Hello,

I am facing difficulties with my chain:

        client - ipsec - shorewall - openswan - ipvs - Real servers.

It seems that the return packets never arrive to the clients.

Architecture :

                         client : 10.44.0.254
                                  |
                                  |
                             +---------+
                             | node A  |
                             |         |
                             +---------+
                                  |
                                  | tunnel : 10.44.0.254/32 <-> 10.4.0.30/32
                                  |
                          +---------------+
                          |    node B     | kernel 2.6.18
                          |   shorewall   | v: 4.0.11
                          |   openswan    | swan = ipsec zone
                          |     ipvs      | VIP: 10.4.0.30:80
                          +-------+-------+
                                 / \
                                /   \
                               /     \
                   RealServer1         RealServer2
                 10.0.3.99:8080       10.0.3.100:8080


/etc/shorewall/hosts :
swan    eth0:10.44.0.254

 1. The access client -> 10.4.0.30 is working OK.
    Done with /etc/shorewall/rules:

ACCEPT swan:10.44.0.0/24     fw     all

 2. The masq for the real servers to exit with 10.4.0.30 is OK.
    Done with /etc/shorewall/masq:

eth0::10.44.0.254       10.0.3.99       10.4.0.30       -       -

 3. The forward from ipvs to the real server is OK.
    When doing a "telnet 10.4.0.30 80", I have the following tcpdump on Node B:

10:40:48.682340 IP 10.44.0.254.36701 > 10.0.3.99.webcache: S 1067349055:1067349055(0) win 5840 <mss 1460,sackOK,timestamp 2887838843 0,nop,wscale 5>
10:40:48.682479 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792 <mss 1460,sackOK,timestamp 696330234 2887838843,nop,wscale 7>
10:40:51.681631 IP 10.44.0.254.36701 > 10.0.3.99.webcache: S 1067349055:1067349055(0) win 5840 <mss 1460,sackOK,timestamp 2887841843 0,nop,wscale 5>
10:40:51.681748 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792 <mss 1460,sackOK,timestamp 696333233 2887838843,nop,wscale 7>
10:40:52.282769 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792 <mss 1460,sackOK,timestamp 696333834 2887838843,nop,wscale 7>
10:40:58.283227 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792 <mss 1460,sackOK,timestamp 696339834 2887838843,nop,wscale 7>


However the return never arrives to the client. I don't see any
drop/reject on the firewall, but I don't know what is missing.


When I bypass the ipvs with a DNAT rule like this one:

DNAT:info    swan:10.44.0.254    loc:10.0.3.99:8080    tcp    80    -    10.4.0.30

it works, but I am losing the ipvs load balancer.

I am obviously missing a rule but I don't know which one. Can someone
help me?

Thanks
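The tcpdump in the message above shows the pattern that points at a broken reply path: the real server answers every SYN with a SYN-ACK, retransmits it, and the client never sends the third segment of the handshake (it retransmits its SYN instead). The script below, an added example that is not part of the original message or of the Shorewall project, parses that classic tcpdump line format, groups segments into flows, and reports for each flow whether the handshake completed, whether no SYN-ACK was ever seen (request path problem), or whether SYN-ACKs went unanswered (reply path problem). The first capture is the post's own six lines re-joined onto single lines; the second, healthy flow to 10.0.3.100 is constructed for contrast.

```python
"""Classify TCP handshakes in a tcpdump text capture by where they stall."""
import re
from dataclasses import dataclass, field

# Classic tcpdump format as in the post: "<ts> IP src.port > dst.port: <flags> <seq:seq(len)> [ack N] ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r"(?P<flags>[SFRP.]+)\s*(?P<rest>.*)$"
)
ACK_RE = re.compile(r"\back (\d+)\b")
SEQ_RE = re.compile(r"^(\d+):\d+\(\d+\)")

# Constructed sample: the post's capture (lines re-joined) plus one healthy handshake.
SAMPLE_CAPTURE = """\
10:40:48.682340 IP 10.44.0.254.36701 > 10.0.3.99.webcache: S 1067349055:1067349055(0) win 5840 <mss 1460,sackOK,timestamp 2887838843 0,nop,wscale 5>
10:40:48.682479 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792 <mss 1460,sackOK,timestamp 696330234 2887838843,nop,wscale 7>
10:40:51.681631 IP 10.44.0.254.36701 > 10.0.3.99.webcache: S 1067349055:1067349055(0) win 5840 <mss 1460,sackOK,timestamp 2887841843 0,nop,wscale 5>
10:40:51.681748 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792 <mss 1460,sackOK,timestamp 696333233 2887838843,nop,wscale 7>
10:40:52.282769 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792 <mss 1460,sackOK,timestamp 696333834 2887838843,nop,wscale 7>
10:40:58.283227 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792 <mss 1460,sackOK,timestamp 696339834 2887838843,nop,wscale 7>
10:41:00.000000 IP 10.44.0.254.36702 > 10.0.3.100.webcache: S 1:1(0) win 5840 <mss 1460>
10:41:00.000100 IP 10.0.3.100.webcache > 10.44.0.254.36702: S 9:9(0) ack 2 win 5792 <mss 1460>
10:41:00.000200 IP 10.44.0.254.36702 > 10.0.3.100.webcache: . ack 10 win 183
"""


@dataclass
class FlowStats:
    client: str
    server: str
    syn_seqs: list = field(default_factory=list)      # SYNs sent by the client
    synack_seqs: list = field(default_factory=list)   # SYN-ACKs sent by the server
    client_replies: int = 0                           # non-SYN segments from the client


def parse_line(line):
    """Return (ts, src, dst, flags, seq, ack) for a TCP line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seq_m = SEQ_RE.match(m["rest"])
    ack_m = ACK_RE.search(m["rest"])
    return (
        m["ts"],
        f'{m["src"]}:{m["sport"]}',
        f'{m["dst"]}:{m["dport"]}',
        m["flags"],
        int(seq_m.group(1)) if seq_m else None,
        int(ack_m.group(1)) if ack_m else None,
    )


def collect_flows(capture_text):
    """Group segments into flows; the client is whoever sent a plain SYN (no ack)."""
    flows = {}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        _, src, dst, flags, seq, ack = pkt
        is_syn = "S" in flags
        if is_syn and ack is None:
            flows.setdefault((src, dst), FlowStats(src, dst)).syn_seqs.append(seq)
        elif (src, dst) in flows:
            flows[(src, dst)].client_replies += 1          # client got something back
        elif (dst, src) in flows and is_syn and ack is not None:
            flows[(dst, src)].synack_seqs.append(seq)      # server's SYN-ACK (or a retransmit)
    return flows


def diagnose(flows):
    """Per flow: completed, no_synack (request path), or reply_path_broken (SYN-ACK unanswered)."""
    report = {}
    for (client, server), st in flows.items():
        if not st.synack_seqs:
            status = "no_synack"
        elif st.client_replies == 0:
            status = "reply_path_broken"
        else:
            status = "completed"
        report[f"{client} -> {server}"] = {
            "status": status,
            "syns": len(st.syn_seqs),
            "synacks": len(st.synack_seqs),
            "synack_retransmits": len(st.synack_seqs) - len(set(st.synack_seqs)),
            "client_replies": st.client_replies,
        }
    return report


if __name__ == "__main__":
    for flow, verdict in diagnose(collect_flows(SAMPLE_CAPTURE)).items():
        print(flow, verdict)
```

A "reply_path_broken" verdict on a capture taken on the director tells you the SYN-ACK reached the box but was not seen again by the client, so the next capture to take is on the client-facing side (the tunnel interface here) rather than adding more ACCEPT rules blindly.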

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
