Thanks, Michael. Is this applicable to our LVS server if we are trying to connect to the VIP of this LVS server from the LVS server itself, and will there be no need to change our rules, just an upgrade of the kernel?
Where can we find the patch for the kernel? I don't see any changes in mainline 2.6.36-rc6 :( Currently we use kernel-2.6.34.7-56.fc13.x86_64 (Fedora) with generic patches; we can ask Fedora to include them as a fix before 2.6.36 is included (probably FC14, ~1 month left).

On Wed, Sep 29, 2010 at 7:33 PM, Michael Schwartzkopff <[email protected]> wrote:

> On Friday 24 September 2010 18:34:23 you wrote:
> > Guten Tag Michael! :)
> >
> > So, what we have and where is the problem:
> >
> > We've got an LVS-NAT balancer (hostname "lba1a") with two real interfaces and
> > it is running postfix on localhost; let's take as an example the globally-available
> > VIP 123.123.123.123 on one of the interfaces. Here is what we have when
> > iptables is on:
> >
> > [r...@lba1a ~]# telnet 123.123.123.123 25
> > Trying 123.123.123.123...
> > telnet: connect to address 77.92.229.53: Connection timed out
> >
> > [r...@lba1a ~]# telnet 123.123.123.123 25
> > Trying 123.123.123.123...
> > Connected to 123.123.123.123.
> > Escape character is '^]'.
> > 220 123.123.123.123 ESMTP test server
> > ^]
> > telnet> Connection closed.
> >
> > [r...@lba1a ~]# telnet 123.123.123.123 25
> > Trying 123.123.123.123...
> > telnet: connect to address 123.123.123.123: Connection timed out
> >
> > [r...@lba1a ~]# telnet 123.123.123.123 25
> > Trying 123.123.123.123...
> >
> > This VIP in our case is eth0:1, FC13 x86-64; we had the same with FC11 and FC12.
> >
> > [r...@lba1a ~]# iptables -L -n
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> > ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 state NEW
> > ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           helper match "ftp"
> > ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3128 state NEW
> > ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 state NEW
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3636
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
> > REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > [r...@lba1a ~]# iptables -L -n -t mangle
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > MARK       tcp  --  0.0.0.0/0            123.123.123.123     tcp dpt:21 MARK set 0x15
> > MARK       tcp  --  0.0.0.0/0            123.123.123.123     tcp dpts:1024:65535 MARK set 0x15
> >
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> >
> > [r...@lba1a ~]# iptables -L -n -t nat
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  10.1.0.0/24          10.1.0.0/24
> > MASQUERADE all  --  10.1.0.0/24          0.0.0.0/0
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > [r...@lba1a ~]# ipvsadm --list -n
> > IP Virtual Server version 1.2.1 (size=4096)
> > Prot LocalAddress:Port Scheduler Flags
> >   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> > TCP  123.123.123.123:25 wlc persistent 3600
> >   -> 127.0.0.1:25                 Local   50     0          1
> > TCP  12.123.123.123:80 wlc persistent 3600
> >   -> 10.1.0.3:80                  Masq    50     37         319
> >   -> 10.1.0.5:80                  Masq    50     39         120
> > FWM  21 wlc
> >   -> 10.1.0.3:21                  Masq    10     0          1
> >   -> 10.1.0.5:21                  Masq    10     0          0
> >   -> 127.0.0.1:21                 Local   10     0          0
> >
> > We tried with LVS redirecting to localhost and without... Postfix is working
> > fine; there must be a problem somewhere in iptables/LVS.
>
> Hi,
>
> there is a problem with netfilter NAT interfering with IPVS NAT. This problem
> was only solved recently. So for now DO NOT mix both NATs.
>
> See:
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.non-modified_realservers.html
>
> This feature is only implemented in kernel 2.6.36. So please be patient. Sorry.
>
> Greetings to Tbilisi!
>
> --
> Dr. Michael Schwartzkopff
> Guardinistr. 63
> 81375 München
>
> Tel: (0163) 172 50 98
>

--
Best regards,
George Machitidze

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - [email protected]
Send requests to [email protected]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
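An added example, not part of the thread and not code from either poster or from the LVS project: a small POSIX shell check for the combination Michael warns about, netfilter NAT rules in the `nat` table alongside IPVS `Masq` forwarders on a kernel older than 2.6.36. The sample rule dumps are constructed, modelled on the `iptables -t nat -L -n` and `ipvsadm -L -n` output George posted; the 2.6.36 threshold is taken from Michael's reply; reading "do not mix both NATs" as "any MASQUERADE/SNAT/DNAT/REDIRECT target plus any Masq real server" is this example's own assumption, as is treating a `-rcN` kernel as the final release for comparison purposes.

```shell
#!/bin/sh
# Added example: flag netfilter NAT mixed with IPVS NAT on a pre-2.6.36 kernel.
# Not from the mailing-list thread; the dumps below are constructed samples.

# Constructed sample of `iptables -t nat -L -n`, modelled on George's director.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.1.0.0/24          10.1.0.0/24
MASQUERADE all  --  10.1.0.0/24          0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample of `ipvsadm -L -n`, modelled on the same director.
SAMPLE_IPVS='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  123.123.123.123:25 wlc persistent 3600
  -> 127.0.0.1:25                 Local   50     0          1
TCP  123.123.123.123:80 wlc persistent 3600
  -> 10.1.0.3:80                  Masq    50     37         319
  -> 10.1.0.5:80                  Masq    50     39         120'

# uses_netfilter_nat DUMP: succeeds if the nat table holds a NAT target.
# (Assumed rule of thumb: any of these targets counts as "netfilter NAT".)
uses_netfilter_nat() {
    printf '%s\n' "$1" | grep -Eq '^(MASQUERADE|SNAT|DNAT|REDIRECT)[[:space:]]'
}

# uses_ipvs_nat DUMP: succeeds if any real server is forwarded with Masq.
uses_ipvs_nat() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*->[[:space:]].*[[:space:]]Masq[[:space:]]'
}

# kernel_at_least HAVE WANT: succeeds if version HAVE >= WANT (numeric a.b.c).
# Everything after the first non-digit/non-dot (e.g. "-56.fc13", "-rc6") is
# dropped, so a release candidate compares as the final release (assumption).
kernel_at_least() {
    have=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    want=$2
    set -- $(printf '%s\n' "$have" | tr '.' ' ')
    h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $(printf '%s\n' "$want" | tr '.' ' ')
    w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
    [ "$h1" -gt "$w1" ] && return 0
    [ "$h1" -lt "$w1" ] && return 1
    [ "$h2" -gt "$w2" ] && return 0
    [ "$h2" -lt "$w2" ] && return 1
    [ "$h3" -ge "$w3" ]
}

# mixed_nat_risk KERNEL NATDUMP IPVSDUMP: prints "risk" (status 1) when both
# NATs are in use on a kernel below 2.6.36, otherwise "ok" (status 0).
mixed_nat_risk() {
    if uses_netfilter_nat "$2" && uses_ipvs_nat "$3" && ! kernel_at_least "$1" 2.6.36; then
        echo risk
        return 1
    fi
    echo ok
    return 0
}

# Offline demonstration against the constructed samples and George's kernel.
mixed_nat_risk 2.6.34.7-56.fc13.x86_64 "$SAMPLE_NAT" "$SAMPLE_IPVS"
```

On a live director, run it as root with the real dumps: `mixed_nat_risk "$(uname -r)" "$(iptables -t nat -L -n)" "$(ipvsadm -L -n)"`. A "risk" result means the director is in the configuration Michael describes, and the options are to drop one of the two NATs (for example, stop MASQUERADE-ing the real-server subnet and let IPVS do the rewriting, or move to LVS-DR) or to upgrade to 2.6.36 or later; the check says nothing about whether a given upgrade is otherwise safe.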
