Guten tag Michael! :) So, what we have and where is the problem:
We've got an LVS-NAT balancer (hostname "lba1a") with two real interfaces, and it is running postfix on localhost. Let's take as an example the globally-available *VIP* 123.123.123.123 on one of the interfaces. Here is what we have when iptables is on:

[r...@lba1a ~]# telnet 123.123.123.123 25
Trying 123.123.123.123...
telnet: connect to address 77.92.229.53: Connection timed out
[r...@lba1a ~]# telnet 123.123.123.123 25
Trying 123.123.123.123...
Connected to 123.123.123.123.
Escape character is '^]'.
220 123.123.123.123 ESMTP test server
^]
telnet> Connection closed.
[r...@lba1a ~]# telnet 123.123.123.123 25
Trying 123.123.123.123...
telnet: connect to address 123.123.123.123: Connection timed out
[r...@lba1a ~]# telnet 123.123.123.123 25
Trying 123.123.123.123...

This VIP in our case is eth0:1; FC13 x86-64, had the same with FC11, FC12.

[r...@lba1a ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           helper match "ftp"
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3128 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3636
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[r...@lba1a ~]# iptables -L -n -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  0.0.0.0/0            123.123.123.123     tcp dpt:21 MARK set 0x15
MARK       tcp  --  0.0.0.0/0            123.123.123.123     tcp dpts:1024:65535 MARK set 0x15

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

[r...@lba1a ~]# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.1.0.0/24          10.1.0.0/24
MASQUERADE all  --  10.1.0.0/24          0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[r...@lba1a ~]# ipvsadm --list -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  123.123.123.123:25 wlc persistent 3600
  -> 127.0.0.1:25                 Local   50     0          1
TCP  12.123.123.123:80 wlc persistent 3600
  -> 10.1.0.3:80                  Masq    50     37         319
  -> 10.1.0.5:80                  Masq    50     39         120
FWM  21 wlc
  -> 10.1.0.3:21                  Masq    10     0          1
  -> 10.1.0.5:21                  Masq    10     0          0
  -> 127.0.0.1:21                 Local   10     0          0

We tried with the LVS redirect to localhost and without... Postfix is working fine; there must be a problem somewhere in iptables/LVS.

On Sun, Sep 19, 2010 at 5:37 PM, Michael Schwartzkopff <mi...@schwartzkopff.org> wrote:
> On Sunday 19 September 2010 13:56:00 თემური დოღონაძე wrote:
> > Hi.
> >
> > We have a cluster with 2 routers and 3 nodes, running a webserver on it.
> > The mailserver is the 1st router itself.
> > The problem is that we cannot connect to the SMTP server via the IPVS virtual IP from
> > inside the router in 90% of tries.
> > If iptables is down, all goes smoothly, we can connect freely. But if it's
> > up, it's possible to connect, though only 1 time out of 20 tries or so.
> > Postfix is logging something like:
> >
> > lost connection after CONNECT from domain.com.local[127.0.0.1]
> >
> > any suggestions?
>
> Gamarjoobath,
>
> Configs? Logs?
>
> Greetings,
>
> --
> Dr. Michael Schwartzkopff
> Guardinistr. 63
> 81375 München
>
> Tel: (0163) 172 50 98
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
> Send requests to lvs-users-requ...@linuxvirtualserver.org
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users

--
Best regards,
George Machitidze
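When a thread like this asks for "configs and logs", the `ipvsadm --list -n` dump is the piece worth reading by machine rather than by eye: which virtual services exist, which scheduler and persistence they use, and which real servers are reached by masquerading versus handled locally by the director. The parser below is an added example, not code from the thread or from the LVS project. The sample input is the listing George pasted, reproduced here as constructed test data; the dataclass names and the `local_real_servers` check are my own and assume the standard column layout of `ipvsadm --list -n` (address, forward method, weight, active and inactive connection counts on each `->` line).

```python
"""Parse `ipvsadm --list -n` output into a structure and run a few checks on it.

Added example (not from the post or the LVS project). The sample text is the
listing pasted in the thread, embedded here as constructed input so the script
runs offline; the dataclasses and check functions are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the ipvsadm listing from the post.
IPVSADM_OUTPUT = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  123.123.123.123:25 wlc persistent 3600
  -> 127.0.0.1:25                 Local   50     0          1
TCP  12.123.123.123:80 wlc persistent 3600
  -> 10.1.0.3:80                  Masq    50     37         319
  -> 10.1.0.5:80                  Masq    50     39         120
FWM  21 wlc
  -> 10.1.0.3:21                  Masq    10     0          1
  -> 10.1.0.5:21                  Masq    10     0          0
  -> 127.0.0.1:21                 Local   10     0          0
"""


@dataclass
class RealServer:
    address: str      # "ip:port" of the real server
    forward: str      # Local, Masq, Route or Tunnel
    weight: int
    active_conn: int
    inact_conn: int


@dataclass
class VirtualService:
    proto: str                  # TCP, UDP, or FWM for firewall-mark services
    address: str                # "vip:port", or the mark number for FWM services
    scheduler: str              # e.g. wlc, rr
    persistence: Optional[int]  # persistence timeout in seconds, None if not set
    real_servers: List[RealServer] = field(default_factory=list)


def parse_ipvsadm(text: str) -> List[VirtualService]:
    """Turn the text of `ipvsadm --list -n` into a list of VirtualService objects."""
    services: List[VirtualService] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] in ("TCP", "UDP", "FWM") and len(tokens) >= 3:
            # Service line: Prot Address Scheduler [persistent <secs>] [other flags]
            persistence = None
            if "persistent" in tokens:
                persistence = int(tokens[tokens.index("persistent") + 1])
            services.append(VirtualService(tokens[0], tokens[1], tokens[2], persistence))
        elif tokens[0] == "->" and services and tokens[1] != "RemoteAddress:Port":
            # Real-server line: -> addr:port Forward Weight ActiveConn InActConn
            services[-1].real_servers.append(
                RealServer(tokens[1], tokens[2], int(tokens[3]), int(tokens[4]), int(tokens[5]))
            )
    return services


def local_real_servers(services: List[VirtualService]) -> List[Tuple[str, str]]:
    """Return (service address, real server address) pairs with forward method 'Local'.

    These are the services the director answers itself, so traffic to them never
    leaves the box and the director's own INPUT rules see both directions of the
    connection. That is the configuration under discussion in the thread.
    """
    return [
        (svc.address, rs.address)
        for svc in services
        for rs in svc.real_servers
        if rs.forward == "Local"
    ]


def connection_totals(services: List[VirtualService]) -> dict:
    """Sum active and inactive connections per virtual service address."""
    return {
        svc.address: (
            sum(rs.active_conn for rs in svc.real_servers),
            sum(rs.inact_conn for rs in svc.real_servers),
        )
        for svc in services
    }


if __name__ == "__main__":
    parsed = parse_ipvsadm(IPVSADM_OUTPUT)
    for svc in parsed:
        print(f"{svc.proto} {svc.address} {svc.scheduler} persistence={svc.persistence}")
        for rs in svc.real_servers:
            print(f"  -> {rs.address} {rs.forward} w={rs.weight}")
    print("Local real servers:", local_real_servers(parsed))
    print("Connection totals:", connection_totals(parsed))
```

Running the script against the pasted listing reports that two services (the SMTP VIP and firewall mark 21) have a `Local` real server on 127.0.0.1, which is exactly the path that the host firewall on the director has to allow in both directions. Feeding it the output of a live `ipvsadm --list -n` works the same way, since the column layout is the one the tool prints by default.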