Liu,

Yes, David is right, it is working as expected Full-NAT i.e. source IP transparent. If you want the real servers/backend servers to have Internet access as well then you will need an iptables masquerade rule or something similar for the outgoing traffic.

LVS Half-Nat or SNAT is in mainline kernel, the old way of patching is described here:
http://blog.loadbalancer.org/enabling-snat-in-lvs-xt_ipvs-and-iptables/

But to be honest if you want SNAT/proxy you'd be better off using HAProxy, which is well tested for that purpose...

On 26 July 2012 18:23, David Coulson <[email protected]> wrote:
>
>
> On 7/26/12 12:40 PM, Liu, William wrote:
> > Hi,
> >
> > I am having a problem with LVS NAT configuration where the packets do not look
> > like they are being masqueraded by LVS. Here's my setup:
> >
> > LVS server has 3 interfaces: primary, nat_router, virtual IP
> > 172.5.111.74 -primary
> > 172.25.117.4 - nat router
> > 172.25.117.5 - virtual IP, port 80
> > |---- 172.28.12.56 (Real server)
> >
> > A client (172.25.111.8) connects to 172.25.117.5 on port 80 never gets a
> > response back. What I see on Real server (172.28.12.56) on tcpdump is :
> > 16:35:08.103968 IP 172.25.111.8.34271 > 172.28.12.56.http: S
> > 1718115488:1718115488(0) win 5840 <mss 1460,sackOK,timestamp 500867550
> > 0,nop,wscale 7>
> >
> > This shows source IP of the client and NOT from LVS. I presume in NAT
> > mode, the source IP should be of the "nat router?" From my understanding
> > LVS should have done the header masquerading? I shouldn't have to use
> > IPtables? Please let me know what I have to do for this function to work?
>
> There is a SNAT patch for LVS out on the Internet somewhere, but it is
> not supported by RedHat. With RHEL, none of the three (DR, NAT, TUN)
> mechanisms modify the source IP of the packets.
>
> If you use LVS-NAT, you need to make sure the real server routes the
> packet back through the LVS director so the 'un-NAT' can happen
> correctly before the request goes back to the client.
>
> David
>
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - [email protected]
> Send requests to [email protected]
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users

--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/
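
Added example, not part of the thread: a Python check of the point made in the quoted reply that with LVS-NAT the real server must route its replies back through the director. It does a longest-prefix match over `ip route show` output taken from the real server; the director's inside address 172.28.12.1, the other gateway 172.28.12.254 and both routing tables are constructed for illustration.

```python
import ipaddress

def parse_routes(ip_route_output):
    """Parse `ip route show` text into (network, gateway-or-None) pairs."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types not handled here, e.g. "unreachable ..."
        gw = None
        if "via" in fields[:-1]:
            gw = ipaddress.ip_address(fields[fields.index("via") + 1])
        routes.append((net, gw))
    return routes

def reply_next_hop(routes, client_ip):
    """Gateway the real server uses to reach client_ip (None means on-link)."""
    client = ipaddress.ip_address(client_ip)
    matches = [(net, gw) for net, gw in routes if client in net]
    if not matches:
        raise LookupError("no route to %s" % client_ip)
    # The most specific matching route wins, as in the kernel's lookup.
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def replies_traverse_director(ip_route_output, client_ip, director_ip):
    """True only if replies to client_ip are handed to the director."""
    hop = reply_next_hop(parse_routes(ip_route_output), client_ip)
    return hop == ipaddress.ip_address(director_ip)

CLIENT = "172.25.111.8"      # client address from the thread
DIRECTOR = "172.28.12.1"     # assumed director address on the real-server network
# Constructed `ip route show` output from the real server 172.28.12.56.
BYPASS_ROUTES = """
default via 172.28.12.254 dev eth0
172.28.12.0/24 dev eth0 proto kernel scope link src 172.28.12.56
"""
VIA_DIRECTOR_ROUTES = """
default via 172.28.12.1 dev eth0
172.28.12.0/24 dev eth0 proto kernel scope link src 172.28.12.56
"""

if __name__ == "__main__":
    for name, table in (("bypass", BYPASS_ROUTES), ("via director", VIA_DIRECTOR_ROUTES)):
        print(name, replies_traverse_director(table, CLIENT, DIRECTOR))
```

A client on the real server's own subnet is reported as on-link (next hop `None`), so its replies skip the director even when the default route is correct.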
