Red Hat Bugzilla – Bug 9033
ipvsadm doesn't work with masquerading.
Last modified: 2008-05-01 11:37:54 EDT
I set up a virtual server using ipvsadm, with the 'masq' parm. I also set
up a 'forward' chain to masquerade the packets going through the virtual
server. The packets don't get masqueraded. Part of the setup included:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
Also, /etc/sysconfig/network is...
[root@hcom1 sysconfig]# ipvsadm
IP Virtual Server version 0.8.3 (size=4096)
Protocol LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 172.17.206.209:1023 wlc
-> 10.1.51.152:1350 Masq 2 0 0
My ipchains are...
[root@hcom1 sysconfig]# ipchains -L forward
Chain forward (policy ACCEPT):
target prot opt source destination ports
MASQ tcp ------ 172.17.206.0/24 anywhere
1024:65535 -> any
MASQ udp ------ 172.17.206.0/24 anywhere
1024:65535 -> any
My internet client's ip is 172.17.206.91, and it connects to
172.17.206.209:1023 (s-172.17.206.91 d-172.17.206.209:1023).
When the packet is forwarded and arrives at my 'real' server the source
address in the packet STILL IS 172.17.206.91 (s-172.17.206.91
d-10.1.51.152:1350). The virtual server correctly forwarded the packet but
didn't masquerade it!
I had to cancel a DEMO of Red Hat Linux Virtual Server with my company.
This doesn't look good. Will you make this a high priority?
Thanks for your help!
*** Bug 9032 has been marked as a duplicate of this bug. ***
What I need is the capability to masquerade the source address of a packet
destined for a real server, using ipchains. The problem is that any inbound
packets from a client to real servers are bypassing the FORWARD chain, going
from the INPUT chain to LVS to the OUTPUT chain. Masquerading the source
address of the packet, as well as the destination packet (done by LVS) is what
I have exchanged email with customer on several occasions. He also has
subscribed to the LVS mailing list and now has a greater understanding of LVS
and MASQ than when this problem was first logged.
Customer has agreed that this bug report can be closed.
Here is the last email exchange:
> MASQ works for me from an 'inside-to-outside network' perspective. That's
> because traffic from real servers to the outside go through the 'forward'
> chain of ipchains, while traffic from the outside to real servers doesn't.
> I've learned a lot during this experiment. Thanks for your feedback.
> Go ahead and close the bug report. Thanks.
> Bobby Moore Worldspan
> Phone: 770.563.7362 Fax: 770.563.6406
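The packet path described in the last two comments (LVS-NAT rewrites the destination on the INPUT-to-OUTPUT path, while the FORWARD chain and its MASQ rule only see traffic from the real servers outward), as an added Python model that is not part of the bug report: it parses the ipvsadm 0.8.3 listing above, applies the masq translation to the reporter's client packet, and checks whether the forward-chain rule would have matched had the packet reached it. The 2.2-kernel chain order and the single-real-server scheduling shortcut are assumptions of the model, not taken from the page.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed from the listings in the bug report (ipvsadm 0.8.3 format).
IPVSADM_LISTING = """\
IP Virtual Server version 0.8.3 (size=4096)
Protocol LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 172.17.206.209:1023 wlc
-> 10.1.51.152:1350 Masq 2 0 0
"""
# The report's ipchains forward rule: MASQ tcp 172.17.206.0/24 -> anywhere.
FORWARD_MASQ_SOURCES = [ipaddress.ip_network("172.17.206.0/24")]

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str   # source IP (the source port is not relevant here)
    dst: str   # "ip:port"

def parse_ipvsadm(listing):
    """Map (proto, 'vip:port') -> [(real 'ip:port', forwarding method), ...]."""
    services, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"^(TCP|UDP)\s+(\S+:\d+)\s+\w+", line)
        if m:
            current = (m.group(1), m.group(2))
            services[current] = []
            continue
        m = re.match(r"^->\s+(\S+:\d+)\s+(\w+)\s+\d+", line)
        if m and current is not None:
            services[current].append((m.group(1), m.group(2)))
    return services

def client_to_real(pkt, services):
    """Assumed 2.2-kernel LVS-NAT path for an inbound client packet: it is
    claimed on INPUT, its destination is rewritten to the real server and it
    leaves via OUTPUT. FORWARD is skipped, so the MASQ rule there never sees
    it and the client's source address is left unchanged."""
    real_servers = services.get((pkt.proto, pkt.dst))
    if not real_servers:
        return pkt, ["INPUT", "FORWARD", "OUTPUT"]   # ordinary routed packet
    real, method = real_servers[0]   # one real server, so scheduling is trivial
    assert method == "Masq", "only the Masq forwarding method is modelled"
    return Packet(pkt.proto, pkt.src, real), ["INPUT", "OUTPUT"]

def would_forward_masq(pkt):
    """True if the forward-chain MASQ rule would match, had the packet got there."""
    return any(ipaddress.ip_address(pkt.src) in net for net in FORWARD_MASQ_SOURCES)
```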