LVS + Netfilter
Cristiano Paris
c.paris@libero.it
Sat, 13 Oct 2001 00:25:10 +0200 (CEST)
Hi everyone,
I'm curious about the interactions between netfilter subsystem and Linux
Virtual Server scheduler.
I've recently set up a NAT-LVS on a gateway. The web cluster is configured
to act as a unique proxy server for clients on the same LAN (i.e. gateway,
clients and proxies are on the same LAN).
The iptables rules on the gateway were:

    iptables -A INPUT -d xxx.xxx.xxx.A -p tcp --dport 3128 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -t nat -A POSTROUTING -s xxx.xxx.xxx.B -d xxx.xxx.xxx.A -j SNAT --to-source xxx.xxx.xxx.A

where A ---> gateway and B ---> client. When I try to connect as:

    telnet any.host.outside.my.subnet 80

the packet is correctly redirected to one of my proxy servers in a round
robin fashion. Anyway, the source address remains the one of the client,
i.e. suppose C is the proxy, it sees the packet as:

    src=A,dst=C:80,syn

What I intended to do was to have the proxy see a packet like:

    src=B,dst=C:80,syn

so the packet goes back through the gateway and, thanks to the DNAT rules,
gets redirected back to the correct client.
Note that I don't want to use multiple addresses as DNAT rules bypassing
LVS, because LVS is more reliable: if a server goes down it gets replaced.
Please help me!
Cristiano