What if we used routing tables to route all NEW (not related, not established) outbound connections to the public/VIPs via the 192.168.1.1 gateway (eg: non-LVS net for round-trip access to the front end of the LVS director), and use iptables to reply to all RELATED/ESTABLISHED connections on the interface by which they arrived?
I'm not great at iptables/iproute2, can someone comment on these rules or tell me if I've missed something:

  InternalNet IP:          192.168.1.104
  LVS-NAT IP:              192.168.2.104
  Network/Default Route:   192.168.2.100 (LVS Director)

ifcfg ip routes:

  default table InternalNet via 192.168.1.1
  default table main via 192.168.2.100          # implied default route - maybe don't need this
  123.123.123.64/26 via 192.168.1.1 dev eth1   # send public/LVS requests out the InternalNet gateway to the
                                               # front end of the LVS director, let iptables fix up replies
                                               # on the correct interface

ifcfg ip rules:

  from 192.168.1.104 table InternalNet
  from 192.168.2.104 table main                 # implied rule - maybe don't need this
  fwmark 1 lookup InternalNet
  fwmark 2 lookup main

iptables:

  # these must live in the mangle table: the default filter table has no PREROUTING chain
  -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
  -t mangle -A PREROUTING -d 192.168.1.104 -m state --state NEW -j CONNMARK --set-mark 1
  -t mangle -A PREROUTING -d 192.168.2.104 -m state --state NEW -j CONNMARK --set-mark 2

Does this make sense?

Best,
james

On Fri, Nov 27, 2009 at 4:15 AM, Simon Horman <[email protected]> wrote:
> Here is my thinking:
>
> 1) The LVS-NATed connections will have the source IP address of
>    the machine that made the request. Though in this case
>    it will be the IP address of 192.168.1.1 in the live range.
> 2) The live range is routed via 192.168.1.1, not the linux-director.
>    So return packets from the real-server will go to the wrong place.

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [email protected] or go to http://lists.graemef.net/mailman/listinfo/lvs-users
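To check where the rules in the post above would send the three interesting packets (an LVS-NAT reply to an internet client, a reply to an internal client, and a NEW outbound connection to a VIP), here is an added Python model of the CONNMARK/ip-rule/route lookups; it is not code from the thread. The interface name eth0 for the LVS-NAT side, the sample client addresses and the simplified conntrack keyed on address pairs are assumptions.

```python
# Added model (not from the thread) of the proposed policy routing: CONNMARK
# set in PREROUTING, restored in OUTPUT, then ip-rule table selection and
# longest-prefix route lookup. Interface eth0 for the LVS-NAT side is assumed.
import ipaddress

INTERNAL_IP, LVS_IP = "192.168.1.104", "192.168.2.104"
TABLES = {
    "InternalNet": [("0.0.0.0/0", "192.168.1.1", "eth1")],
    "main": [("123.123.123.64/26", "192.168.1.1", "eth1"),
             ("0.0.0.0/0", "192.168.2.100", "eth0")],
}
# ip rules in the order the post lists them (the kernel walks them by priority).
RULES = [
    (lambda src, mark: src == INTERNAL_IP, "InternalNet"),
    (lambda src, mark: src == LVS_IP, "main"),
    (lambda src, mark: mark == 1, "InternalNet"),
    (lambda src, mark: mark == 2, "main"),
    (lambda src, mark: True, "main"),
]
conntrack = {}  # (local_ip, remote_ip) -> connection mark (simplified conntrack)

def prerouting(src, dst):
    """Inbound packet: a NEW connection gets a CONNMARK chosen by its local dst."""
    conntrack.setdefault((dst, src), {INTERNAL_IP: 1, LVS_IP: 2}.get(dst, 0))

def route(src, dst):
    """Outbound packet: restore the CONNMARK, pick a table, look up the route.
    src=None models a not-yet-bound local socket: the kernel routes it with an
    unspecified source address, so the 'from' rules cannot match."""
    mark = conntrack.get((src, dst), 0)  # OUTPUT --restore-mark; 0 when NEW
    table = next(t for match, t in RULES if match(src, mark))
    best = max((r for r in TABLES[table]
                if ipaddress.ip_address(dst) in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return table, best[1], best[2]

def reply_path(client, local):
    """A request from client arrives at local; return the reply's (table, gw, dev)."""
    prerouting(client, local)
    return route(local, client)

if __name__ == "__main__":
    print("LVS-NAT reply to internet client:", reply_path("203.0.113.5", LVS_IP))
    print("reply to internal client:", reply_path("192.168.1.50", INTERNAL_IP))
    print("NEW outbound to a VIP:", route(None, "123.123.123.70"))
```

The LVS-NAT reply goes back through the director via the main default route, the internal reply leaves via 192.168.1.1, and a fresh outbound connection to the VIP range takes the explicit /26 route out of eth1.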
