Re: [vserver] Loopback issues

From: Daniel Hokka Zakrisson <daniel_at_hozac.com>
Date: Fri 31 Aug 2007 - 05:46:01 BST
Message-ID: <46D79D09.2090105@hozac.com>

Jeff Williams wrote:
> Daniel Hokka Zakrisson wrote:
>> Jeff Williams wrote:
>>
>>> <snip>
>>> On a regular server, assigning 4.3.2.1 as an alias of the loopback
>>> interface allows the server to accept packets for 4.3.2.1 while not
>>> announcing that ip to the rest of the network. However, on the vserver
>>> host, because the host sees the 4.3.2.1 address, all traffic from other
>>> vservers (e.g. the web server) for the ip gets routed directly to the
>>> vserver rather than to the lb.
>>>
>>> I can't see any way around this. The lb sends a packet with mac address
>>> of the vserver host and the address 4.3.2.1. Therefore the host needs to
>>> be aware of the IP. However, once it is aware of the IP, it routes the
>>> traffic from all of the other vservers. Any ideas? I can only think of
>>> playing with iptables rules, but that doesn't seem like fun.
>>>
>> Seems to me like iptables -t nat -A PREROUTING -i ethX -d 4.3.2.1 -j DNAT
>> --to 1.2.3.4 should do the trick...
>>
>>
> Daniel,
>
> I added the rule:
>
> iptables -t nat -A PREROUTING -i eth0 -d 4.3.2.1 -j DNAT --to 1.2.3.5
>
> instead of assigning the 4.3.2.1 on the 1.2.3.5 vserver (1.2.3.5 is the
> mail server), and was also expecting it to work. And from external
> clients this works fine as before, however, now other vservers on the
> same host (i.e. 1.2.3.4) are unable to connect at all. I can't work out
> what is happening, so any help on debugging is appreciated. The
> following information I have:
>
> This is a tcpdump taken on the vserver host while I telnet from 1.2.3.4
> (web) to 4.3.2.1 (virtual mail) port 25:
>
> jupiter:~# tcpdump -i any host 1.2.3.4 -n
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

This could actually be important, use -nvvi eth0 host 4.3.2.1 instead.

> listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> 11:17:13.230410 IP 1.2.3.4.33268 > 4.3.2.1.25: S 1635195504:1635195504(0) win 5840 <mss 1460,sackOK,timestamp 196473426 0,nop,wscale 7>
> 11:17:13.230702 IP 1.2.3.4.33268 > 4.3.2.1.25: S 1635195504:1635195504(0) win 5840 <mss 1460,sackOK,timestamp 196473426 0,nop,wscale 7>
>
> If I check the iptables hit count for the DNAT rule (using the command
> below), I don't see any additional packets when telneting from 1.2.3.4,
> but I do see the packet count increase when telneting from external hosts.
>
> jupiter:~# iptables -L -v -t nat
> Chain PREROUTING (policy ACCEPT 19107 packets, 959K bytes)
> pkts bytes target prot opt in out source destination
> 10 901 DNAT 0 -- eth0 any anywhere 4.3.2.1 to:1.2.3.5
>
> On our router I see that the packets are flowing, so the traffic should
> definitely be going out of the vserver host and coming back in via eth0,
> however
>
> router>show ip cache flow | inc 4.3.2.1
> Gi0/0.1 1.2.3.4 Gi0/0.1 4.3.2.1 06 AC62 0019 2
>
>
> So I'm not sure where the packets are going. Anyone got any ideas?
>
> Regards,
> Jeff

So it would seem your load balancer doesn't support doing what you're
doing? Have you tried simply hooking up another machine to the same
network as the hosts and accessing the virtual IP?

-- 
Daniel Hokka Zakrisson
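The counter check Jeff does by hand above (run `iptables -L -v -t nat`, make a test connection, see whether the DNAT rule's packet count moved) is the kind of thing worth scripting when you are chasing which NAT rule, if any, a flow hits. The following Python is an added example, not code from this thread or from the vserver project: it parses the `iptables -L -v -t nat` listing, diffs two snapshots, and reports the rules whose packet counters grew. The two listings embedded below are constructed to mirror the thread's numbers; the `snapshot()` helper shells out to the real `iptables` (with `-x` for exact counters) and needs root.

```python
"""Snapshot and diff `iptables -L -v -t nat` counters to see which NAT
rule a test connection actually hit. Added example; the listings below are
constructed to match the DNAT 4.3.2.1 -> 1.2.3.5 rule from the thread."""
import re
import subprocess
from typing import Dict, List, Tuple

RuleList = List[dict]

_COUNTER = re.compile(r"^(\d+)([KMG]?)$")
_SCALE = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_counter(token: str) -> int:
    """iptables abbreviates large counters (959K, 12M) unless -x is given."""
    m = _COUNTER.match(token)
    if not m:
        raise ValueError("not a counter: %r" % token)
    return int(m.group(1)) * _SCALE[m.group(2)]


def parse_nat_table(text: str) -> Dict[str, RuleList]:
    """Parse `iptables -L -v -t nat` output into {chain: [rule, ...]}.

    pkts/bytes become ints; target prot opt in out source destination and
    any trailing extra (e.g. "to:1.2.3.5") stay strings. Assumes every rule
    has a target, i.e. the target column is never blank.
    """
    chains: Dict[str, RuleList] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        if line.startswith("pkts "):
            continue  # column header printed under each chain
        if current is None:
            raise ValueError("rule line before any chain header: %r" % line)
        cols = line.split(None, 8)  # index 8 = "destination [extra...]"
        if len(cols) < 9:
            raise ValueError("unexpected rule line: %r" % line)
        dest, _, extra = cols[8].partition(" ")
        chains[current].append({
            "pkts": parse_counter(cols[0]), "bytes": parse_counter(cols[1]),
            "target": cols[2], "prot": cols[3], "opt": cols[4],
            "in": cols[5], "out": cols[6], "source": cols[7],
            "destination": dest, "extra": extra.strip(),
        })
    return chains


def counter_deltas(before: Dict[str, RuleList],
                   after: Dict[str, RuleList]) -> List[Tuple[str, int, str, int]]:
    """Rules whose packet counter grew between two snapshots.

    Returns [(chain, rule_index, description, delta)]. Rule order must be
    the same in both snapshots (no rules added/removed in between)."""
    hits = []
    for chain, rules_after in after.items():
        rules_before = before.get(chain, [])
        for i, rule in enumerate(rules_after):
            prev = rules_before[i]["pkts"] if i < len(rules_before) else 0
            delta = rule["pkts"] - prev
            if delta > 0:
                desc = "%s %s -> %s in=%s %s" % (
                    rule["target"], rule["source"], rule["destination"],
                    rule["in"], rule["extra"])
                hits.append((chain, i, desc.strip(), delta))
    return hits


def snapshot() -> Dict[str, RuleList]:
    """Live snapshot of the nat table (needs root; -x gives exact counters)."""
    out = subprocess.run(["iptables", "-L", "-v", "-x", "-t", "nat"],
                         check=True, capture_output=True, text=True).stdout
    return parse_nat_table(out)


# Constructed listings mirroring the thread: DNAT rule at 10 packets, then
# one more packet after an external connection, none after an in-host one.
BEFORE = """\
Chain PREROUTING (policy ACCEPT 19107 packets, 959K bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   901 DNAT       0    --  eth0   any     anywhere             4.3.2.1             to:1.2.3.5

Chain POSTROUTING (policy ACCEPT 2345 packets, 160K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2345 packets, 160K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""
AFTER_EXTERNAL = BEFORE.replace("   10   901 DNAT", "   11   961 DNAT")
AFTER_INTERNAL = BEFORE  # counters unchanged, like the telnet from 1.2.3.4

if __name__ == "__main__":
    base = parse_nat_table(BEFORE)
    print("external:", counter_deltas(base, parse_nat_table(AFTER_EXTERNAL)))
    print("internal:", counter_deltas(base, parse_nat_table(AFTER_INTERNAL)))
```

In practice you call `snapshot()` before and after the test connection and pass the two results to `counter_deltas()`; an empty result for a chain you expected to match tells you the packet never traversed that hook, which narrows the search considerably faster than eyeballing the full listing.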
Received on Fri Aug 31 05:46:19 2007