Mailing List Archive

[lvs-users] Packets Not Reaching Real Server
Hi Everyone,

I am trying to learn LVS and have created the setup below (better
formatting at Server Fault http://serverfault.com/questions/816026/lvs-load-balancer-not-getting-response).
The LVS setup seems correct, but it
appears that the connections never make it to the real server, even though
traffic is being sent from the director. I am under the impression that no
iptables rules are required since the real server is added with
masquerade. Is this incorrect? I have read through the HOWTO multiple
times but am not clear on what is needed.

**Director Host**

root@ip-172-31-16-196:/home/ubuntu# cat /proc/sys/net/ipv4/ip_forward
1

root@ip-172-31-16-196:/home/ubuntu# ifconfig
eth0 Link encap:Ethernet HWaddr 06:a0:5b:48:1b:f5
inet addr:172.31.16.196 Bcast:172.31.31.255
Mask:255.255.240.0
inet6 addr: fe80::4a0:5bff:fe48:1bf5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:4211 errors:0 dropped:0 overruns:0 frame:0
TX packets:3692 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:416625 (416.6 KB) TX bytes:406446 (406.4 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:173 errors:0 dropped:0 overruns:0 frame:0
TX packets:173 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:12776 (12.7 KB) TX bytes:12776 (12.7 KB)

root@ip-172-31-16-196:/home/ubuntu# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 172.31.16.196:80 rr
-> 172.31.16.195:80 Masq 1 0 0

root@ip-172-31-16-196:/home/ubuntu# ipvsadm -Ln --stats
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Conns InPkts OutPkts InBytes OutBytes
-> RemoteAddress:Port
TCP 172.31.16.196:80 23 122 0 6436 0
-> 172.31.16.195:80 23 122 0 6436 0

root@ip-172-31-16-196:/home/ubuntu# curl 172.31.16.195 -vv
* Rebuilt URL to: 172.31.16.195/
* Trying 172.31.16.195...
* Connected to 172.31.16.195 (172.31.16.195) port 80 (#0)
> GET / HTTP/1.1
> Host: 172.31.16.195
> User-Agent: curl/7.47.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: SimpleHTTP/0.6 Python/2.7.12
< Date: Mon, 21 Nov 2016 04:59:04 GMT
< Content-type: text/html
< Content-Length: 26
< Last-Modified: Mon, 21 Nov 2016 00:58:21 GMT
<
From server 172.31.16.195
* Closing connection 0

# Show the public IP of this host
root@ip-172-31-16-196:/home/ubuntu# wget http://ipinfo.io/ip -qO -
52.15.105.107

**Backend Server**

root@ip-172-31-16-195:/home/ubuntu# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
2444/python
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
1221/sshd
tcp6 0 0 :::22 :::* LISTEN
1221/sshd

root@ip-172-31-16-195:/home/ubuntu# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

**From Remote Client**

# Hitting the public IP
$ curl -vvv http://52.15.105.107/
* Trying 52.15.105.107...
* Connected to 52.15.105.107 (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 52.15.105.107
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 504 Gateway Time-out
< Server: ScanSafe
< Mime-Version: 1.0
< Date: Mon, 21 Nov 2016 05:40:50 GMT
< Content-Type: text/html
< Content-Length: 1664
< X-ScanSafe-Error: ERR_CONNECT_FAIL 110
< Keep-Alive: 60
< Via: HTTP/1.1 proxy10829
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] Packets Not Reaching Real Server [ In reply to ]
Usually for MASQ/NAT mode the real server would be in a different
subnet with the LVS server set as the default gateway.

If you want to do one-arm i.e. same subnet MASQ then the test client
needs to be in a separate subnet OR you need to have special routing
rules on the real (backend) server.





On 21 November 2016 at 18:26, Nick Leli <nicholasleli@gmail.com> wrote:

--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)330 380 1064
http://www.loadbalancer.org/

Re: [lvs-users] Packets Not Reaching Real Server [ In reply to ]
Thanks Malcolm. So in this scenario, the client is in a different subnet;
it's coming from the public Internet. I am looking for the easiest route
to get something running so any logical recommendations are greatly
appreciated. Here is the current topology:

my laptop, connected to public internet
|
|
|
V
LVS host in AWS with public IP
|
|
|
V
Real server in AWS within same VPC/subnet

What routing rules are needed on the backend server to get this to at least
work in this simple setup? Are iptables rules still required to masquerade
on eth0 or do you need to permanently change the routes?

On Mon, Nov 21, 2016 at 10:53 AM, Malcolm Turnbull <malcolm@loadbalancer.org> wrote:
Re: [lvs-users] Packets Not Reaching Real Server [ In reply to ]
Nick,

AWS is a good place to use a one-arm NAT configuration (because all
the clients are usually remote).

As long as the real server has the default gateway set as the load
balancer it should be fine?




On 21 November 2016 at 19:13, Nick Leli <nicholasleli@gmail.com> wrote:

--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)330 380 1064
http://www.loadbalancer.org/

Re: [lvs-users] Packets Not Reaching Real Server [ In reply to ]
Nick,

Actually I lied... I just remembered that you will need to disable
the source and destination checks on the load balancer:

https://loadbalancer.org/uk/blog/transparent-load-balancing-with-haproxy-on-amazon-ec2

• Disable the source / Destination check on the instance in AWS. To do
this go to the EC2 console and select your load balancer instance.
Then select “Actions > Network > Change source/Dest. check” and
Disable this option. Doing so enables the instance to receive traffic
which has a destination IP it does not own.



On 21 November 2016 at 19:49, Malcolm Turnbull <malcolm@loadbalancer.org> wrote:

--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)330 380 1064
http://www.loadbalancer.org/
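The two changes the replies above call for (real server's default gateway set to the director, and the EC2 source/destination check disabled on the director instance), as an added example that is not code from the thread, from LVS or from loadbalancer.org: a POSIX sh script that checks both conditions from `ip route show` and `aws ec2 describe-instance-attribute` output and prints the commands to apply. It uses the addresses from the post (director/VIP 172.31.16.196, real server 172.31.16.195); the instance ID i-0123456789abcdef0, the routing tables and the AWS CLI JSON are constructed sample data, not captured from the poster's hosts. The `--no-source-dest-check` and `--attribute sourceDestCheck` options are real `aws ec2 modify-instance-attribute` / `describe-instance-attribute` flags.

```shell
#!/bin/sh
# Added example, not from the thread, LVS or loadbalancer.org.
# Director/VIP and real server addresses are the posted ones; the instance ID,
# routing tables and AWS CLI output below are constructed sample data.

DIRECTOR_IP="172.31.16.196"              # LVS director, also the VIP
RIP="172.31.16.195"                      # real server
DIRECTOR_INSTANCE="i-0123456789abcdef0"  # placeholder EC2 instance ID

# Constructed `ip route show` output on the real server. With the default
# route at the VPC router, replies to remote clients never pass back through
# the director, so IPVS cannot rewrite RIP back to the VIP; that is what the
# posted stats (InPkts counted, OutPkts 0) look like.
ROUTES_BEFORE="default via 172.31.16.1 dev eth0
172.31.16.0/20 dev eth0 proto kernel scope link src ${RIP}"
ROUTES_AFTER="default via ${DIRECTOR_IP} dev eth0
172.31.16.0/20 dev eth0 proto kernel scope link src ${RIP}"

# Constructed output of:
#   aws ec2 describe-instance-attribute --instance-id ID --attribute sourceDestCheck
ATTR_ENABLED='{ "InstanceId": "i-0123456789abcdef0", "SourceDestCheck": { "Value": true } }'
ATTR_DISABLED='{ "InstanceId": "i-0123456789abcdef0", "SourceDestCheck": { "Value": false } }'

# default_gateway ROUTES: print the next hop of the default route (empty if none)
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# replies_via_director ROUTES: true only if the real server's default route
# sends return traffic through the director, where IPVS un-NATs it
replies_via_director() {
    [ "$(default_gateway "$1")" = "$DIRECTOR_IP" ]
}

# source_dest_check_disabled ATTR_JSON: true if EC2 will deliver packets to the
# director whose source or destination IP the director does not own
source_dest_check_disabled() {
    printf '%s' "$1" | grep -q '"Value": *false'
}

# fix_commands: print (do not run) the changes needed on each side; they need
# root on the real server and EC2 permissions for the director's instance
fix_commands() {
    cat <<EOF
# on the real server ${RIP}: route replies back through the director
ip route replace default via ${DIRECTOR_IP} dev eth0
# on the director: NAT virtual service as in the posted ipvsadm -Ln output
ipvsadm -A -t ${DIRECTOR_IP}:80 -s rr
ipvsadm -a -t ${DIRECTOR_IP}:80 -r ${RIP}:80 -m
# on the director's EC2 instance: stop EC2 filtering forwarded packets
aws ec2 modify-instance-attribute --instance-id ${DIRECTOR_INSTANCE} --no-source-dest-check
EOF
}

# check_setup ROUTES ATTR_JSON: one verdict per condition; exit 0 if both hold
check_setup() {
    ok=0
    if replies_via_director "$1"; then
        echo "OK   real server default gateway is the director ($DIRECTOR_IP)"
    else
        echo "FAIL real server default gateway is '$(default_gateway "$1")', replies bypass the director"
        ok=1
    fi
    if source_dest_check_disabled "$2"; then
        echo "OK   source/dest check disabled on the director instance"
    else
        echo "FAIL source/dest check still enabled on the director instance"
        ok=1
    fi
    return $ok
}

echo "== as posted =="
check_setup "$ROUTES_BEFORE" "$ATTR_ENABLED" || fix_commands
echo "== after the fix =="
check_setup "$ROUTES_AFTER" "$ATTR_DISABLED"
```

Two caveats once the real server's default route is the director: every outbound packet from the real server now crosses the director, so the director needs ip_forward=1 (already set in the post) and an iptables MASQUERADE rule in the nat POSTROUTING chain if the real server must reach the Internet on its own; the LVS reply path itself needs no iptables rule, IPVS rewrites it. And, as Malcolm notes, the test client must sit outside the real server's subnet, otherwise the real server answers it directly and bypasses the director even with the route in place. After the change, `ipvsadm -Ln --stats` should show OutPkts climbing alongside InPkts.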
