BTW, we also have a problem with web: sometimes we get Err 503. According to the sniff, NAT is interrupted by the balancer, packets sent to the client are incomplete and sessions are interrupted at the TCP level. After "service iptables stop", everything works fine.
On Fri, Sep 24, 2010 at 8:34 PM, George Machitidze <[email protected]> wrote:
> Guten tag Michael! :)
>
> So, what we have and where the problem is:
>
> We've got an LVS-NAT balancer (hostname "lba1a") with two real interfaces, and
> it is running postfix on localhost. Let's take as an example the globally-available
> *VIP* 123.123.123.123 on one of the interfaces; here is what we have when
> iptables is on:
>
> > [r...@lba1a ~]# telnet 123.123.123.123 25
> > Trying 123.123.123.123...
> > telnet: connect to address 77.92.229.53: Connection timed out
> > [r...@lba1a ~]# telnet 123.123.123.123 25
> > Trying 123.123.123.123...
> > Connected to 123.123.123.123.
> > Escape character is '^]'.
> > 220 123.123.123.123 ESMTP test server
> > ^]
> > telnet> Connection closed.
> > [r...@lba1a ~]# telnet 123.123.123.123 25
> > Trying 123.123.123.123...
> > telnet: connect to address 123.123.123.123: Connection timed out
> > [r...@lba1a ~]# telnet 123.123.123.123 25
> > Trying 123.123.123.123...
> >
> > This VIP in our case is eth0:1, FC13 x86-64; we had the same with FC11 and FC12.
> >
> > [r...@lba1a ~]# iptables -L -n
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> > ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 state NEW
> > ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            helper match "ftp"
> > ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3128 state NEW
> > ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3636
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10000
> > REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > [r...@lba1a ~]# iptables -L -n -t mangle
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > MARK       tcp  --  0.0.0.0/0            123.123.123.123      tcp dpt:21 MARK set 0x15
> > MARK       tcp  --  0.0.0.0/0            123.123.123.123      tcp dpts:1024:65535 MARK set 0x15
> >
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> >
> > [r...@lba1a ~]# iptables -L -n -t nat
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  10.1.0.0/24          10.1.0.0/24
> > MASQUERADE all  --  10.1.0.0/24          0.0.0.0/0
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > [r...@lba1a ~]# ipvsadm --list -n
> IP Virtual Server version 1.2.1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> TCP  123.123.123.123:25 wlc persistent 3600
>   -> 127.0.0.1:25                 Local   50     0          1
> TCP  12.123.123.123:80 wlc persistent 3600
>   -> 10.1.0.3:80                  Masq    50     37         319
>   -> 10.1.0.5:80                  Masq    50     39         120
> FWM  21 wlc
>   -> 10.1.0.3:21                  Masq    10     0          1
>   -> 10.1.0.5:21                  Masq    10     0          0
>   -> 127.0.0.1:21                 Local   10     0          0
>
>
> We tried with LVS redirect to localhost and without... Postfix is working
> fine; there must be a problem somewhere in iptables/LVS.
>
> On Sun, Sep 19, 2010 at 5:37 PM, Michael Schwartzkopff <[email protected]> wrote:
>
>> On Sunday 19 September 2010 13:56:00 თემური დოღონაძე wrote:
>> > Hi.
>> >
>> > We have a cluster with 2 routers and 3 nodes, running a webserver on it.
>> > The mailserver is the 1st router itself.
>> > The problem is that we cannot connect to the SMTP server via the IPVS virtual IP
>> > from inside the router in 90% of tries.
>> > If iptables is down, all goes smoothly and we can connect freely. But if it's
>> > up, it's still possible to connect, but only 1 time in 20 tries or so;
>> > postfix is logging something like:
>> >
>> > lost connection after CONNECT from domain.com.local[127.0.0.1]
>> >
>> > any suggestions?
>>
>> Gamarjoobath,
>>
>> Configs? Logs?
>>
>> Greetings,
>>
>> --
>> Dr. Michael Schwartzkopff
>> Guardinistr. 63
>> 81375 München
>>
>> Tel: (0163) 172 50 98
>>
>> _______________________________________________
>> Please read the documentation before posting - it's available at:
>> http://www.linuxvirtualserver.org/
>>
>> LinuxVirtualServer.org mailing list - [email protected]
>> Send requests to [email protected]
>> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>
>
>
>
> --
> Best regards,
> George Machitidze

--
Best regards,
George Machitidze
