Sorry for the previous email. Here is the missing info and the dump with the IPs used.
Hello,
I am facing difficulties with my chain:
client - ipsec - shorewall - openswan - ipvs - Real servers.
It seems that the return packets never arrive at the clients.
Architecture:
client: 10.44.0.254
         |
    +----+----+
    | node A  |
    |         |
    +----+----+
         |
    +----+-----------+
    | node B         |
    | shorewall      | 4.0.11
    | openswan       | 2.4.9
    | ipvs           | VIP: 10.4.0.30
    +----+-----------+
        / \
       /   \
RealServer1   RealServer2
10.0.3.99     10.0.3.100
/etc/shorewall/hosts:
swan eth0:10.44.0.254
1. the access: client -> 10.4.0.30 is working OK
Done with /etc/shorewall/rules
ACCEPT swan:10.44.0.0/24 fw all
2. The masq for real servers to exit with 10.4.0.30 is OK
Done with /etc/shorewall/masq
eth0::10.44.0.254 10.0.3.99 10.4.0.30 - -
3. The forward from ipvs to the real server is OK.
When doing a: telnet 10.4.0.30 80
I have the following tcpdump on Node B:
10:40:48.682340 IP 10.44.0.254.36701 > 10.0.3.99.webcache: S 1067349055:1067349055(0) win 5840 <mss 1460,sackOK,timestamp 2887838843 0,nop,wscale 5>
10:40:48.682479 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792 <mss 1460,sackOK,timestamp 696330234 2887838843,nop,wscale 7>
10:40:51.681631 IP 10.44.0.254.36701 > 10.0.3.99.webcache: S 1067349055:1067349055(0) win 5840 <mss 1460,sackOK,timestamp 2887841843 0,nop,wscale 5>
10:40:51.681748 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792 <mss 1460,sackOK,timestamp 696333233 2887838843,nop,wscale 7>
10:40:52.282769 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792 <mss 1460,sackOK,timestamp 696333834 2887838843,nop,wscale 7>
10:40:58.283227 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792 <mss 1460,sackOK,timestamp 696339834 2887838843,nop,wscale 7>
However the return never arrives at the client. I don't see any
drop/reject on the firewall. But I don't know what is missing.
When I bypass the ipvs with a DNAT rule like this one:
DNAT:info swan:10.44.0.254 loc:10.0.3.99:8080 tcp 80 - 10.4.0.30
it works, but I am losing the ipvs load balancer.
I am obviously missing a rule but I don't know which one. Can someone
help me?
Thanks
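As an added example (not part of the original post or of any of the tools it names), a small Python script that parses classic-format tcpdump lines like the capture above and flags handshakes where the real server keeps retransmitting its SYN-ACK without ever seeing the client's ACK, which is the signature of a broken return path rather than a blocked forward path. The sample is the post's own capture re-joined onto one line per packet with the TCP options trimmed, plus one constructed healthy handshake (port 36702 to 10.0.3.100) for contrast.

```python
import re
from collections import defaultdict

# Classic tcpdump line: "<time> IP <src>.<sport> > <dst>.<dport>: <flags> [seq:seq(len)] [ack N] win ..."
# The seq field is optional so pure-ACK lines such as ". ack 1 win 183" parse as well.
LINE = re.compile(
    r"^\S+ IP (\S+)\.(\S+) > (\S+)\.(\S+): ([SFRP.]+)\s*"
    r"(?:\d+:\d+\(\d+\)\s*)?(?:ack (\d+))?"
)

# Constructed sample: the capture from the post, one line per packet, options trimmed,
# followed by one constructed healthy three-way handshake to a second real server.
SAMPLE = """\
10:40:48.682340 IP 10.44.0.254.36701 > 10.0.3.99.webcache: S 1067349055:1067349055(0) win 5840
10:40:48.682479 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792
10:40:51.681631 IP 10.44.0.254.36701 > 10.0.3.99.webcache: S 1067349055:1067349055(0) win 5840
10:40:51.681748 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792
10:40:52.282769 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792
10:40:58.283227 IP 10.0.3.99.webcache > 10.44.0.254.36701: S 3408723439:3408723439(0) ack 1067349056 win 5792
10:41:03.100000 IP 10.44.0.254.36702 > 10.0.3.100.webcache: S 1:1(0) win 5840
10:41:03.100100 IP 10.0.3.100.webcache > 10.44.0.254.36702: S 9:9(0) ack 2 win 5792
10:41:03.100200 IP 10.44.0.254.36702 > 10.0.3.100.webcache: . ack 10 win 183
"""


def analyze(text):
    """Count SYN, SYN-ACK and client-side ACK packets per (client, cport, server, sport)."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "client_ack": 0})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags, ack = m.groups()
        if "S" in flags and ack is None:            # SYN: src is the client
            flows[(src, sport, dst, dport)]["syn"] += 1
        elif "S" in flags:                          # SYN-ACK: src is the server
            flows[(dst, dport, src, sport)]["synack"] += 1
        elif ack is not None and (src, sport, dst, dport) in flows:
            flows[(src, sport, dst, dport)]["client_ack"] += 1   # client finished the handshake
    return dict(flows)


def stalled_handshakes(text, min_synack=2):
    """Flows where the server retransmitted its SYN-ACK and the client never ACKed:
    the SYN-ACK left the real server, so the forward path works and the return path does not."""
    return [k for k, c in analyze(text).items()
            if c["synack"] >= min_synack and c["client_ack"] == 0]


if __name__ == "__main__":
    for client, cport, server, sport in stalled_handshakes(SAMPLE):
        print(f"no return path: {client}:{cport} -> {server}:{sport}")
```

Run it against a capture on the same box that should be forwarding the replies; a flow listed here while the firewall logs show no drop points at routing or SNAT on the return leg, not at the ACCEPT rule.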