Hi guys,
I'm not sure where to post for help on this one, Shorewall or LVS. I'll
start with Shorewall (only 'cause Tom is a gun at this stuff, and is polite
enough to tell me to bugger off to the LVS list if I'm posting in the wrong
one ;)
I have a single box that is my router/firewall/LVS.
Internet -- eth0 - router/firewall - eth1 --- internal lan
                          |
                         eth2 --- LVS-NAT setup
With LVS set up as LVS-NAT, everything works a treat: load balancing
from the internet is spread across my 2 servers that are connected to eth2.
LVS seems to be handling the NAT/masq just nicely, and plays nice with
Shorewall via fwmark.
BUT, my "realservers" (192.168.1.x, connected via eth2) can't access anything
externally, say DNS lookups, routing mail, whatever, i.e. anything originating
from the box apart from web traffic, which LVS-NAT is handling (which I
figured is right, but I don't know how to "fix" it so they can).
This is the issue: how can I set up Shorewall to allow the "realservers"
access to the internet, if it is Shorewall that I should be trying to make
this happen with?
Should I MASQ eth2 in Shorewall? Will this then break LVS-NAT doing the masq
on the incoming stuff?
PART B to all this is maybe changing LVS to DR (direct routing), so that my
machines are connected via eth1 with 202.45.102.x IPs etc., but I can't seem
to see if that will play nice with Shorewall. I read something about a patch
needed for connection tracking (but I thought the fwmark got around all
that); not going here unless I can't get my NAT'd machines to talk
externally :s...
202.45.102.90 is the virtual IP added to eth1 via LVS
*snipped* setup files:

/etc/shorewall/zones
    #ZONE   TYPE
    fw      firewall
    net     ipv4
    loc     ipv4
    lvs     ipv4

/etc/shorewall/interfaces
    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect
    loc     eth1        detect
    lvs     eth2        detect      routeback

/etc/shorewall/policy
    #SOURCE DEST    POLICY
    lvs     net     ACCEPT
    fw      lvs     ACCEPT
    lvs     fw      ACCEPT

/etc/shorewall/tcrules
    #MARK   SOURCE      DEST            PROTO   DPORT
    1       0.0.0.0/0   202.45.102.90   tcp     80

/etc/shorewall/rules
    #ACTION SOURCE  DEST                PROTO   DPORT
    ACCEPT  all     fw:202.45.102.90    tcp     80
My keepalived config is very simple:

virtual_server fwmark 1 {
    delay_loop 6
    lb_algo rr
    lb_kind NAT
    protocol TCP

    real_server 192.168.1.10 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 80
        }
    }

    real_server 192.168.1.11 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 80
        }
    }
}
Other stuff:

firewall# ip addr
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:d0:43:b7:cc brd ff:ff:ff:ff:ff:ff
    inet 202.45.103.86/30 brd 202.45.103.87 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:0c:d0:71:bc brd ff:ff:ff:ff:ff:ff
    inet 202.45.102.1/25 brd 202.45.102.127 scope global eth1
    inet 202.45.102.90/32 scope global eth1
    inet 202.45.102.91/32 scope global eth1
    inet 202.45.102.92/32 scope global eth1
    inet 202.45.102.93/32 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:d0:43:b7:cd brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth2

firewall# ip route
202.45.103.84/30 dev eth0 proto kernel scope link src 202.45.103.86
202.45.102.0/25 dev eth1 proto kernel scope link src 202.45.102.1
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
default via 202.45.103.85 dev eth0 proto zebra equalize
Cheers
Adam
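Added example, not from Adam's post or the Shorewall project: a POSIX sh check that the nat table really carries a MASQUERADE/SNAT rule for the real-server subnet on its way out of eth0, which is what an assumed /etc/shorewall/masq line `eth0 192.168.1.0/24` would install to give the eth2 machines outbound access. It assumes the `iptables -t nat -S` output format; the dumps inside are constructed for the example, not captured from the box.

```shell
# Added example, not from Adam's post or the Shorewall project.
# Confirms that the nat table has a MASQUERADE/SNAT rule for the
# real-server subnet when it leaves the Internet interface, i.e. the
# rule an assumed /etc/shorewall/masq line would install:
#     #INTERFACE  SOURCE
#     eth0        192.168.1.0/24
# Input is the text of `iptables -t nat -S`. Dumps below are constructed.

# egress_nat_ok DUMP SUBNET IFACE
# Returns 0 if SUBNET is masqueraded/SNATed out IFACE, else 1.
# Shorewall usually puts the rule in a per-interface chain (e.g. eth0_masq)
# that POSTROUTING jumps to, so both the direct and chain forms are accepted.
egress_nat_ok() {
    dump=$1; subnet=$2; iface=$3
    # Direct form: -A POSTROUTING -s SUBNET -o IFACE -j MASQUERADE
    printf '%s\n' "$dump" |
        grep -E -- "^-A POSTROUTING .*-s $subnet .*-o $iface .*-j (MASQUERADE|SNAT)" >/dev/null && return 0
    # Chain form: chains that POSTROUTING jumps to for packets leaving IFACE
    chains=$(printf '%s\n' "$dump" |
        sed -n "s/^-A POSTROUTING .*-o $iface -j \([A-Za-z0-9_]*\)$/\1/p")
    for c in $chains; do
        case "$c" in MASQUERADE|SNAT|ACCEPT|RETURN) continue ;; esac
        printf '%s\n' "$dump" |
            grep -E -- "^-A $c .*-s $subnet .*-j (MASQUERADE|SNAT)" >/dev/null && return 0
    done
    return 1
}

# Constructed nat-table dumps: before and after the masq entry.
NO_MASQ='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT'

WITH_MASQ="$NO_MASQ
-N eth0_masq
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.168.1.0/24 -j MASQUERADE"

for d in "$NO_MASQ" "$WITH_MASQ"; do
    if egress_nat_ok "$d" 192.168.1.0/24 eth0; then
        echo "192.168.1.0/24 is masqueraded out eth0"
    else
        echo "no egress NAT for 192.168.1.0/24 out eth0: real servers cannot reach the net"
    fi
done
```

This only confirms the rule exists and is scoped to the real-server subnet rather than to everything leaving eth0; whether it interferes with LVS-NAT's own reply rewriting is the open question in the post.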
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users