below (better
>> > formatting at Server Fault
>> > http://serverfault.com/questions/816026/lvs-load-balancer-not-getting-response).
>> > The LVS setup seems correct, but it appears that the connections never
>> > make it to the real server, even though traffic is being sent from the
>> > director.  I am under the impression that no iptables rules are required
>> > since the real server is added with masquerade.  Is this incorrect?  I
>> > have read through the HOWTO multiple times but am not clear on what is
>> > needed.
>> >
>> > **Director Host**
>> >
>> > root at ip-172-31-16-196:/home/ubuntu# cat  /proc/sys/net/ipv4/ip_forward
>> > 1
>> >
>> > root at ip-172-31-16-196:/home/ubuntu# ifconfig
>> >     eth0      Link encap:Ethernet  HWaddr 06:a0:5b:48:1b:f5
>> >               inet addr:172.31.16.196  Bcast:172.31.31.255  Mask:255.255.240.0
>> >               inet6 addr: fe80::4a0:5bff:fe48:1bf5/64 Scope:Link
>> >               UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
>> >               RX packets:4211 errors:0 dropped:0 overruns:0 frame:0
>> >               TX packets:3692 errors:0 dropped:0 overruns:0 carrier:0
>> >               collisions:0 txqueuelen:1000
>> >               RX bytes:416625 (416.6 KB)  TX bytes:406446 (406.4 KB)
>> >
>> >     lo        Link encap:Local Loopback
>> >               inet addr:127.0.0.1  Mask:255.0.0.0
>> >               inet6 addr: ::1/128 Scope:Host
>> >               UP LOOPBACK RUNNING  MTU:65536  Metric:1
>> >               RX packets:173 errors:0 dropped:0 overruns:0 frame:0
>> >               TX packets:173 errors:0 dropped:0 overruns:0 carrier:0
>> >               collisions:0 txqueuelen:1
>> >               RX bytes:12776 (12.7 KB)  TX bytes:12776 (12.7 KB)
>> >
>> > root at ip-172-31-16-196:/home/ubuntu# ipvsadm -Ln
>> > IP Virtual Server version 1.2.1 (size=4096)
>> > Prot LocalAddress:Port Scheduler Flags
>> >   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
>> > TCP  172.31.16.196:80 rr
>> >   -> 172.31.16.195:80             Masq    1      0          0
>> >
>> > root at ip-172-31-16-196:/home/ubuntu# ipvsadm -Ln --stats
>> > IP Virtual Server version 1.2.1 (size=4096)
>> > Prot LocalAddress:Port               Conns   InPkts  OutPkts  InBytes OutBytes
>> >   -> RemoteAddress:Port
>> > TCP  172.31.16.196:80                   23      122        0     6436        0
>> >   -> 172.31.16.195:80                   23      122        0     6436        0
>> >
>> > root at ip-172-31-16-196:/home/ubuntu# curl 172.31.16.195 -vv
>> > * Rebuilt URL to: 172.31.16.195/
>> > *   Trying 172.31.16.195...
>> > * Connected to 172.31.16.195 (172.31.16.195) port 80 (#0)
>> > > GET / HTTP/1.1
>> > > Host: 172.31.16.195
>> > > User-Agent: curl/7.47.0
>> > > Accept: */*
>> > >
>> > * HTTP 1.0, assume close after body
>> > < HTTP/1.0 200 OK
>> > < Server: SimpleHTTP/0.6 Python/2.7.12
>> > < Date: Mon, 21 Nov 2016 04:59:04 GMT
>> > < Content-type: text/html
>> > < Content-Length: 26
>> > < Last-Modified: Mon, 21 Nov 2016 00:58:21 GMT
>> > <
>> > From server 172.31.16.195
>> > * Closing connection 0
>> >
>> > # Show the public IP of this host
>> > root at ip-172-31-16-196:/home/ubuntu# wget http://ipinfo.io/ip -qO -
>> > 52.15.105.107
>> >
>> > **Backend Server**
>> >
>> > root at ip-172-31-16-195:/home/ubuntu# netstat -tnlp
>> > Active Internet connections (only servers)
>> > Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>> > tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2444/python
>> > tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1221/sshd
>> > tcp6       0      0 :::22                   :::*                    LISTEN      1221/sshd
>> >
>> > root at ip-172-31-16-195:/home/ubuntu# iptables -L -t nat
>> > Chain PREROUTING (policy ACCEPT)
>> > target     prot opt source               destination
>> >
>> > Chain INPUT (policy ACCEPT)
>> > target     prot opt source               destination
>> >
>> > Chain OUTPUT (policy ACCEPT)
>> > target     prot opt source               destination
>> >
>> > Chain POSTROUTING (policy ACCEPT)
>> > target     prot opt source               destination
>> >
>> > From Remote Client
>> >
>> > # Hitting the public IP
>> > $ curl -vvv http://52.15.105.107/
>> > *   Trying 52.15.105.107...
>> > * Connected to 52.15.105.107 (127.0.0.1) port 80 (#0)
>> > > GET / HTTP/1.1
>> > > Host: 52.15.105.107
>> > > User-Agent: curl/7.43.0
>> > > Accept: */*
>> > >
>> > < HTTP/1.1 504 Gateway Time-out
>> > < Server: ScanSafe
>> > < Mime-Version: 1.0
>> > < Date: Mon, 21 Nov 2016 05:40:50 GMT
>> > < Content-Type: text/html
>> > < Content-Length: 1664
>> > < X-ScanSafe-Error: ERR_CONNECT_FAIL 110
>> > < Keep-Alive: 60
>> > < Via: HTTP/1.1 proxy10829
>> > _______________________________________________
>> > Please read the documentation before posting - it's available at:
>> > http://www.linuxvirtualserver.org/
>> >
>> > LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
>> > Send requests to lvs-users-request at LinuxVirtualServer.org
>> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>>
>>
>>
>> --
>> Regards,
>>
>> Malcolm Turnbull.
>>
>> Loadbalancer.org Ltd.
>> Phone: +44 (0)330 380 1064
>> http://www.loadbalancer.org/
>>



-- 
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)330 380 1064
http://www.loadbalancer.org/
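
The symptom and the routing condition discussed in this thread, as an added example that is not part of the original messages: it flags real servers whose `ipvsadm -Ln --stats` counters show forwarded packets but no replies, and models whether a reply from the real server would pass back through the director. The sample output is constructed from the counters quoted above; the client address `203.0.113.10` and the VPC router address `172.31.16.1` are assumed values.

```python
import ipaddress
import re

# Constructed sample using the counters quoted in the thread. On a busy director,
# add --exact so ipvsadm does not abbreviate the counters with K/M suffixes.
SAMPLE_STATS = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port               Conns   InPkts  OutPkts  InBytes OutBytes
  -> RemoteAddress:Port
TCP  172.31.16.196:80                   23      122        0     6436        0
  -> 172.31.16.195:80                   23      122        0     6436        0
"""

# Service rows start with the protocol, real-server rows with "->".
ROW = re.compile(
    r"^\s*(TCP|UDP|->)\s+(\S+):(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)


def one_way_real_servers(stats_text):
    """Return (virtual, real) pairs where packets went in but none came back."""
    findings, virtual = [], None
    for line in stats_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner and column-header lines
        kind, addr, port, _conns, in_pkts, out_pkts = m.groups()[:6]
        endpoint = f"{addr}:{port}"
        if kind != "->":
            virtual = endpoint
        elif int(in_pkts) > 0 and int(out_pkts) == 0:
            findings.append((virtual, endpoint))
    return findings


def reply_passes_director(client_ip, real_ip, netmask, real_gw, director_ip):
    """Model the real server's routing decision for its reply to client_ip."""
    subnet = ipaddress.ip_network(f"{real_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(client_ip) in subnet:
        return False  # on-link client: reply bypasses the director (needs special routes)
    # Off-link client: reply follows the default route, which must be the director.
    return ipaddress.ip_address(real_gw) == ipaddress.ip_address(director_ip)


if __name__ == "__main__":
    print(one_way_real_servers(SAMPLE_STATS))
    print(reply_passes_director("203.0.113.10", "172.31.16.195", "255.255.240.0",
                                "172.31.16.1", "172.31.16.196"))
```
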


