Iptables – LVS Configuration issue (Using piranha Tool)

ip-routingiptablesload balancinglvstcpip

I have configured LVS on cent os using piranha tool .I am using vip of internal n/w as gateway for real server we have two NIC one having exteranl Ip and other for internal n/w which is on 192.168.3.0/24 network.

But I am not able to connect from client it shows connection refused
error

. Please suggest iptables rules for private n public n/w to communicate. May be I am missing this . Iptables rules that we have added are :

 iptables -t nat -A POSTROUTING -p tcp -s 192.168.3.0/24 --sport 5000 -j MASQUERADE

this is my ipconfig:

eth0      Link encap:Ethernet  HWaddr 00:00:E8:F6:74:DA 
          inet addr:122.166.233.133  Bcast:122.166.233.255  Mask:255.255.255.0
          inet6 addr: fe80::200:e8ff:fef6:74da/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:94433 errors:0 dropped:0 overruns:0 frame:0
          TX packets:130966 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9469972 (9.0 MiB)  TX bytes:19929308 (19.0 MiB)
          Interrupt:16 Base address:0x2000

eth0:1    Link encap:Ethernet  HWaddr 00:00:E8:F6:74:DA 
          inet addr:122.166.233.136  Bcast:122.166.233.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:16 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:E0:20:14:F9:2D 
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:20ff:fe14:f92d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:123718 errors:0 dropped:0 overruns:0 frame:0
          TX packets:148856 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18738556 (17.8 MiB)  TX bytes:11697153 (11.1 MiB)
          Interrupt:17 Memory:60000400-600004ff

eth1:1    Link encap:Ethernet  HWaddr 00:E0:20:14:F9:2D 
          inet addr:192.168.3.10  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:17 Memory:60000400-600004ff

eth2      Link encap:Ethernet  HWaddr 00:16:76:6E:D1:D2 
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:21 Base address:0xa500

and ipvsadm -ln command

[root@abts-kk-static-133 ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  122.166.233.136:5000 wlc
TCP  122.166.233.136:5004 wlc

lvs server routing table
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
122.166.233.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1004   0        0 eth1
0.0.0.0         122.166.233.1   0.0.0.0         UG    0      0        0 eth0

real 1

real 2

we have configured various ports from 5000:5008 .

Do we need to this iptables for all ports?

Suggest me how should I solve this issue.

Best Answer

First, you need to decide what type of LVS you want: NAT, TUN, or DR.

[packet-forwarding-method]

      -g, --gatewaying  Use gatewaying (direct routing). This is the default.

      -i, --ipip  Use ipip encapsulation (tunneling).

      -m, --masquerading  Use masquerading (network access translation, or NAT).

You appear to want NAT so you'll need -m options to ipvsadm for your real servers.

A test piranha config is available here:

http://www.linuxvirtualserver.org/docs/ha/piranha.html

Rather than manually configuring the NAT with your own iptables rule, you let ipvsadm do the NAT for you. Delete your iptables rule, and for that matter, delete the aliased interfaces you specify above ending in :1. That will greatly simplify things and get you on the right track.

Make sure your default gw on your real servers in 192.168.3.1. From the Director, try pinging each of your realservers and also try telnetting to the LVS port(s) which look to be 5000/5004. If all that is working, go back to your client and try telnetting to 5000/5004 on your VIP.

Related Solutions

Linux – Port forward + openVPN + iptables

Try these rules on your gateway:

-A PREROUTING -i $VPN_INTERFACE -p tcp -m tcp --dport 80 -j DNAT --to-destination $INTERNAL_IP_DESTINATION:80
-A POSTROUTING -o $VPN_INTERFACE -j SNAT --to-source $VPN_IP_OF_SERVER
-A POSTROUTING -o $LAN_INTERFACE -j SNAT --to-source $LAN_IP_OF_SERVER

1st. one makes the port forwarding.
2nd. makes the source nat so every packet comming out of the VPN uses the server IP
3rd. makes the packets forwarded to the internal IP, have the soure nat of the server lan ip

Linux – How to configure dual homed server in order for both network segments to communicate

There are two problems with this setup:

The hosts on LAN1 know nothing about the LAN2 segment. When you ping a host on LAN1 (let's call it host1) from SRV-02, the packet will be routed through SRV-01 and will reach host1. However, host1 will send the reply to it's default gateway (ISP router) as it doesn't have a specific route to LAN2. (The ISP router will either a) also send it to it's default gateway as it also doesn't know about LAN2, or b) drop the packet as it comes from an unknown source not it's local LAN.)
When trying to reach WAN from LAN2, the packets will be routed through SRV-02 to ISP router where two situations are possible:
- The router will not NAT translate the packet as the source of the packet (LAN2) is not it's local LAN (this is the more probable situation), or
- The router will NAT translate the packet and send it to the Internet. However, when the reply comes and the destination is translated back to the LAN2 address, the packet will not be delivered as the ISP router doesn't have a route for that network. The packet will be sent incorrectly to the default gateway (ISP).

These issues could be fixed by adding a static route to LAN2 to ISP router and adding a source NAT configuration for LAN2 on SRV-01. However, that is not possible due to no admin access to the ISP router.

There are two solutions that get around it:

A. Make SRV-01 a full router for LAN1 and LAN2 hosts

Add another network adapter to SRV-01 (making it 3 in total)
Change the topology as follows:

WAN -> ISP router -> LAN1 -> SRV-01 +-> LAN3 (for hosts originally in LAN1)
                                    +-> LAN2 -> SRV-02

Basically, we're making SRV-01 a router for both LAN segments.

This will require moving hosts originally in LAN1 to a new subnet LAN3 - let's say we use 10.0.1.0/24
The network configuration of SRV-01 will need to be changed as follows:

/etc/network/interfaces:

# LAN1 - to ISP router
auto eth0
iface eth0 inet dhcp
# we can even use dhcp as the IP address is not really important
# - there are no more hosts on LAN1 apart from ISP router and SRV-01

# LAN3 - for hosts originally in LAN1
iface eth1
    address 10.0.1.1
    netmask 255.255.255.0

# LAN2
iface eth2
    address 10.0.2.1
    netmask 255.255.255.0

iptables rules to make WAN access work:

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j MASQUERADE

Alternatively, if you choose to keep the static IP address on SRV-01 on eth0 the rules could be changed (although MASQUERADE would still work):

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.0/24 -j SNAT --to-source 192.168.5.8
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j SNAT --to-source 192.168.5.8

DHCP will need to be configured on SRV-01 on eth1 (LAN3, for hosts originally on LAN1), and possibly on eth2 (LAN2) as well if required. (In both cases the gateway will be the local address of eth1 or eth2 respectively, but that goes without saying :)

This will make communication possible between LAN3 and LAN2 (via SRV-01 which is the default gateway for both). WAN access will also work from both LAN3 and LAN2 thanks to the double source NAT.

B. Make SRV-01 a DHCP server for LAN1

This approach is not as clean as above but is slightly simpler. It assumes you are able to disable DHCP on ISP router

Disable DHCP on ISP router
Set up DHCP for LAN1 on SRV-01 and make SRV-01 (192.168.5.8) the default gateway for LAN1
Set up source NAT translation for LAN2 on SRV-01 so that the WAN access works from LAN2:

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 -d 192.168.5.4 -j SNAT --to-source 192.168.5.8
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 ! -d 192.168.5.0/24 -j SNAT --to-source 192.168.5.8

The first line enables SNAT so that LAN2 hosts can access the ISP router itself and the second line disables SNAT for LAN2-LAN1 access.

Again, this approach is not as clean as the one above as there are two routers in the same subnet (SRV-01, ISP router). When I used this approach myself I noticed my second router (SRV-01 in this scenario) would send ICMP redirects to the ISP router as it would see that the client (host on LAN1) and the upstream router (ISP router) are on the same LAN. This might not be desired as network policies implemented on SRV-01 could be circumvented.

Hope that helps.

Best Answer

Related Solutions

Linux – Port forward + openVPN + iptables

Linux – How to configure dual homed server in order for both network segments to communicate

Related Topic