Re: HAProxy and backend on the same box

2015-11-16 Thread jaleel
Hello All,

After having a look in iptables, I am able to solve this issue.

Added the following line in iptables:

iptables -t mangle -A OUTPUT -s 192.168.20.10 -p tcp -j DIVERT

thanks much,

Regards,
-Abdul Jaleel

On Mon, Nov 16, 2015 at 3:31 PM, jaleel <abduljal...@gmail.com> wrote:

> Hello All,
>
> Need help regarding the iptables
>
> For the packet coming from network, I set the iptables as following
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> For the packet generated locally, I think I need to set the mangle table
> in OUTPUT chain so that HAProxy will capture locally generated packet as
> well.
>
> How do I create the OUTPUT chain mangle table?
>
> Regards,
> -Abdul jaleel K
>
> On Fri, Nov 13, 2015 at 1:12 PM, Aleksandar Lazic <al-hapr...@none.at>
> wrote:
>
>> Hi.
>>
>> But do you really think this is a haproxy Problem?
>>
>> On 13-11-2015 08:38, Aleksandar Lazic wrote:
>>
>>> On 13-11-2015 06:14, jaleel wrote:
>>>
>>>> It works if HAProxy and backend are in different box, but when both are
>>>> in same box it didn't work
>>>>
>>>
>>> Maybe because the iptables rule is different from 'localhost' than
>>> from external.
>>>
>>> Please take a look at the picture
>>>
>>>
>>> https://ixquick-proxy.com/do/spg/show_picture.pl?l=english=1=http%3A%2F%2Ferlerobotics.gitbooks.io%2Ferle-robotics-introduction-to-linux-networking%2Fcontent%2Fsecurity%2Fimg9%2Fiptables.gif=5ac7f7d4aa8327c04f456b9db2362108
>>>
>>
>> or this one
>>
>> http://inai.de/images/nf-packet-flow.png
>>
>> from this site
>>
>>
>> http://serverfault.com/questions/345111/iptables-target-to-route-packet-to-specific-interface
>>
>>
>> and the document for this Picture.
>>>
>>>
>>> https://erlerobotics.gitbooks.io/erle-robotics-introduction-to-linux-networking/content/security/introduction_to_iptables.html
>>>
>>> I think you should add some lines into the postrouting table
>>>
>>> BR Aleks
>>>
>>> On Fri, Nov 13, 2015 at 1:56 AM, Igor Cicimov
>>>> <ig...@encompasscorporation.com> wrote:
>>>>
>>>> On 13/11/2015 1:04 AM, "jaleel" <abduljal...@gmail.com> wrote:
>>>>>
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I am trying to setup the following for deployment
>>>>>>
>>>>>> I have 2 servers.
>>>>>> server1: eth0:10.200.2.211 (255.255.252.0)
>>>>>> eth1: 192.168.10.10 (255.255.255.0)
>>>>>> server2: eth0: 10.200.2.242 (255.255.252.0)
>>>>>> eth1: 192.168.20.10 (255.255.255.0)
>>>>>>
>>>>>> VRRP between server1 and server2 eth0. VRIP is 10.200.3.84
>>>>>>
>>>>>>
>>>>>> my haproxy config:
>>>>>> --
>>>>>> listen  ingress_traffic 10.200.3.84:7000
>>>>>> mode tcp
>>>>>> source 0.0.0.0 usesrc clientip
>>>>>> balance roundrobin
>>>>>> server server1 192.168.10.10:9001
>>>>>> server server2 192.168.20.10:9001
>>>>>>
>>>>>> Iptables:
>>>>>> ---
>>>>>> iptables -t mangle -N DIVERT
>>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>>>
>>>>>> ip rule add fwmark 1 lookup 100
>>>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>>>
>>>>>>
>>>>>> Now 10.200.2.211 is the master and owns VRIP 10.200.3.84
>>>>>>
>>>>>> When traffic comes to 10.200.3.84:7000, the routing to server2
>>>>>> is successful and end-to-end communication is fine. But the response
>>>>>> from server1 (192.168.10.10:9001) is not reaching HAProxy.
>>>>>>
>>>>>> I cannot have 3rd box for HAProxy alone.
>>>>>>
>>>>>> Any suggestions
>>>>>>
>>>>>> Thank you
>>>>>> -Abdul Jaleel
>>>>>>
>>>>>
>>>>> The backends need to have haproxy set as gateway.
>>>>>
>>>>
>>>>
>>>
>
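
An idempotent form of the rule set this thread ends up with, as an added example that is not part of the original messages: it prints the PREROUTING rules from the first post plus the OUTPUT rule from the fix, so they can be reviewed before being piped to a root shell. `tproxy_rules` and `add_once` are hypothetical helper names, and the optional `--sport` narrowing is this example's assumption, not something the thread tested.

```shell
#!/bin/sh
# Added example, not from the thread. Prints commands only; nothing is applied
# until the output is piped to `sh` as root.

add_once() {  # emit "append this mangle rule unless it already exists"
    printf 'iptables -t mangle -C %s 2>/dev/null || iptables -t mangle -A %s\n' "$1" "$1"
}

# tproxy_rules LOCAL_BACKEND_IP [BACKEND_PORT]
tproxy_rules() {
    ip=$1
    port=${2:-}
    # Only digits and dots (address) or digits (port) reach the emitted commands.
    case $ip in ''|*[!0-9.]*) echo "bad address: $ip" >&2; return 1 ;; esac
    case $port in *[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac

    # Rules for traffic arriving from the network (first post in the thread).
    echo 'iptables -t mangle -N DIVERT 2>/dev/null || true'
    add_once 'DIVERT -j MARK --set-mark 1'
    add_once 'DIVERT -j ACCEPT'
    add_once 'PREROUTING -p tcp -m socket -j DIVERT'

    # Rule for replies generated by a backend on the HAProxy host itself
    # (the fix). Assumption: with a port given, only replies sent from that
    # backend port are marked, instead of all TCP from the address.
    add_once "OUTPUT -s $ip -p tcp${port:+ --sport $port} -j DIVERT"

    # Policy routing: marked packets are delivered locally via table 100.
    echo "ip rule show | grep -q 'fwmark 0x1 lookup 100' || ip rule add fwmark 1 lookup 100"
    echo 'ip route replace local 0.0.0.0/0 dev lo table 100'
}

# Constructed sample call using server2's backend address from the thread.
tproxy_rules 192.168.20.10 9001
```

The OUTPUT rule is host-specific: each box passes its own backend address, and the thread's fix used 192.168.20.10.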


Re: HAProxy and backend on the same box

2015-11-16 Thread jaleel
Hello All,

Need help regarding the iptables

For the packet coming from network, I set the iptables as following

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

For the packet generated locally, I think I need to set the mangle table in
OUTPUT chain so that HAProxy will capture locally generated packet as well.

How do I create the OUTPUT chain mangle table?

Regards,
-Abdul jaleel K

On Fri, Nov 13, 2015 at 1:12 PM, Aleksandar Lazic <al-hapr...@none.at>
wrote:

> Hi.
>
> But do you really think this is a haproxy Problem?
>
> On 13-11-2015 08:38, Aleksandar Lazic wrote:
>
>> On 13-11-2015 06:14, jaleel wrote:
>>
>>> It works if HAProxy and backend are in different box, but when both are
>>> in same box it didn't work
>>>
>>
>> Maybe because the iptables rule is different from 'localhost' than
>> from external.
>>
>> Please take a look at the picture
>>
>>
>> https://ixquick-proxy.com/do/spg/show_picture.pl?l=english=1=http%3A%2F%2Ferlerobotics.gitbooks.io%2Ferle-robotics-introduction-to-linux-networking%2Fcontent%2Fsecurity%2Fimg9%2Fiptables.gif=5ac7f7d4aa8327c04f456b9db2362108
>>
>
> or this one
>
> http://inai.de/images/nf-packet-flow.png
>
> from this site
>
>
> http://serverfault.com/questions/345111/iptables-target-to-route-packet-to-specific-interface
>
>
> and the document for this Picture.
>>
>>
>> https://erlerobotics.gitbooks.io/erle-robotics-introduction-to-linux-networking/content/security/introduction_to_iptables.html
>>
>> I think you should add some lines into the postrouting table
>>
>> BR Aleks
>>
>> On Fri, Nov 13, 2015 at 1:56 AM, Igor Cicimov
>>> <ig...@encompasscorporation.com> wrote:
>>>
>>> On 13/11/2015 1:04 AM, "jaleel" <abduljal...@gmail.com> wrote:
>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>> I am trying to setup the following for deployment
>>>>>
>>>>> I have 2 servers.
>>>>> server1: eth0:10.200.2.211 (255.255.252.0)
>>>>> eth1: 192.168.10.10 (255.255.255.0)
>>>>> server2: eth0: 10.200.2.242 (255.255.252.0)
>>>>> eth1: 192.168.20.10 (255.255.255.0)
>>>>>
>>>>> VRRP between server1 and server2 eth0. VRIP is 10.200.3.84
>>>>>
>>>>>
>>>>> my haproxy config:
>>>>> --
>>>>> listen  ingress_traffic 10.200.3.84:7000
>>>>> mode tcp
>>>>> source 0.0.0.0 usesrc clientip
>>>>> balance roundrobin
>>>>> server server1 192.168.10.10:9001
>>>>> server server2 192.168.20.10:9001
>>>>>
>>>>> Iptables:
>>>>> ---
>>>>> iptables -t mangle -N DIVERT
>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>>
>>>>> ip rule add fwmark 1 lookup 100
>>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>>
>>>>>
>>>>> Now 10.200.2.211 is the master and owns VRIP 10.200.3.84
>>>>>
>>>>> When traffic comes to 10.200.3.84:7000, the routing to server2
>>>>> is successful and end-to-end communication is fine. But the response
>>>>> from server1 (192.168.10.10:9001) is not reaching HAProxy.
>>>>>
>>>>> I cannot have 3rd box for HAProxy alone.
>>>>>
>>>>> Any suggestions
>>>>>
>>>>> Thank you
>>>>> -Abdul Jaleel
>>>>>
>>>>
>>>> The backends need to have haproxy set as gateway.
>>>>
>>>
>>>
>>


Re: HAProxy and backend on the same box

2015-11-13 Thread jaleel
On Fri, Nov 13, 2015 at 1:12 PM, Aleksandar Lazic <al-hapr...@none.at>
wrote:

> Hi.
>
> But do you really think this is a haproxy Problem?
>
> On 13-11-2015 08:38, Aleksandar Lazic wrote:
>
>> On 13-11-2015 06:14, jaleel wrote:
>>
>>> It works if HAProxy and backend are in different box, but when both are
>>> in same box it didn't work
>>>
>>
>> Maybe because the iptables rule is different from 'localhost' than
>> from external.
>>
>

> Abdul Jaleel: Yes, looks so. Let me explore the iptables
>>
>

> Please take a look at the picture
>>
>>
>> https://ixquick-proxy.com/do/spg/show_picture.pl?l=english=1=http%3A%2F%2Ferlerobotics.gitbooks.io%2Ferle-robotics-introduction-to-linux-networking%2Fcontent%2Fsecurity%2Fimg9%2Fiptables.gif=5ac7f7d4aa8327c04f456b9db2362108
>>
>
> or this one
>
> http://inai.de/images/nf-packet-flow.png
>
> from this site
>
>
> http://serverfault.com/questions/345111/iptables-target-to-route-packet-to-specific-interface
>
>
> and the document for this Picture.
>>
>>
>> https://erlerobotics.gitbooks.io/erle-robotics-introduction-to-linux-networking/content/security/introduction_to_iptables.html
>>
>> I think you should add some lines into the postrouting table
>>
>> BR Aleks
>>
>> On Fri, Nov 13, 2015 at 1:56 AM, Igor Cicimov
>>> <ig...@encompasscorporation.com> wrote:
>>>
>>> On 13/11/2015 1:04 AM, "jaleel" <abduljal...@gmail.com> wrote:
>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>> I am trying to setup the following for deployment
>>>>>
>>>>> I have 2 servers.
>>>>> server1: eth0:10.200.2.211 (255.255.252.0)
>>>>> eth1: 192.168.10.10 (255.255.255.0)
>>>>> server2: eth0: 10.200.2.242 (255.255.252.0)
>>>>> eth1: 192.168.20.10 (255.255.255.0)
>>>>>
>>>>> VRRP between server1 and server2 eth0. VRIP is 10.200.3.84
>>>>>
>>>>>
>>>>> my haproxy config:
>>>>> --
>>>>> listen  ingress_traffic 10.200.3.84:7000
>>>>> mode tcp
>>>>> source 0.0.0.0 usesrc clientip
>>>>> balance roundrobin
>>>>> server server1 192.168.10.10:9001
>>>>> server server2 192.168.20.10:9001
>>>>>
>>>>> Iptables:
>>>>> ---
>>>>> iptables -t mangle -N DIVERT
>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>>
>>>>> ip rule add fwmark 1 lookup 100
>>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>>
>>>>>
>>>>> Now 10.200.2.211 is the master and owns VRIP 10.200.3.84
>>>>>
>>>>> When traffic comes to 10.200.3.84:7000, the routing to server2
>>>>> is successful and end-to-end communication is fine. But the response
>>>>> from server1 (192.168.10.10:9001) is not reaching HAProxy.
>>>>>
>>>>> I cannot have 3rd box for HAProxy alone.
>>>>>
>>>>> Any suggestions
>>>>>
>>>>> Thank you
>>>>> -Abdul Jaleel
>>>>>
>>>>
>>>> The backends need to have haproxy set as gateway.
>>>>
>>>
>>>
>>


HAProxy and backend on the same box

2015-11-12 Thread jaleel
Hello,

I am trying to setup the following for deployment

I have 2 servers.
server1: eth0:10.200.2.211 (255.255.252.0)
eth1: 192.168.10.10 (255.255.255.0)
server2: eth0: 10.200.2.242 (255.255.252.0)
eth1: 192.168.20.10 (255.255.255.0)

VRRP between server1 and server2 eth0. VRIP is 10.200.3.84


my haproxy config:
--
listen  ingress_traffic 10.200.3.84:7000
mode tcp
source 0.0.0.0 usesrc clientip
balance roundrobin
server server1 192.168.10.10:9001
server server2 192.168.20.10:9001

Iptables:
---
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100


Now 10.200.2.211 is the master and owns VRIP 10.200.3.84

When traffic comes to 10.200.3.84:7000, the routing to server2 is
successful and end-to-end communication is fine. But the response from
server1 (192.168.10.10:9001) is not reaching HAProxy.

I cannot have 3rd box for HAProxy alone.

Any suggestions

Thank you
-Abdul Jaleel


Re: HAProxy and backend on the same box

2015-11-12 Thread jaleel
It works if HAProxy and backend are in different box, but when both are in
same box it didn't work

On Fri, Nov 13, 2015 at 1:56 AM, Igor Cicimov <
ig...@encompasscorporation.com> wrote:

>
> On 13/11/2015 1:04 AM, "jaleel" <abduljal...@gmail.com> wrote:
> >
> > Hello,
> >
> > I am trying to setup the following for deployment
> >
> > I have 2 servers.
> > server1: eth0:10.200.2.211 (255.255.252.0)
> > eth1: 192.168.10.10 (255.255.255.0)
> > server2: eth0: 10.200.2.242 (255.255.252.0)
> > eth1: 192.168.20.10 (255.255.255.0)
> >
> > VRRP between server1 and server2 eth0. VRIP is 10.200.3.84
> >
> >
> > my haproxy config:
> > --
> > listen  ingress_traffic 10.200.3.84:7000
> > mode tcp
> > source 0.0.0.0 usesrc clientip
> > balance roundrobin
> > server server1 192.168.10.10:9001
> > server server2 192.168.20.10:9001
> >
> > Iptables:
> > ---
> > iptables -t mangle -N DIVERT
> > iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> > iptables -t mangle -A DIVERT -j MARK --set-mark 1
> > iptables -t mangle -A DIVERT -j ACCEPT
> >
> > ip rule add fwmark 1 lookup 100
> > ip route add local 0.0.0.0/0 dev lo table 100
> >
> >
> > Now 10.200.2.211 is the master and owns VRIP 10.200.3.84
> >
> > When traffic comes to 10.200.3.84:7000, the routing to server2 is
> > successful and end-to-end communication is fine. But the response from
> > server1 (192.168.10.10:9001) is not reaching HAProxy.
> >
> > I cannot have 3rd box for HAProxy alone.
> >
> > Any suggestions
> >
> > Thank you
> > -Abdul Jaleel
> >
> >
> The backends need to have haproxy set as gateway.
>
>