Mailing List Archive: [lvs-users] LVS and Nat question

[lvs-users] LVS and Nat question

Oct 23, 2012, 5:49 PM

Post #1 of 13 (4584 views)

I have been search and searching and I can't seem to solve my issue.

I have two load balancers that have real IP's that resolve to the domain
name. I then have real servers that have internal IP's and want the
traffic to go through the Load Balancers and send requests to the Web
Servers and then return a response to the client.

I can see the pulse going to the Web Servers, but I cannot get any traffic
coming in to the load balancers.

Below is my configuration. Do I have this configured correctly or not? If
not, please guide me in fixing this. I know lots of people have been
doing this, so it shouldn't be as complicated as I am making it.

The system is CentOS 6.3. When I try to hit the real ip, it acts as if
nothing is listening. Do I need something in front of the load balancer
or should NAT take care of that.

I would assume that traffic hits the Internet IP, traffic gets inspected
and then routed properly. I know nothing is currently listening on port
80, but shouldn't NAT just forward where it should go?

Having said all that, here is the configuration:

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp
dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp
dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp
dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp
dpt:servistaitsm
ACCEPT tcp -- anywhere anywhere state NEW tcp
dpt:apertus-ldp
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.0.30 tcp dpt:http
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3636 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 539 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.0.30/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

cat /etc/sysconfig/ha/lvs.cf
serial_no = 42
primary = 98.190.148.186
service = lvs
backup_active = 0
backup = 98.190.148.191
heartbeat = 1
heartbeat_port = 539
keepalive = 6
deadtime = 18
network = nat
nat_router = 192.168.0.30 eth1:1
nat_nmask = 255.255.255.255
debug_level = NONE
monitor_links = 1
syncdaemon = 1
syncd_iface = eth0
syncd_id = 0
virtual WWW {
active = 1
address = 192.168.0.30 eth1:1
vip_nmask = 255.255.255.255
port = 80
send = "GET / HTTP/1.0\r\n\r\n"
expect = "HTTP"
use_regex = 0
load_monitor = none
scheduler = wlc
protocol = tcp
timeout = 6
reentry = 15
quiesce_server = 0
server Web_Server_1 {
address = 192.168.0.121
active = 1
weight = 1
}
server Web_Server_2 {
address = 192.168.0.122
active = 1
weight = 1
}
}
virtual FTP {
active = 0
address = 192.168.0.35 eth1:2
vip_nmask = 255.255.255.255
port = 21
send = "GET / HTTP/1.0\r\n\r\n"
expect = "HTTP"
use_regex = 0
load_monitor = none
scheduler = wlc
protocol = tcp
timeout = 6
reentry = 15
quiesce_server = 0
}

cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 539 -j ACCEPT
-A FORWARD -d 192.168.0.30/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

ifconfig
eth0 Link encap:Ethernet HWaddr 00:02:B3:EA:6A:02
inet addr:98.190.148.186 Bcast:98.190.148.191
Mask:255.255.255.240
inet6 addr: fe80::202:b3ff:feea:6a02/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:119099 errors:0 dropped:0 overruns:0 frame:0
TX packets:100813 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:19788044 (18.8 MiB) TX bytes:54455227 (51.9 MiB)

eth1 Link encap:Ethernet HWaddr 00:02:B3:EA:69:70
inet addr:192.168.0.8 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::202:b3ff:feea:6970/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:197713 errors:0 dropped:0 overruns:0 frame:0
TX packets:275117 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:26729362 (25.4 MiB) TX bytes:19494242 (18.5 MiB)

eth1:1 Link encap:Ethernet HWaddr 00:02:B3:EA:69:70
inet addr:192.168.0.30 Bcast:192.168.0.30 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:294500513 errors:0 dropped:0 overruns:0 frame:0
TX packets:294500513 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2909378118 (2.7 GiB) TX bytes:2909378118 (2.7 GiB)

cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
#net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456

[root@lb1 ~]# ipvsadm -L
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.120:http wlc
-> 192.168.0.121:http Masq 1 0 0
-> 192.168.0.122:http Masq 1 0 0

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users