On Thu, 4 Dec 2008, Dan Brown wrote:

>> the tunl device usually has the VIP
>
> Well I don't use the tunl0 device itself for anything but not having that up
> prevents me from having all of my tunl0:X (eg. tunl0:43 for say
> 216.94.145.43) aliases running, so I simply assigned it a non-useful IP.
> Assigning it the IP of eth0, or some arbitrary private LAN IP appears to
> have no effect on the availability of an IP as long as the tunl0 device is
> up so that the VIPs on the aliases work as well.

are you saying that you get it to work with an arbitrary IP on tunl0 and the
VIP on eth0:x?

>>> If I block everything except traffic to the server from the
>>> director I still get traffic through to the remote server.
>>
>> I have no idea what this means.
>
> Ok, so the LVS director runs a check on the following virtual IP setup via
> ldirectord.conf via the standard methods.
>
> # IP Address 216.94.145.43
> virtual=216.94.145.43:80
>         real=209.167.162.87:80 gate 1
>         real=216.94.137.194:80 ipip 5
>         persistent=3600
>         service=http
>         request=".lvs.html"
>         receive="Test Message"
>         scheduler=rr
>         protocol=tcp
>         checktype=negotiate
>
> If on the real server getting tunneled traffic I block traffic via
> ip(6)tables (on eth0)

are you running an ip(6) version of ip_vs()?

> to the IP address 216.94.145.43 for ANY IP address,

do you mean that you block packets to the VIP from 0/0 on eth0 on the
realserver?

> but leave the director seeing the real server as up itself,

I have no idea what this means

> I can still grab content off of the site on 216.94.145.43

do you mean the client can connect via LVS to the VIP on the realserver?

> as though the iptables rules didn't
> exist. Obviously this shouldn't happen.

why not?

> It works

what's it?

I'm giving up here. Please give me a post which explains the problem

Joe

> with LVS-DR because it's
> coming in through eth0 as-is (and lo:X holds the VIP for it). For LVS-TUN
> it's coming in encapsulated through eth0 to the appropriate tunl0:X alias so
> it doesn't seem appropriate to apply the iptables rules to tunl0.
>
> In this specific case I figured out a solution for a single IP by simply
> dropping the -i eth0 option. However, this would become a mess quickly for
> applying blanket rules across several subnets which is why it's been device
> specific previously. Should I instead be applying the filters on tunl0
> instead?
>
> ___________________________________________________
> Dan Brown
> [EMAIL PROTECTED]
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - [email protected]
> Send requests to [EMAIL PROTECTED]
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map generator at
http://www.wm7d.net/azproj.shtml Homepage http://www.austintek.com/ It's GNU/Linux!
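The filtering question at the end of Dan's post (rules with "-i eth0 -d VIP" not matching LVS-TUN traffic on the realserver) worked through as an added example. This is not code from either poster or from the LVS/ldirectord projects. It parses the ldirectord.conf fragment quoted above and, for each realserver, derives the interface an iptables INPUT rule must match to see client traffic addressed to the VIP. The mapping it assumes: with "gate" (LVS-DR) the client packet arrives on eth0 with destination VIP; with "ipip" (LVS-TUN) what arrives on eth0 is an IPIP packet (IP protocol 4) addressed to the realserver's own IP, and the inner packet with destination VIP is only seen, after decapsulation, with in-interface tunl0. Function names, the default of "gate" when a real= line omits the method, and the director address 192.0.2.1 are my own assumptions; the thread gives no director address.

```python
# Added example (not from the thread or from LVS/ldirectord). Assumption:
# a packet "to the VIP" reaches the realserver's INPUT chain on eth0 for
# gate (LVS-DR) but on tunl0 for ipip (LVS-TUN), because the IPIP outer
# packet on eth0 is addressed to the RIP and the inner packet only appears
# after decapsulation on tunl0. So "-i eth0 -d VIP" matches neither.
VIP_INPUT_IFACE = {"gate": "eth0", "ipip": "tunl0"}

# Sample input: the ldirectord.conf fragment Dan posted, with the
# indentation ldirectord expects for the per-service lines.
SAMPLE_CONF = """\
# IP Address 216.94.145.43
virtual=216.94.145.43:80
        real=209.167.162.87:80 gate 1
        real=216.94.137.194:80 ipip 5
        persistent=3600
        service=http
        request=".lvs.html"
        receive="Test Message"
        scheduler=rr
        protocol=tcp
        checktype=negotiate
"""


def parse_ldirectord(text):
    """Return virtual services as dicts: vip, port, reals=[{rip, port, method, weight}].

    Only virtual= and real= are interpreted; other per-service keys are skipped.
    Comments (# ...) and blank lines are ignored.
    """
    services = []
    cur = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "virtual":
            vip, _, port = value.rpartition(":")
            cur = {"vip": vip, "port": int(port), "reals": []}
            services.append(cur)
        elif key == "real":
            if cur is None:
                raise ValueError("real= line before any virtual= line")
            parts = value.split()
            if ":" in parts[0]:
                rip, _, rport = parts[0].rpartition(":")
                rport = int(rport)
            else:
                rip, rport = parts[0], cur["port"]  # no port given: use the VIP's
            method = parts[1] if len(parts) > 1 else "gate"  # assumption: gate default
            weight = int(parts[2]) if len(parts) > 2 else 1
            if method not in VIP_INPUT_IFACE:
                # masq (LVS-NAT) rewrites the destination to the RIP, so a
                # "-d VIP" rule on the realserver cannot apply; refuse it.
                raise ValueError("no VIP-based realserver rule for method %r" % method)
            cur["reals"].append(
                {"rip": rip, "port": rport, "method": method, "weight": weight})
    return services


def realserver_vip_rules(services, action="DROP"):
    """Map each RIP to the iptables INPUT rule that matches client traffic to
    the VIP as that realserver actually sees it (in-interface per method)."""
    rules = {}
    for svc in services:
        for r in svc["reals"]:
            iface = VIP_INPUT_IFACE[r["method"]]
            rules[r["rip"]] = ("iptables -A INPUT -i %s -p tcp -d %s --dport %d -j %s"
                               % (iface, svc["vip"], svc["port"], action))
    return rules


def ipip_outer_rules(services, director_ip):
    """For ipip realservers only: rules on eth0 against the *outer* IPIP packet
    (protocol 4), accepting it from the director and dropping it from anyone
    else, so that only the director can inject packets into tunl0.
    director_ip is hypothetical; the thread does not give it."""
    rules = {}
    for svc in services:
        for r in svc["reals"]:
            if r["method"] == "ipip":
                rules[r["rip"]] = [
                    "iptables -A INPUT -i eth0 -p 4 -s %s -j ACCEPT" % director_ip,
                    "iptables -A INPUT -i eth0 -p 4 -j DROP",
                ]
    return rules


if __name__ == "__main__":
    svcs = parse_ldirectord(SAMPLE_CONF)
    for rip, rule in realserver_vip_rules(svcs).items():
        print("# on realserver %s:\n%s" % (rip, rule))
    for rip, lines in ipip_outer_rules(svcs, "192.0.2.1").items():
        print("# on realserver %s (outer IPIP; director 192.0.2.1 is hypothetical):" % rip)
        print("\n".join(lines))
```

The generated rules only restate the interface question; whether dropping the VIP traffic on tunl0 also breaks the director's negotiate check depends on which path that check takes, which the thread does not settle.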
