Hi,

It can be done on LVS-NAT. I had to turn off my blog for a short while but it will be back up soon. Here's the Google cached page: http://webcache.googleusercontent.com/search?q=cache:a56hmlO2YpoJ:mobiuscircle.com/+mobius+circle+lvs&cd=1&hl=en&ct=clnk&gl=us

My work is largely inspired by Jonathan and Karen's blog post here: http://developingrapids.blogspot.com/2006/05/conning-mark-multiwan-connections.html

Long story short:
- Use your management/ssh network as the default route, i.e. your normal default gateway, NOT the director (contrary to the standard docs).
- Use iptables and fwmarks to tag packets, and reply via the appropriate route based on the inbound connection route.

Method:

The assumption is that you have 2 internal VLANs, one for "management" traffic and one for LVS traffic. I'll call those:

  InternalNet 192.168.1.x
  LVSNet      192.168.2.x

The LVS director is 192.168.2.100.

Steps:

On real servers:
- Use your normal default gateway for your network, NOT the LVS director, e.g. 192.168.1.1.
- Use mangle table PREROUTING firewall marks to mark any LVS traffic with fwmark 2.
- Use mangle table PREROUTING firewall marks to mark any non-LVS traffic with fwmark 1 (may be redundant).
- Use ip rules to direct any traffic received with fwmark 2 via the LVSNet table (192.168.2.100 gateway).
- Use ip rules to direct any traffic received on 192.168.2.x via the LVSNet table (192.168.2.100 gateway; may be redundant).
- Use ip rules to direct any traffic received with fwmark 1 via the InternalNet table (192.168.1.1 gateway; may be redundant to the default route).
- Use ip rules to direct any traffic received on 192.168.1.x via the InternalNet table (192.168.1.1 gateway; may be redundant).

Detailed Steps:

Configuration:
===========

1) Add two tables to your /etc/iproute2/rt_tables:

  200 InternalNet
  201 LVSNet

2) Set your default gateway to 192.168.1.1 (/etc/sysconfig/network):

  GATEWAY=192.168.1.1

3) In your iptables mangle table (for real server 192.168.1.112), add the following. On other real servers, replace the IP address 192.168.1.112 with that of the current real server:

  -A PREROUTING -j CONNMARK --restore-mark
  -A PREROUTING -m mark --mark 0x1 -j ACCEPT
  -A PREROUTING -d 192.168.1.112 -j MARK --set-mark 0x1
  -A PREROUTING -m mark --mark 0x2 -j ACCEPT
  -A PREROUTING -d 192.168.2.112 -j MARK --set-mark 0x2
  -A PREROUTING -j CONNMARK --save-mark

4) Set up IP routes and rules (for each real server, change the IP addresses in the rules below to those of that real server):

routes: /etc/sysconfig/network-scripts/route-eth1

  default table InternalNet via 192.168.1.1
  default table LVSNet via 192.168.2.100

rules: /etc/sysconfig/network-scripts/rule-eth1

  from 192.168.1.112 table InternalNet
  from 192.168.2.112 table LVSNet
  fwmark 1 lookup InternalNet
  fwmark 2 lookup LVSNet

---- DONE ----

Net result is that LVS-NAT based inbound connections route back out through the LVS director appropriately, even though your default gateway is on 192.168.1.1. All other real server requests route through your normal LAN default gateway. If that outbound request is to one of your LVS VIPs (real server as client), the connection goes via your normal LAN to the front end of the LVS director, and the reply comes back the same path.

Cheers,
James

_______________________________________________
Please read the documentation before posting - it's available at: http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [email protected] or go to http://lists.graemef.net/mailman/listinfo/lvs-users
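The per-real-server setup described in the post above (the mangle marks, the two routing tables, and the source/fwmark rules), as an added example script that is not from James's post or from the LVS project. It prints the equivalent iptables and ip commands for one real server so they can be reviewed, and applies them only when asked to and only as root. Assumptions that go beyond the post: the numeric table IDs 200/201 are used directly instead of the InternalNet/LVSNet names (those names only resolve after the rt_tables edit); `ip route replace` is used for the two default routes so the script can be rerun; and one extra line, `CONNMARK --restore-mark` in the mangle OUTPUT chain, is added so the fwmark rules also see locally generated reply packets, which never traverse PREROUTING (the post relies on the `from` rules for those replies, and that part is kept as written).

```shell
#!/bin/sh
# Added example, not the original post's files. Generates (and optionally
# applies) the policy-routing setup for one LVS-NAT real server that has an
# InternalNet address and an LVSNet address. Assumed defaults, matching the
# post: marks 1/2, table IDs 200 (InternalNet) and 201 (LVSNet).

# Accepts only a dotted-quad IPv4 address; rejects anything else so a typo
# cannot end up in an ip rule. Returns 0 on success, 1 on failure.
is_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Usage: lvs_policy_routing_cmds INTERNAL_IP LVS_IP INTERNAL_GW DIRECTOR_IP
# Prints one command per line; nothing is executed here.
lvs_policy_routing_cmds() {
    [ $# -eq 4 ] || {
        echo "usage: lvs_policy_routing_cmds INTERNAL_IP LVS_IP INTERNAL_GW DIRECTOR_IP" >&2
        return 2
    }
    for a in "$@"; do
        is_ipv4 "$a" || { echo "bad IPv4 address: $a" >&2; return 2; }
    done
    internal_ip=$1; lvs_ip=$2; internal_gw=$3; director=$4
    internal_table=200   # "InternalNet" once added to /etc/iproute2/rt_tables
    lvs_table=201        # "LVSNet"

    cat <<EOF
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark --mark 0x1 -j ACCEPT
iptables -t mangle -A PREROUTING -d $internal_ip -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -m mark --mark 0x2 -j ACCEPT
iptables -t mangle -A PREROUTING -d $lvs_ip -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
ip route replace default via $internal_gw table $internal_table
ip route replace default via $director table $lvs_table
ip rule add from $internal_ip table $internal_table
ip rule add from $lvs_ip table $lvs_table
ip rule add fwmark 0x1 table $internal_table
ip rule add fwmark 0x2 table $lvs_table
EOF
}
# The mangle OUTPUT line above is this example's addition: reply packets are
# locally generated and skip PREROUTING, so without it the fwmark rules only
# act on forwarded traffic and the "from" rules do all the work for replies.

# Runs the generated commands. Stops at the first failing command.
lvs_policy_routing_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
    lvs_policy_routing_cmds "$@" | sh -e
}

# Command-line entry point; with no arguments the script only defines
# the functions (so it can be sourced).
case ${1:-} in
    print) shift; lvs_policy_routing_cmds "$@" ;;
    apply) shift; lvs_policy_routing_apply "$@" ;;
esac
```

Run it as `sh lvs-policy-routing.sh print 192.168.1.112 192.168.2.112 192.168.1.1 192.168.2.100` to review the commands for that real server, and `apply` instead of `print` to execute them. Note that `ip rule add` does not deduplicate, so running `apply` twice leaves duplicate rules; check the result with `ip rule show` and `ip route show table 201`, and for persistence across reboots use the route-eth1/rule-eth1 files the post describes rather than this script.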
