[PROB]: TP (iptables REDIRECT) on port 80, lvs, and squid
Ian C. Sison
Thu, 17 Jan 2002 23:40:57 +0800 (PHT)
On Thu, 17 Jan 2002, Joseph Mack wrote:
> "Ian C. Sison" wrote:
> OK I don't really know what I'm doing here. I'll make
> some guesses and hopefully I don't
> lead you too far astray. Maybe someone else can fix you up.
> > >> LVS is configured as the default route of a terminal server.
> > >> Naturally, LVS should implement transparent proxying via:
> do you know that transparent proxy for 2.4 kernels is different
> to TP for 2.2 kernels and the 2.4TP is incompatible with LVS?
> (It still works for squids, the main target TP, but they removed
> the functionality we needed). If you want the gory details start at
I read that but it offered no workaround in this case. Anyone here care
to offer a workaround?
> I'm not sure that the director needs TP anyhow to forward packets
> for squids. I think you just need regular forwarding. For a start
> you can just setup a regular port 80 forwarding LVS using rr.
> You can change to dh once you have it running. I expect the squids just
> look like regular port 80 realservers, except they answer to all IPs.
Methinks the scheduling algorithm has little bearing, because really, for
some reason, packets are not communicated properly to the RealServers no
matter the scheduling i use (even rr)
> >---- ipvsadm ------------------------------------
> > -A -f 3 -s dh
> > -a -f 3 -r 192.168.254.1:80 -g -w 1
> > -a -f 3 -r 192.168.254.2:80 -g -w 1
> > -a -f 3 -r 192.168.254.3:80 -g -w 1
> > -a -f 3 -r 192.168.254.4:80 -g -w 1
> > -A -t 220.127.116.11:80 -s dh
> > -a -t 18.104.22.168:80 -r 192.168.254.1:80 -g -w 1
> > -a -t 22.214.171.124:80 -r 192.168.254.2:80 -g -w 1
> > -a -t 126.96.36.199:80 -r 192.168.254.3:80 -g -w 1
> > -a -t 188.8.131.52:80 -r 192.168.254.4:80 -g -w 1
> > ---- ipvsadm ------------------------------------
> I can't see that the last 5 lines are getting you anything.
> You have already marked all packets to port 80 arriving
> on the director - these marked packets will be intercepted
> by the first rule.
Yup, i know that. It's a sign of desperation \8(
And despite these two overlapping rules, the packets still do not get
> > And true enough, if i:
> > telnet SQUID1 80, i get the response of the squid server.
> > telnet LVS 80, i get the response of one of the squid servers.
> > However if i pass a packet through LVS from another box who's default
> > gateway is the LVS box, i get a:
> > IPVS connection entries
> > pro expire state source virtual destination
> > TCP 00:57.49 SYN_RECV 184.108.40.206:32782 220.127.116.11:80 192.168.254.1:80
> > and it just stops there, at SYN_RECV.
> no idea why telnet goes and the other client doesn't. sorry
Oh my.. Anyone else on the list who could help me. Getting pretty