Mailing List Archive

[lvs-users] Curl request from linux director to the virtual ip address times out
I have a pretty simple setup for 2 real servers getting direct routing from
a linux director.
[image: unnamed.png]
Things work great for clients outside of the network (like from my local
machine), but if I try to make a request (through curl) to the VIP from the
Linux Director machine, I get a timeout & no requests make it to the Real
Server.

Any pointers?

Thank you!
--
Viktor Nonov
Software Engineer
Re: [lvs-users] Curl request from linux director to the virtual ip address times out
Hello,

On Wed, 8 Aug 2018, Viktor Nonov wrote:

> I have a pretty simple setup for 2 real servers getting direct routing from
> a linux director.
> [image: unnamed.png]
> Things work great for clients outside of the network (like from my local
> machine), but if I try to make a request (through curl) to the VIP from the
> Linux Director machine, I get a timeout & no requests make it to the Real
> Server.
>
> Any pointers?

Probably because VIP is used as source IP in director. Try
ip route replace local $VIP dev $DEV proto kernel scope host src $DIP

where VIP is your virtual IP and DIP is your unique IP in director.
Before that you can see the route that is to be replaced with
ip route list table local

Regards

--
Julian Anastasov <ja@ssi.bg>

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] Curl request from linux director to the virtual ip address times out
Hello Julian,

Your answer helped me solve the problem:

Since the box has its public facing interface setup with $DIP and an alias
interface for the $VIP I needed to make one more additional setting shown
below.

Replacing the route enabled successfully sending and delivering the SYN
packet to one of the real servers, but the SYN-ACK packet that was received
was considered by the kernel a martian packet since the source IP was $VIP
(assigned to the director's local interface) and destination IP - the $DIP.
This was solved by setting accept_local to 1:
sysctl -w net.ipv4.conf.all.accept_local=1

So in summary:
ip route replace local $VIP dev $DEV proto kernel scope host src $DIP
sysctl -w net.ipv4.conf.all.accept_local=1

Not sure if setting accept_local to 1 will lead to other problems, but
everything works okay for now.

Thanks for your help,
Viktor

On Wed, Aug 8, 2018 at 10:33 PM Julian Anastasov <ja@ssi.bg> wrote:

>
> Hello,
>
> On Wed, 8 Aug 2018, Viktor Nonov wrote:
>
> > I have a pretty simple setup for 2 real servers getting direct routing
> from
> > a linux director.
> > [image: unnamed.png]
> > Things work great for clients outside of the network (like from my local
> > machine), but if I try to make a request (through curl) to the VIP from
> the
> > Linux Director machine, I get a timeout & no requests make it to the Real
> > Server.
> >
> > Any pointers?
>
> Probably because VIP is used as source IP in director. Try
> ip route replace local $VIP dev $DEV proto kernel scope host src $DIP
>
> where VIP is your virtual IP and DIP is your unique IP in director.
> Before that you can see the route that is to be replaced with
> ip route list table local
>
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>
>
--
Viktor Nonov
Software Engineer
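The check and the two-command fix from this exchange, written up as an added shell example (not code from the thread or from the LVS project). It parses the text of `ip route list table local` so it can be run against captured output as well as on a live director, decides whether the VIP's local route still sources from the VIP itself, and prints the `ip route replace` and `sysctl` commands without running them. The addresses, the interface name and the sample table are constructed placeholders.

```shell
#!/bin/sh
# Added example: diagnose the "director-originated SYN leaves with saddr == VIP"
# symptom from the text of `ip route list table local` and print the fix.
# VIP/DIP/DEV and the sample table are constructed (RFC 5737 addresses).

VIP="203.0.113.10"   # virtual IP (assumed)
DIP="203.0.113.5"    # director's own unique IP (assumed)
DEV="eth0"           # interface carrying both addresses (assumed)

# Constructed sample of `ip route list table local` on a director whose VIP
# was added as an alias after DIP: the kernel chose the VIP as its own src.
SAMPLE_LOCAL_TABLE='broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 203.0.113.5 dev eth0 proto kernel scope host src 203.0.113.5
local 203.0.113.10 dev eth0 proto kernel scope host src 203.0.113.10
broadcast 203.0.113.255 dev eth0 proto kernel scope link src 203.0.113.5'

# Print the src address the kernel will use for the "local" route of $2 in
# the table text $1; prints nothing if there is no such local entry.
local_route_src() {
  table="$1"; addr="$2"
  printf '%s\n' "$table" | awk -v a="$addr" '
    $1 == "local" && $2 == a {
      for (i = 3; i <= NF; i++) if ($i == "src") { print $(i + 1); exit }
    }'
}

# Returns 0 when the VIP's local route sources from anything other than DIP
# (the situation in the thread), 1 when it already uses DIP or is absent.
vip_route_needs_fix() {
  table="$1"; vip="$2"; dip="$3"
  src=$(local_route_src "$table" "$vip")
  [ -n "$src" ] && [ "$src" != "$dip" ]
}

# Emit (do not run) the two commands that resolved the problem in the thread.
fix_commands() {
  vip="$1"; dev="$2"; dip="$3"
  printf 'ip route replace local %s dev %s proto kernel scope host src %s\n' "$vip" "$dev" "$dip"
  printf 'sysctl -w net.ipv4.conf.all.accept_local=1\n'
}

# After the route fix the SYN-ACK comes back with saddr == VIP, a local
# address; the kernel logs it as a martian unless accept_local is 1.
# Takes the sysctl value as text (e.g. from `sysctl -n`) so it can be
# checked offline.
accept_local_enabled() {
  [ "$1" = "1" ]
}

main() {
  if vip_route_needs_fix "$SAMPLE_LOCAL_TABLE" "$VIP" "$DIP"; then
    echo "local route for $VIP sources from $(local_route_src "$SAMPLE_LOCAL_TABLE" "$VIP"); apply:"
    fix_commands "$VIP" "$DEV" "$DIP"
  else
    echo "local route for $VIP already sources from $DIP"
  fi
}

# Runs against the constructed sample; on a real director replace
# SAMPLE_LOCAL_TABLE with "$(ip route list table local)".
main
```

Running it on the sample prints the two commands from the thread; with a table whose VIP entry already ends in `src 203.0.113.5` it reports that no change is needed.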
Re: [lvs-users] Curl request from linux director to the virtual ip address times out
On 08/16/2018 11:47 AM, Viktor Nonov wrote:
> Replacing the route enabled successfully sending and delivering the SYN
> packet to one of the real servers, but the SYN-ACK packet that was received
> was considered by the kernel a martian packet since the source IP was $VIP
> (assigned to the director's local interface) and destination IP - the $DIP.
> This was solved by setting accept_local to 1:
> sysctl -w net.ipv4.conf.all.accept_local=1
>
> ....
> Not sure if setting accept_local to 1 will lead to other problems, but
> everything works okay for now.

I've been arguing with myself over the risk of setting accept_local to
1. Our operations staff would really like to be able to test connections
while ssh'd into the director, but the idea that Bad Guys could forge my
own IPs makes me uncomfortable. Does anyone have field experience with
this that they can share?

<csg>

Re: [lvs-users] Curl request from linux director to the virtual ip address times out
Hello,

On Thu, 16 Aug 2018, Viktor Nonov wrote:

> Hello Julian,
>
> Your answer helped me solve the problem:
>
> Since the box has its public facing interface setup with $DIP and an alias
> interface for the $VIP I needed to make one more additional setting shown
> below.
>
> Replacing the route enabled successfully sending and delivering the SYN
> packet to one of the real servers, but the SYN-ACK packet that was received
> was considered by the kernel a martian packet since the source IP was $VIP
> (assigned to the director's local interface) and destination IP - the $DIP.
> This was solved by setting accept_local to 1:
> sysctl -w net.ipv4.conf.all.accept_local=1

Yes, I forgot about that requirement.

> So in summary:
> ip route replace local $VIP dev $DEV proto kernel scope host src $DIP
> sysctl -w net.ipv4.conf.all.accept_local=1
>
> Not sure if setting accept_local to 1 will lead to other problems, but
> everything works okay for now.

The danger is for services like echo/7/udp (see /etc/services)
but anyways, such spoofing should be prevented in the uplink
router by dropping packets with saddr that matches your public
subnet and coming from external interface. If not possible,
all your machines on the LAN with public IP should have MAC
rules to filter such traffic when coming from router's MAC.
Still, if the router has IP from your subnet (that you use as
DEF GW IP) it should be allowed, at least for ARP traffic.

Regards

--
Julian Anastasov <ja@ssi.bg>
