For LVS-NAT to work you should not add any rules for the VIP in the PREROUTING or POSTROUTING chains; IPVS does this on its own, transparently. The rules added in the test setup are for management of the nodes behind the LVS. The rules in the INPUT chain are for the VIP.
iptables nat rules
# Generated by iptables-save v1.4.4 on Wed Feb 17 17:33:46 2010
# nat table: management reachability for the two real servers behind the LVS.
# The VIP itself has no nat rules here; the LVS-NAT translation for it is
# done by IPVS, not by these chains.
*nat
:PREROUTING ACCEPT [1717:278248]
:POSTROUTING ACCEPT [1000:68909]
:OUTPUT ACCEPT [1000:68909]
# Inbound on eth0: a NEW connection to each front address is DNAT'd to the
# corresponding back-end node. There is no -p/--dport match, so every
# protocol and port on the front address is mapped through to the node;
# later packets of the same connection are handled by conntrack, not by
# this rule.
-A PREROUTING -d 10.x.x.x/32 -i eth0 -m state --state NEW -j DNAT --to-destination 10.z.z.z
-A PREROUTING -d 10.x.x.y/32 -i eth0 -m state --state NEW -j DNAT --to-destination 10.z.z.v
# Outbound from each node via eth0: source-NAT back to its front address so
# the node appears as 10.x.x.x / 10.x.x.y externally.
-A POSTROUTING -s 10.z.z.z/32 -o eth0 -j SNAT --to-source 10.x.x.x
-A POSTROUTING -s 10.z.z.v/32 -o eth0 -j SNAT --to-source 10.x.x.y
COMMIT
# Completed on Wed Feb 17 17:33:46 2010
# Generated by iptables-save v1.4.4 on Wed Feb 17 17:33:46 2010
# filter table: only the INPUT chain carries rules, and they only cover the
# VIP. Traffic DNAT'd to the nodes by the *nat table traverses FORWARD, whose
# policy is ACCEPT with no rules, so nothing in this table restricts what
# reaches the management addresses of the nodes.
# NOTE(review): confirm unrestricted forwarding to the nodes is intended;
# if only specific management protocols are needed, add matching FORWARD
# rules and a DROP policy.
*filter
:INPUT ACCEPT [4479:1328198]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4396:360856]
# VIP on eth0: allow SMTP (tcp/25) and ICMP, drop anything else addressed
# to the VIP. The INPUT policy stays ACCEPT, so other local addresses on this
# host are not constrained by these three rules.
-A INPUT -d 10.x.x.VIP/32 -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d 10.x.x.VIP/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -d 10.x.x.VIP/32 -i eth0 -j DROP
COMMIT
# Completed on Wed Feb 17 17:33:46 2010
Remember to enable IPv4 forwarding (ip_forward):
echo "1" > /proc/sys/net/ipv4/ip_forward
NAT won't work without it.
keepalived.conf
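# VRRP instance carrying both the back-side default gateway (eth1) and the
# front-side VIP plus the two node management addresses (eth0). Because all
# four addresses live in one instance, they fail over together.
vrrp_instance VIP_MXP {
    state MASTER
    interface eth1
    priority 250
    authentication {
        # auth_type PASS is a simple text password carried in the VRRP
        # advertisements on eth1; it does not provide confidentiality, so the
        # VRRP segment itself needs to be a trusted network.
        auth_type PASS
        auth_pass verysecretpassword
    }
    virtual_router_id 200
    virtual_ipaddress {
        # One address per line: a trailing "#" comment ends the line, so the
        # addresses must not be run together on a single line or everything
        # after the first comment marker is ignored.
        10.z.z.BVIP/18 dev eth1   # back default gw
        10.x.x.VIP/20 dev eth0    # front vip
        10.x.x.x/20 dev eth0      # front node1
        10.x.x.y/20 dev eth0      # front node2
    }
    preempt_delay 300
    garp_master_delay 5
}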
Sorry, I forgot the configuration.
The IPs have been changed, but they should be consistent.
For LVS-NAT to work you should not add any rules for the VIP in the PREROUTING or POSTROUTING chains; IPVS does this on its own, transparently. The rules added in the test setup are for management of the nodes behind the LVS. The rules in the INPUT chain are for the VIP.
iptables nat rules
# Generated by iptables-save v1.4.4 on Wed Feb 17 17:33:46 2010
# nat table: management reachability for the two real servers behind the LVS.
# The VIP itself has no nat rules here; the LVS-NAT translation for it is
# done by IPVS, not by these chains.
*nat
:PREROUTING ACCEPT [1717:278248]
:POSTROUTING ACCEPT [1000:68909]
:OUTPUT ACCEPT [1000:68909]
# Inbound on eth0: a NEW connection to each front address is DNAT'd to the
# corresponding back-end node. There is no -p/--dport match, so every
# protocol and port on the front address is mapped through to the node;
# later packets of the same connection are handled by conntrack, not by
# this rule.
-A PREROUTING -d 10.x.x.x/32 -i eth0 -m state --state NEW -j DNAT --to-destination 10.z.z.z
-A PREROUTING -d 10.x.x.y/32 -i eth0 -m state --state NEW -j DNAT --to-destination 10.z.z.v
# Outbound from each node via eth0: source-NAT back to its front address so
# the node appears as 10.x.x.x / 10.x.x.y externally.
-A POSTROUTING -s 10.z.z.z/32 -o eth0 -j SNAT --to-source 10.x.x.x
-A POSTROUTING -s 10.z.z.v/32 -o eth0 -j SNAT --to-source 10.x.x.y
COMMIT
# Completed on Wed Feb 17 17:33:46 2010
# Generated by iptables-save v1.4.4 on Wed Feb 17 17:33:46 2010
# filter table: only the INPUT chain carries rules, and they only cover the
# VIP. Traffic DNAT'd to the nodes by the *nat table traverses FORWARD, whose
# policy is ACCEPT with no rules, so nothing in this table restricts what
# reaches the management addresses of the nodes.
# NOTE(review): confirm unrestricted forwarding to the nodes is intended;
# if only specific management protocols are needed, add matching FORWARD
# rules and a DROP policy.
*filter
:INPUT ACCEPT [4479:1328198]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4396:360856]
# VIP on eth0: allow SMTP (tcp/25) and ICMP, drop anything else addressed
# to the VIP. The INPUT policy stays ACCEPT, so other local addresses on this
# host are not constrained by these three rules.
-A INPUT -d 10.x.x.VIP/32 -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d 10.x.x.VIP/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -d 10.x.x.VIP/32 -i eth0 -j DROP
COMMIT
# Completed on Wed Feb 17 17:33:46 2010
Remember to enable IPv4 forwarding (ip_forward):
echo "1" > /proc/sys/net/ipv4/ip_forward
NAT won't work without it.
keepalived.conf
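# VRRP instance carrying both the back-side default gateway (eth1) and the
# front-side VIP plus the two node management addresses (eth0). Because all
# four addresses live in one instance, they fail over together.
# NOTE(review): reassembled from a paste in which keyword tokens were split
# ("auth_ type") and the authentication/virtual_ipaddress braces were
# unbalanced; the nesting below is the intended one — confirm against the
# running config.
vrrp_instance VIP_MXP {
    state MASTER
    interface eth1
    priority 250
    authentication {
        # auth_type PASS is a simple text password carried in the VRRP
        # advertisements on eth1; it does not provide confidentiality, so the
        # VRRP segment itself needs to be a trusted network.
        auth_type PASS
        auth_pass verysecretpassword
    }
    virtual_router_id 200
    virtual_ipaddress {
        10.z.z.BVIP/18 dev eth1   # back default gw
        10.x.x.VIP/20 dev eth0    # front vip
        10.x.x.x/20 dev eth0      # front node1
        10.x.x.y/20 dev eth0      # front node2
    }
    preempt_delay 300
    garp_master_delay 5
}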
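# LVS-NAT virtual server for SMTP on the front VIP, balanced over the two
# back-end nodes. This is the IPVS side of the setup: no iptables nat rules
# are needed for the VIP itself.
# NOTE(review): reassembled from a garbled paste — the "persistence" keyword
# prefixes were detached from their values and the two identical
# connect_timeout/retry/delay_before_retry triples were pulled out of the
# (empty) SMTP_CHECK blocks. One triple per real_server is assumed; confirm
# against the running config.
virtual_server 10.x.x.VIP 25 {
    delay_loop 60
    lb_algo wrr
    lb_kind NAT
    # Persistence keyed on the client address masked with /20
    # (255.255.240.0): every sender inside the same /20 is pinned to one real
    # server for 3600 s. With only two nodes this makes the distribution very
    # coarse — a busy /20 lands entirely on one node — so check that the
    # granularity is really what the mail flow needs.
    persistence_timeout 3600
    persistence_granularity 255.255.240.0
    protocol TCP
    real_server 10.z.z.z 25 { #node 1
        weight 100
        SMTP_CHECK {
            connect_timeout 10
            retry 3
            delay_before_retry 1
        }
    }
    real_server 10.z.z.v 25 { #node 2
        weight 100
        SMTP_CHECK {
            connect_timeout 10
            retry 3
            delay_before_retry 1
        }
    }
}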