> Hi,
>
> I have a strange problem and I can't seem to find clear information on
> how to do this.
>
> I have 2 load balancers set up with keepalived in NAT mode, with 2 interfaces each
>
> internal vip - 192.168.0.199
> external vip - 195.x.x.21
>
> lb1 - master
> bond0 - private - 192.168.0.239
> eth5 - public - 195.x.x.41
>
> lb1 - slave
> bond0 - private - 192.168.0.238
> eth5 - public - 195.x.x.42
>
> Results of watch -n 0.5 ipvsadm -ln
>
> Every 0.5s: ipvsadm -ln                              Tue Jun  7 14:15:25 2011
>
> IP Virtual Server version 1.2.1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> TCP  192.168.0.198:3306 wrr
>   -> 192.168.0.239:4041           Local   1      0          0
> TCP  192.168.0.199:80 rr
>   -> 192.168.0.235:80             Masq    1      0          0
>   -> 192.168.0.236:80             Masq    1      0          0
>   -> 192.168.0.237:80             Masq    1      0          0
> TCP  192.168.0.199:443 rr
>   -> 192.168.0.235:443            Masq    1      0          0
>   -> 192.168.0.236:443            Masq    1      0          0
>   -> 192.168.0.237:443            Masq    1      0          0
>
> I can't seem to NAT incoming connections from the external IP to the internal IP.
> I have managed to allow outgoing from the cluster to public using
>
> iptables -t nat -A POSTROUTING -o eth5 -j MASQUERADE
>
> or
>
> iptables -t nat -A POSTROUTING ! -d 192.168.0.1/24 -j SNAT --to 195.x.x.21
>
> I have tried this:
>
> iptables -t nat -A PREROUTING --dst 195.x.x.21 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.235
>
> which works but directs traffic to 1 server in the cluster, but if I
> try the internal VIP I get nothing
>
> iptables -t nat -A PREROUTING --dst 195.x.x.21 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.199
>
> When I test with wget from any LAN PC I get the following error in syslog
>
> Jun 7 14:11:30 lb1 kernel: [ 6845.854613] ip_rt_bug: 217.35.126.204 -> 192.168.0.199, eth5
>
> Can anyone help?
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - [email protected]
> Send requests to [email protected]
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
I have tried the following:

iptables -t nat -A PREROUTING --dst 195.x.x.21 -p tcp --dport 80 -j LOG --log-level warn --log-prefix "INPUT port80-"
iptables -t nat -A PREROUTING -i eth5 --dst 195.x.x.21 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.199:80
iptables -t nat -A POSTROUTING ! -d 192.168.0.1/24 -j LOG --log-level warn --log-prefix "OUT port80-"
iptables -t nat -A PREROUTING --dst 195.x.x.21 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.199:80

and in my /var/log/messages I see the following when trying to access the internal VIP, either by telnetting to the public VIP, or with netcat, wget or a browser:

Jun 7 16:04:20 lb1 kernel: [13615.643902] INPUT port80-IN=eth5 OUT= MAC=60:eb:69:dc:17:ab:ec:c8:82:e4:ee:01:08:00 SRC=217.35.126.204 DST=195.x.x.21 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=35908 DF PROTO=TCP SPT=38764 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Jun 7 16:00:44 lb1 kernel: [13399.730256] OUT port80-IN= OUT=eth5 SRC=192.168.0.237 DST=74.201.14.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=58040 DF PROTO=TCP SPT=35769 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

These are the same messages I get when I use a physical server in the iptables rules, such as 192.168.0.237, instead of the VIP.
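A small parser for the kernel LOG lines quoted above, added here as a worked example (it is not code from the thread or from the LVS project): it takes the two posted lines as constructed sample input, splits each into hook direction, 5-tuple and TCP flags, and checks whether a logged packet would have matched the selectors of a given PREROUTING rule. Function and field names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two kernel LOG lines posted in the reply above, copied as posted.
SAMPLE_LOG = """\
Jun 7 16:04:20 lb1 kernel: [13615.643902] INPUT port80-IN=eth5 OUT= MAC=60:eb:69:dc:17:ab:ec:c8:82:e4:ee:01:08:00 SRC=217.35.126.204 DST=195.x.x.21 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=35908 DF PROTO=TCP SPT=38764 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Jun 7 16:00:44 lb1 kernel: [13399.730256] OUT port80-IN= OUT=eth5 SRC=192.168.0.237 DST=74.201.14.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=58040 DF PROTO=TCP SPT=35769 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# "kernel: [uptime] <--log-prefix text>IN=..." - the prefix runs up to the first IN= key.
_LINE_RE = re.compile(r"kernel: \[\s*(?P<uptime>[\d.]+)\] (?P<prefix>.*?)IN=(?P<rest>.*)$")

@dataclass
class LogEntry:
    uptime: float
    prefix: str   # text given with --log-prefix, e.g. "INPUT port80-"
    fields: dict  # KEY=VALUE pairs; value is "" when the key was empty (OUT= on an inbound packet)
    flags: set    # bare tokens such as DF, SYN, ACK

def parse_nflog_line(line: str):
    """Parse one netfilter LOG line; returns None for lines that are not LOG output."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for token in ("IN=" + m.group("rest")).split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        else:
            flags.add(token)
    return LogEntry(float(m.group("uptime")), m.group("prefix"), fields, flags)

def parse_nflog(text: str):
    return [e for e in map(parse_nflog_line, text.splitlines()) if e]

def direction(e: LogEntry) -> str:
    """IN only: packet arriving at the host; OUT only: leaving it; both: being forwarded."""
    if e.fields.get("IN") and e.fields.get("OUT"):
        return "forward"
    return "inbound" if e.fields.get("IN") else "outbound"

def five_tuple(e: LogEntry):
    f = e.fields
    return (f.get("PROTO"), f.get("SRC"), int(f.get("SPT", 0)), f.get("DST"), int(f.get("DPT", 0)))

def matches_rule(e: LogEntry, dst: str, proto: str, dport: int, in_iface=None) -> bool:
    """Would a rule with '[-i IFACE] --dst DST -p PROTO --dport DPORT' match this logged packet?"""
    proto_ok = e.fields.get("PROTO") == proto and int(e.fields.get("DPT", 0)) == dport
    return e.fields.get("DST") == dst and proto_ok and (in_iface is None or e.fields.get("IN") == in_iface)
```

Because the LOG rule sits before the DNAT rule in the nat PREROUTING chain, DST in the "INPUT port80-" line is the address before translation; a LOG rule placed after the DNAT, or in POSTROUTING, shows the translated destination instead.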
