Problems running LVS and IPTABLES


Post by Norbe » Sat, 04 Dec 2004 21:57:58

Hi folks,

I got a strange problem with LVS and IPTABLES. We want to
"load-balance" LDAP requests to our Netware servers. Because I can't
change the network layout and wouldn't change the default routes on
the Netware boxes, I tried the following. I think I must use the
NAT method with LVS, because otherwise (with DR/Tunneling) I will run
into the ARP problem, and I am not able to run the fix for the
ARP problem on Linux boxes on the Netware hosts.

----------------           ----------    ----------------
| 172.16.1.176 |  eth0 --> | switch | -- | 172.16.1.126 | <-- Nw-Srv1
----------------           ----------    ----------------
Linux box with :               |
kernel 2.4.28                  |
iptables 1.2.8                 |         ----------------
lvs with all modules           --------- | 172.16.1.127 | <-- Nw-Srv2
                                         ----------------

As you can see, all servers are on the subnet in the same
ip-address-range.

My script for starting the whole process looks like:
----------------------------------------------------

LDAP1=172.16.1.126
LDAP2=172.16.1.127
LVSIP=172.16.1.176

# First configure iptables
modprobe iptable_nat

# Flush all the rules in filter and nat tables
iptables --flush
iptables --table nat --flush

# Delete all chains that are not in default filter and nat table
iptables --delete-chain
iptables --table nat --delete-chain

# Allow IP-Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setup iptables
iptables -A POSTROUTING -t nat -s 0.0.0.0/0 -j MASQUERADE -d $LDAP1
iptables -A POSTROUTING -t nat -s 0.0.0.0/0 -j MASQUERADE -d $LDAP2

########
# I also tried (each rule on one line, so the commented-out
# alternative does not leave a stray "-j SNAT ..." line to be executed):
# iptables -t nat -A POSTROUTING -d $LDAP1 -p tcp --dport 389 -o eth0 -j SNAT --to-source $LVSIP
# iptables -t nat -A POSTROUTING -d $LDAP2 -p tcp --dport 389 -o eth0 -j SNAT --to-source $LVSIP
########

# Now start the LoadBalancer
ipvsadm -A -t $LVSIP:389 -s wrr
ipvsadm -a -t $LVSIP:389 -r $LDAP1 -m
ipvsadm -a -t $LVSIP:389 -r $LDAP2 -m

The outputs on the machine look like:

lvs# ipvsadm -Ln
IP Virtual Server version 1.0.12 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.1.176:389 wrr
  -> 172.16.1.126:389              Masq    1      0          0
  -> 172.16.1.127:389              Masq    1      0          0

lvs# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0.0/12         nwserv1
MASQUERADE  all  --  0.0.0.0.0/12         nwserv2

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

lvs# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The problem is that the source IP addresses are not changed by
iptables. On the Netware servers the IP packets arrive with the
source IP of my test client. The server sends the answer to this
machine, but this one drops all packets.

Maybe one of you has a good idea? It would help a lot ...

Thanks. Norbert.
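As an added illustration (not code from the post and not IPVS code), here is a constructed Python model of the packet flow the post describes: the director's inbound LVS-NAT rewrites only the destination and keeps the client's source address, so whether the client accepts the reply depends on whether that reply travels back through the director to be rewritten to the VIP. The test client address 172.16.1.10 and source port 40000 are assumed.

```python
"""Toy model of the LVS-NAT return-path problem described in the post.

Constructed model, not the poster's setup: it tracks only the
(src, sport, dst, dport) tuple of each packet.
"""
from dataclasses import dataclass

CLIENT, VIP, RS1 = "172.16.1.10", "172.16.1.176", "172.16.1.126"  # client assumed
LDAP = 389


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def director_in(pkt: Packet, real_server: str) -> Packet:
    """LVS-NAT (ipvsadm ... -m) on the inbound path: only the destination
    is rewritten to the chosen real server; the client's source is kept.
    This is why the Netware side sees the test client's address."""
    return Packet(pkt.src, pkt.sport, real_server, pkt.dport)


def director_out(pkt: Packet, vip: str) -> Packet:
    """Reverse translation the director applies to a reply that comes
    back through it: the real server's address becomes the VIP again."""
    return Packet(vip, pkt.sport, pkt.dst, pkt.dport)


def real_server_reply(pkt: Packet) -> Packet:
    """The real server answers to whatever source address it received."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def client_accepts(reply: Packet, expected_peer: str, port: int) -> bool:
    """A TCP stack matches a reply against the socket it opened; a reply
    from an address:port it never contacted has no socket and is dropped."""
    return (reply.src, reply.sport) == (expected_peer, port)


def run(reply_via_director: bool) -> bool:
    """Simulate one SYN from the client to the VIP and return whether
    the client accepts the real server's reply."""
    syn = Packet(CLIENT, 40000, VIP, LDAP)
    at_rs = director_in(syn, RS1)
    reply = real_server_reply(at_rs)
    if reply_via_director:  # real server's route back leads via the director
        reply = director_out(reply, VIP)
    return client_accepts(reply, VIP, LDAP)
```

With the real servers on the same subnet as the client and their default route not pointing at the director, the reply takes the `run(False)` path and is dropped, matching the observed behaviour.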