Y.Y.Y.105 is not the IP of the LVS server internal interface of course - it's the IP of the backend server.

Klavs Klavsen said the following on 08/13/2012 01:20 PM:
> Hi,
>
> I've set up a server, with public IPs (currently only one though) on one
> interface, and an internal IP on another interface - where the backend
> webservers are hosted.
>
> My problem is that I see the request packet (going to X.X.X.167 port
> 80) go through to the backend fine (the SYN packet) and I see the
> backend (which has the LVS server as default gw) respond when I tcpdump
> on the internal interface of the LVS server.
>
> The response, however, is never relayed on the LVS server's external
> interface :(
>
> I hope you can help me debug, or suggest things I could do, to debug.
>
> My setup is as follows:
>
> I've set up ipvs in kernel, using ldirectord - ipvsadm -ln shows:
> TCP  X.X.X.167:80 wrr persistent 900
>   -> Y.Y.Y.105:80      Masq    2      0          0
> TCP  X.X.X.167:443 wrr persistent 900
>   -> Y.Y.Y.105:443     Masq    2      0          0
>
> with X.X.X.167 being my public IP, and Y.Y.Y.105 being the internal one.
>
> Iptables is enabled and output is like this:
> [root@lb1 ~]# iptables -L -n
> Chain INPUT (policy DROP)
> target     prot opt source       destination
> ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
> ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:443
> ACCEPT     tcp  --  B.B.B.162    0.0.0.0/0    state NEW tcp dpt:8080
> REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited
>
> Chain FORWARD (policy DROP)
> target     prot opt source       destination
> ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:443
> ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
> REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source       destination
>
> [root@lb1 ~]# iptables -L -n -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source       destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source       destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source       destination
>

--
Regards,
Klavs Klavsen, GSEC - [email protected] - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - [email protected]
Send requests to [email protected]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
