iptables: forwarding, masquerading, and high-availability
Bill Hayes
hayes at mail.ru
Wed Sep 8 21:16:23 CEST 2004
I have a problem trying to create a high availability firewall/router setup. Multiple servers on the internal network should be masqueraded to appear as a single server on the external network.
The simplest case that fails for me looks like this...
Configuration: SuSE 9.1 (linux 2.6.5, iptables 1.2.9, heartbeat 1.2.0)
firewall-1: eth0 = 192.168.1.1, eth1 = 10.1.1.1
firewall-2: eth0 = 192.168.1.2, eth1 = 10.1.1.2
          +--------+
          | server |
          +----+---+
               |
     +---------+---------+
     |        hub        |
     +-+---------------+-+
       |               |
 +-----+------+ +------+-----+
 | firewall-1 | | firewall-2 |
 +-----+------+ +------+-----+
       |               |
     +-+---------------+-+
     |        hub        |
     +---------+---------+
               |
           +---+----+
           | router |
           +---+----+
               |
If I configure my servers to use 192.168.1.1 as their gateway, and tell all my clients that 10.1.1.1 is my server, then everything works as desired.
On to high availability, I configure my servers to use 192.168.1.3 as their gateway, and tell all my clients that 10.1.1.3 is my server. I start heartbeat and soon my firewalls now look like...
firewall-1: eth0 = 192.168.1.1, eth0:1 = 192.168.1.3, eth1 = 10.1.1.1, eth1:1 = 10.1.1.3
firewall-2: eth0 = 192.168.1.2, eth1 = 10.1.1.2
Now, all my outgoing connections are established as before, but all the incoming connections fail with...
SFW2-INext-DROP-DEFLT
instead of succeeding with...
SFW2-FWDext-ACC-REVMASQ
I know that iptables treats virtual interfaces as if they are the underlying physical interface, thus eth1:1 should be eth1, and outgoing connections work, thus I have proof that eth0:1 is eth0, so what is happening? Why are the packets being dropped?
Thanks to anyone that can help,
Bill
wjh [at] sympatico [dot] ca
hayes [at] mail [dot] ru
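The post does not include the rule set SuSEfirewall2 generated for it, so as an added example (not from the post and not SuSEfirewall2's own output) here is a plain iptables rule set for the topology described, written so that both nodes carry identical rules and every NAT rule is keyed to the floating addresses (10.1.1.3 and 192.168.1.3) rather than to a node's own address. The addresses and interfaces come from the post; SERVER, SERVICE_PORT and the function names are assumptions. The check_rules function is the review step a practitioner would want when a connection lands in the default external drop rule instead of the reverse-masquerade rule: confirm with iptables -t nat -L -n -v that the DNAT/SNAT rules reference the floating address, because a rule matching 10.1.1.1 will never see traffic addressed to 10.1.1.3.

```shell
#!/bin/sh
# Added example (not from the post, not SuSEfirewall2's generated rules):
# a plain iptables rule set for the two-firewall/heartbeat topology,
# expressed against the floating (heartbeat) addresses so that the
# standby node is correct the moment it takes the virtual IPs over.
# Addresses and interfaces are from the post; SERVER and SERVICE_PORT
# are assumed.

EXT_IF=eth1                 # external side, toward the router
INT_IF=eth0                 # internal side, toward the servers
EXT_VIP=10.1.1.3            # floating external address clients are told about
INT_VIP=192.168.1.3         # floating internal address the servers use as gateway
INT_NET=192.168.1.0/24
SERVER=192.168.1.10         # assumed: the internal server published behind EXT_VIP
SERVICE_PORT=80             # assumed: the published service

# build_rules prints one iptables command per line instead of executing
# them, so the rule set can be reviewed, diffed between the two nodes and
# checked on a host that has no iptables at all.
build_rules() {
    cat <<EOF
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_VIP -p tcp --dport $SERVICE_PORT -j DNAT --to-destination $SERVER
iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j SNAT --to-source $EXT_VIP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $SERVER -p tcp --dport $SERVICE_PORT -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -m state --state NEW -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP "
EOF
}

# check_rules is the review step: no NAT rule may reference a node-specific
# address (10.1.1.1 or 10.1.1.2), and both the DNAT and the SNAT rule must
# reference the floating external address. Returns 0 when that holds.
check_rules() {
    build_rules | grep -E 'SNAT|DNAT' | grep -qE '10\.1\.1\.[12]( |$)' && return 1
    build_rules | grep -q -- "--to-source $EXT_VIP" || return 1
    build_rules | grep -q -- "-d $EXT_VIP .*-j DNAT" || return 1
    return 0
}

# apply_rules executes the rule set; only meaningful as root on a firewall node.
apply_rules() {
    build_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    check) check_rules && echo "NAT rules are keyed to the floating addresses" ;;
    *)     build_rules ;;
esac
```

Run it with no argument to print the rule set, with check to run the review, and with apply (as root, on each node) to load it. Because the rules never mention 10.1.1.1 or 10.1.1.2, the same script can be installed on firewall-1 and firewall-2 unchanged; the only per-node difference is which node currently holds the virtual addresses.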