Hello All,

After having a look in iptables, I am able to solve this issue.
added following line in iptables

iptables -t mangle -A OUTPUT -s 192.168.20.10 -p tcp -j DIVERT

thanks much,
Regards,
-Abdul Jaleel

On Mon, Nov 16, 2015 at 3:31 PM, jaleel <abduljal...@gmail.com> wrote:

> Hello All,
>
> Need help regarding the iptables
>
> For the packet coming from network, I set the iptables as following
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> For the packet generated locally, I think I need to set the mangle table
> in OUTPUT chain so that HAProxy will capture locally generated packet as
> well.
>
> how do I create the OUTPUT chain mangle table?
>
> Regards,
> -Abdul jaleel K
>
> On Fri, Nov 13, 2015 at 1:12 PM, Aleksandar Lazic <al-hapr...@none.at>
> wrote:
>
>> Hi.
>>
>> But do you really think this is a haproxy Problem?
>>
>> On 13-11-2015 08:38, Aleksandar Lazic wrote:
>>
>>> On 13-11-2015 06:14, jaleel wrote:
>>>
>>>> It works if HAProxy and backend are in different box, but when both are
>>>> in same box it didn't work
>>>>
>>>
>>> Maybe because the iptables rule is different from 'localhost' than
>>> from external.
>>>
>>> Please take a look at the picture
>>>
>>>
>>> https://ixquick-proxy.com/do/spg/show_picture.pl?l=english&rais=1&oiu=http%3A%2F%2Ferlerobotics.gitbooks.io%2Ferle-robotics-introduction-to-linux-networking%2Fcontent%2Fsecurity%2Fimg9%2Fiptables.gif&sp=5ac7f7d4aa8327c04f456b9db2362108
>>>
>>
>> or this one
>>
>> http://inai.de/images/nf-packet-flow.png
>>
>> from this site
>>
>>
>> http://serverfault.com/questions/345111/iptables-target-to-route-packet-to-specific-interface
>>
>>
>> and the document for this Picture.
>>>
>>>
>>> https://erlerobotics.gitbooks.io/erle-robotics-introduction-to-linux-networking/content/security/introduction_to_iptables.html
>>>
>>> I think you should add some lines into the postrouting table
>>>
>>> BR Aleks
>>>
>>> On Fri, Nov 13, 2015 at 1:56 AM, Igor Cicimov
>>>> <ig...@encompasscorporation.com> wrote:
>>>>
>>>> On 13/11/2015 1:04 AM, "jaleel" <abduljal...@gmail.com> wrote:
>>>>>
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I am trying to setup the following for deployment
>>>>>>
>>>>>> I have 2 servers.
>>>>>> server1: eth0: 10.200.2.211 (255.255.252.0)
>>>>>>          eth1: 192.168.10.10 (255.255.255.0)
>>>>>> server2: eth0: 10.200.2.242 (255.255.252.0)
>>>>>>          eth1: 192.168.20.10 (255.255.255.0)
>>>>>>
>>>>>> VRRP between server1 and server2 eth0. VRIP is 10.200.3.84
>>>>>>
>>>>>>
>>>>>> my haproxy config:
>>>>>> --------------------------
>>>>>> listen ingress_traffic 10.200.3.84:7000 [1]
>>>>>>     mode tcp
>>>>>>     source 0.0.0.0 usesrc clientip
>>>>>>     balance roundrobin
>>>>>>     server server1 192.168.10.10:9001 [2]
>>>>>>     server server2 192.168.20.10:9001 [3]
>>>>>>
>>>>>> Iptables:
>>>>>> -----------
>>>>>> iptables -t mangle -N DIVERT
>>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>>>
>>>>>> ip rule add fwmark 1 lookup 100
>>>>>> ip route add local 0.0.0.0/0 [4] dev lo table 100
>>>>>>
>>>>>>
>>>>>> Now 10.200.2.211 is the master and owns VRIP 10.200.3.84
>>>>>>
>>>>>> When traffic comes to 10.200.3.84:7000 [1], the routing to server2
>>>>>>
>>>>> is successful and end-to-end communication is fine. But the response
>>>>> from server1 (192.168.10.10:9001 [2]) is not reaching HAProxy.
>>>>>
>>>>>>
>>>>>> I cannot have 3rd box for HAProxy alone.
>>>>>>
>>>>>> Any suggestions
>>>>>>
>>>>>> Thank you
>>>>>> -Abdul Jaleel
>>>>>>
>>>>>>
>>>>>> The backends need to have haproxy set as gateway.
>>>>>
>>>>
>>>>
>>>>
>>>> Links:
>>>> ------
>>>> [1] http://10.200.3.84:7000
>>>> [2] http://192.168.10.10:9001
>>>> [3] http://192.168.20.10:9001
>>>> [4] http://0.0.0.0/0
>>>>
>>>
>
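
The check below is an added example, not part of the original messages: it parses `iptables-save -t mangle` text and flags the gap this thread ends on, a missing mangle OUTPUT rule for a backend that runs on the proxy host itself. The function names and the sample ruleset are constructed for illustration; `--set-xmark 0x1/0xffffffff` and the `/32` suffix are how iptables-save normally prints `--set-mark 1` and a bare source address.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `iptables-save -t mangle` text on
# stdin and reports which of the thread's DIVERT rules are absent.
# Live use, as root: iptables-save -t mangle | check_divert 192.168.20.10
# The policy-routing half (ip rule / table 100) is not covered here.

check_divert() {  # check_divert BACKEND_IP ; returns the number of gaps
    cd_rules=$(cat)
    cd_missing=0
    cd_ip=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    cd_need() {  # cd_need DESCRIPTION EXTENDED_REGEX
        if ! printf '%s\n' "$cd_rules" | grep -Eq -- "$2"; then
            echo "missing: $1"
            cd_missing=$((cd_missing + 1))
        fi
    }
    cd_need "DIVERT chain"            '^:DIVERT '
    cd_need "PREROUTING socket match" '^-A PREROUTING .*-m socket .*-j DIVERT'
    cd_need "DIVERT sets mark 1"      '^-A DIVERT .*-j MARK --set-x?mark (0x)?1(/|$)'
    cd_need "DIVERT accepts"          '^-A DIVERT -j ACCEPT'
    # Replies from a backend on the proxy host itself never pass PREROUTING.
    cd_need "OUTPUT rule for $1" "^-A OUTPUT .*-s ${cd_ip}(/32)? .*-j DIVERT"
    return "$cd_missing"
}

sample_ruleset() {  # constructed sample, shaped like iptables-save output
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A OUTPUT -s 192.168.20.10/32 -p tcp -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
EOF
}
```

Running it against the sample with `192.168.10.10` as the backend address reports the OUTPUT rule as missing, because the rule in the sample only covers `192.168.20.10`.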