Hi Dmitry,

Nice to see you pop up here (I was the CGP person at Loughborough Uni).

On Fri, 2012-01-06 at 11:15 +0400, Dmitry Akindinov wrote:
> Is there any way to redirect a packet without modification to a
> different server (substituting the target MAC),
> using just the iptables module? Or is there a way to manage LVS director
> connection tables for this purpose: directing the tcp connection
> response packets to the proper real server?

As Julian suggested, probably the easiest way to do this is to use fwmarks.

On the director, have an iptables rule (or rules) matching ports 80, 443 and so on which sets a MARK value of (say) 0x1. Then have a virtual server set up to catch traffic with mark value 0x1 and forward it to the ten realservers (using the examples from the man page for clarity and ease of reproduction; your usage may vary with how you're managing the VS):

    ipvsadm -A -f 1 -s rr
    ipvsadm -a -f 1 -r [RIP1] -g
    ...
    ipvsadm -a -f 1 -r [RIP10] -g

Also on the director, have an iptables rule using the multiport module which matches each realserver's port range, something like this:

    iptables -I INPUT -p tcp -m multiport -d VIP1 --destination-ports 16000:16999 -j MARK --set-mark 0x101

and then create a virtual service to match that and forward to the first realserver:

    ipvsadm -A -f 101 -s rr
    ipvsadm -a -f 101 -r [RIP1] -g

Rinse and repeat for all server/port ranges.

As Julian also points out, be wary of this overloading the director.

I'd be very interested to know what you're scaling out with this approach!

Regards,

Graeme

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - [email protected]
Send requests to [email protected]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
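As an added example (not part of Graeme's post or of the LVS project), here is a POSIX shell script that generates the complete director rule set described in the reply for any number of realservers: one shared mark for ports 80/443 round-robined across all of them, plus one mark and one 1000-port range per realserver. The VIP, the realserver addresses, the base port 16000 and the mark numbers are placeholder assumptions. It puts the MARK rules in the mangle PREROUTING chain (where the director sees the packet before IPVS hooks it) and uses the same decimal mark value in both the iptables and the ipvsadm command so the two sides cannot disagree; run it with `--print` and pipe into a root shell on the director, or review the output first.

```shell
#!/bin/sh
# Added example: generate fwmark-based LVS director rules for N realservers.
# All addresses, ports and mark numbers below are placeholder assumptions.

VIP="${VIP:-192.0.2.10}"          # placeholder virtual IP (assumption)
BASE_PORT="${BASE_PORT:-16000}"   # first realserver's port range starts here
RANGE="${RANGE:-1000}"            # ports owned by each realserver
SHARED_MARK=1                     # mark for the 80/443 round-robin service
PER_RS_MARK_BASE=100              # per-realserver marks become 101, 102, ...

# Emit the rule set for VIP $1 and the realserver IPs given as the remaining
# arguments. Output is plain commands, one per line, so it can be reviewed
# before being applied.
gen_lvs_rules() {
    vip="$1"; shift

    # Shared service: ports 80 and 443 on the VIP get mark SHARED_MARK and
    # are balanced round-robin across every realserver (direct routing, -g).
    echo "iptables -t mangle -A PREROUTING -p tcp -d $vip -m multiport --dports 80,443 -j MARK --set-mark $SHARED_MARK"
    echo "ipvsadm -A -f $SHARED_MARK -s rr"
    for rip in "$@"; do
        echo "ipvsadm -a -f $SHARED_MARK -r $rip -g"
    done

    # Per-realserver services: realserver i owns ports
    # BASE_PORT+(i-1)*RANGE .. BASE_PORT+i*RANGE-1 and gets its own mark,
    # so a connection to that range is always forwarded to that server.
    i=0
    for rip in "$@"; do
        i=$((i + 1))
        mark=$((PER_RS_MARK_BASE + i))
        lo=$((BASE_PORT + (i - 1) * RANGE))
        hi=$((lo + RANGE - 1))
        echo "iptables -t mangle -A PREROUTING -p tcp -d $vip -m multiport --dports $lo:$hi -j MARK --set-mark $mark"
        echo "ipvsadm -A -f $mark -s rr"
        echo "ipvsadm -a -f $mark -r $rip -g"
    done
}

# Number of commands the generator produces: 2 + 4 * (number of realservers).
count_rules() {
    gen_lvs_rules "$@" | wc -l | tr -d ' '
}

# Usage on the director (as root):  sh thisscript.sh --print 10.0.0.1 10.0.0.2 | sh
if [ "${1:-}" = "--print" ]; then
    shift
    gen_lvs_rules "$VIP" "$@"
fi
```

Applying the rules with `| sh` is deliberate: the script itself never calls iptables or ipvsadm, so you can diff its output against `ipvsadm -L -n` and `iptables -t mangle -L PREROUTING -n` before changing anything on a live director.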
