Jacoby,

iptables will work on a different physical server, but does not work on the director node; this is due to the way that LVS interacts with netfilter.

More discussion here.... http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.rewrite_ports.html

If you need port re-direction you could use HAProxy instead (but it's not transparent).

On 17 January 2014 18:54, Jacoby Hickerson <hickerso...@gmail.com> wrote:
> Thanks Malcolm for the response. That is how it is set up, the real server is the same as the director node for one of the nodes. Even if connecting to only the primary node while all others are offline it does not work.
>
> I noticed that if I use xinetd forwarding it works, but that's not what I want to use. I wonder why iptables wouldn't be able to work; if there is a method using iptables that'd be great.
>
> Jacoby
>
>
> On Thu, Jan 16, 2014 at 11:41 PM, Malcolm Turnbull <malc...@loadbalancer.org> wrote:
>
>> Jacoby,
>>
>> You could put the iptables rules on each real server instead? (which would do the same trick.)
>> LVS is on the INPUT chain so it's very hard to use iptables rules like this on the director node.
>> There may be a way, I just don't know of it.
>>
>>
>>
>> On 17 January 2014 01:27, Jacoby Hickerson <hickerso...@gmail.com> wrote:
>> > I've searched Google and this mailing list but haven't quite seen the same configuration and/or setup as mine.
>> >
>> > The ldirectord documentation states that port mapping on the same server where the director resides is not possible other than masq; however, it says "non-fwmark". My setup is using fwmark; however, when trying to port map from port 80 to another port, the client connection hangs. Here are the exact details of my setup:
>> >
>> > The VIP is on the same box as the director and RIP 172.17.0.16. This setup works fine when no port mapping is being done, but I need to move the port to something higher than 1024.
>> >
>> > virtual=172.17.0.24:80
>> > real=172.17.0.16:50000 gate 100
>> > real=172.17.0.17:50000 gate 100
>> > service=http
>> > scheduler=rr
>> > protocol=tcp
>> > checktype=connect
>> > fwmark=100
>> >
>> > iptables:
>> > iptables -t mangle -A PREROUTING -d 172.17.0.24/32 ! -i lo -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x64/0xffffffff
>> > iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 50000
>> > iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 50000
>> >
>> > Issue:
>> > curl -v 'http://172.17.0.24'
>> > * About to connect() to 172.17.0.24 port 80 (#0)
>> > * Trying 172.17.0.24...
>> >
>> > 00:41:44.503581 IP 172.17.0.2.46099 > 172.17.0.24.80: Flags [S], seq 1066084928, win 14600, options [mss 1460,sackOK,TS val 2520815062 ecr 0,nop,wscale 7], length 0
>> > 00:41:44.503581 IP 172.17.0.2.46099 > 172.17.0.24.80: Flags [S], seq 1066084928, win 14600, options [mss 1460,sackOK,TS val 2520815062 ecr 0,nop,wscale 7], length 0
>> > 00:41:44.503658 IP 172.17.0.16.50000 > 172.17.0.2.46099: Flags [S.], seq 824291086, ack 1066084929, win 14480, options [mss 1460,sackOK,TS val 9521949 ecr 2520815062,nop,wscale 7], length 0
>> > 00:41:44.503663 IP 172.17.0.16.50000 > 172.17.0.2.46099: Flags [S.], seq 824291086, ack 1066084929, win 14480, options [mss 1460,sackOK,TS val 9521949 ecr 2520815062,nop,wscale 7], length 0
>> >
>> > So the problem I'm having is that the source ip is not being translated by iptables but sent via lvs as the RIP. Is there a kernel option, iptables option or ipvsadm option that would allow it to change it back to the VIP?
>> >
>> > Any help would be very appreciated!
>> >
>> > Jacoby
>> > _______________________________________________
>> > Please read the documentation before posting - it's available at:
>> > http://www.linuxvirtualserver.org/
>> >
>> > LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
>> > Send requests to lvs-users-requ...@linuxvirtualserver.org
>> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>>
>>
>>
>> --
>> Regards,
>>
>> Malcolm Turnbull.
>>
>> Loadbalancer.org Ltd.
>> Phone: +44 (0)870 443 8779
>> http://www.loadbalancer.org/
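As an added check on the symptom Jacoby captured (this is example code written here, not code from the thread, from LVS or from ldirectord): the script parses tcpdump's one-line output and flags every flow whose SYN went to the VIP but whose SYN-ACK came back from a different address and port, which is exactly the 172.17.0.16.50000 reply to a SYN sent to 172.17.0.24.80 shown above. The capture lines and the function names are constructed for the example.

```python
import re

# Constructed sample in tcpdump's one-line format. The endpoints mirror the
# capture quoted in the thread (client 172.17.0.2, VIP 172.17.0.24:80, real
# server 172.17.0.16:50000); the second flow is a healthy one for contrast.
SAMPLE_CAPTURE = """\
00:41:44.503581 IP 172.17.0.2.46099 > 172.17.0.24.80: Flags [S], seq 1066084928, win 14600, length 0
00:41:44.503658 IP 172.17.0.16.50000 > 172.17.0.2.46099: Flags [S.], seq 824291086, ack 1066084929, win 14480, length 0
00:41:44.503663 IP 172.17.0.16.50000 > 172.17.0.2.46099: Flags [S.], seq 824291086, ack 1066084929, win 14480, length 0
00:41:50.100000 IP 172.17.0.2.46100 > 172.17.0.24.80: Flags [S], seq 5, win 14600, length 0
00:41:50.100050 IP 172.17.0.24.80 > 172.17.0.2.46100: Flags [S.], seq 9, ack 6, win 14480, length 0
"""

# "<timestamp> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]"
PACKET_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"Flags \[([^\]]*)\]")

def parse_packet(line):
    """Return ((src_ip, src_port), (dst_ip, dst_port), flags) or None."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return (src, int(sport)), (dst, int(dport)), flags

def find_untranslated_synacks(capture):
    """Return (client, vip, replier) triples for each flow whose SYN went to
    `vip` but whose SYN-ACK came from another endpoint. The client's TCP stack
    has no connection matching that reply and drops it, so the connection
    hangs. Duplicate packets (the capture shows each twice) collapse to one."""
    syn_target = {}   # client endpoint -> where its SYN was sent
    findings = []
    for line in capture.splitlines():
        packet = parse_packet(line)
        if packet is None:
            continue
        src, dst, flags = packet
        if flags == "S":           # bare SYN from the client
            syn_target[src] = dst
        elif flags == "S.":        # SYN-ACK addressed to the client
            expected = syn_target.get(dst)
            if expected is not None and expected != src:
                finding = (dst, expected, src)
                if finding not in findings:
                    findings.append(finding)
    return findings
```

Feed it the text of `tcpdump -n` taken on the client or the director; an empty result means every SYN-ACK left with the VIP as its source.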