From: Nguyen Dinh Nam <64vn@cardvn.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Load Balancer setting for Public Servers
Date: Wed, 16 Feb 2005 10:28:57 +0000 [thread overview]
Message-ID: <42132069.4070806@cardvn.net> (raw)
In-Reply-To: <FHEJLKKJFOAHALHJLCJEMEKECDAA.sureerat.pha@eqho.com>
You are facing the CONNMARK problem! Everyone who follows the nano howto
faces the CONNMARK problem, no need to read your config :)
Sureerat P. (EQHO) wrote:
> Hello,
>
> I have finished setting up the load balancer with IPROUTE ... and also
> patched the kernel to support DGD, and now it's working fine thanks to the
> valuable guide at the LARTC website, Julian Anastasov, and the kind people
> on this mailing list. Now I would like to launch a web server and an
> ftp server to the public, but I'm stuck on a problem and really need
> your help.
>
> Currently internal users can access the internet and the load-balancing
> feature is working well, but users on the external network can't access
> my servers. Could someone please help investigate my config and suggest
> what is wrong or missing. Thank you very much.
>
> My network design is like this:
>
> +----------+     +----------+     +----------+
> |   ISP1   |     |   ISP3   |     |   ISP3   |
> +----------+     +----------+     +----------+
>      |                |                |
>      |                |                |
>      |         +--------------+        |
>      |_________| LoadBalancer |________|
>                +--------------+
>                       |
>                       |
>                +--------------+
>       _________|   Firewall   |________
>      |         +--------------+        |
>      |                |                |
>      |                |                |
> +----------+     +----------+     +----------+
> |Web Server|     |FTP Server|     |   LAN    |
> +----------+     +----------+     +----------+
>
> eth0 - Internal Network
> -----------------------
> IP = 10.0.0.1/24
>
> eth1 - route to ISP1
> --------------------
> IP = 213.244.0.254/24
> GW = 213.244.0.1
>
> eth2 - route to ISP2
> --------------------
> IP = 222.240.0.254/24
> GW = 222.240.0.1
>
> eth3 - route to ISP3
> --------------------
> IP = 201.10.0.254/24
> GW = 201.10.0.1
>
> Public Server
> -------------
> Web Server = 213.244.0.30
> FTP Server = 213.244.0.31
> (Firewall = 213.244.0.20)
>
> Firewall
> --------
> Interface to LoadBalancer = 10.0.0.254
> Interface to Web Server = 10.0.0.30
> Interface to FTP Server = 10.0.0.31
>
> Following is my configuration:
> ------------------------------
> ip address add 10.0.0.1/24 brd + dev eth0
> ip address add 213.244.0.254/24 brd + dev eth1
> ip address add 222.240.0.254/24 brd + dev eth2
> ip address add 201.10.0.254/24 brd + dev eth3
> ip rule add prio 5 table main
> ip route add default via 213.244.0.1 dev eth1 src 213.244.0.254 proto static table 10
> ip route append prohibit default table 10 metric 1 proto static
> ip route add default via 222.240.0.1 dev eth2 src 222.240.0.254 proto static table 20
> ip route append prohibit default table 20 metric 1 proto static
> ip route add default via 201.10.0.1 dev eth3 src 201.10.0.254 proto static table 30
> ip route append prohibit default table 30 metric 1 proto static
> ip rule add prio 10 from 213.244.0.0/24 table 10
> ip rule add prio 20 from 222.240.0.0/24 table 20
> ip rule add prio 30 from 201.10.0.0/24 table 30
> ip rule add prio 40 table 40
> ip route add default table 40 proto static nexthop via 213.244.0.1 dev eth1 weight 1 nexthop via 222.240.0.1 dev eth2 weight 1 nexthop via 201.10.0.1 dev eth3 weight 1
> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
> iptables -t filter -N keep_state
> iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -t filter -A keep_state -j RETURN
> iptables -t nat -N keep_state
> iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -t nat -A keep_state -j RETURN
> iptables -t nat -A PREROUTING -j keep_state
> iptables -t nat -A POSTROUTING -j keep_state
> iptables -t nat -A OUTPUT -j keep_state
> iptables -t filter -A INPUT -j keep_state
> iptables -t filter -A FORWARD -j keep_state
> iptables -t filter -A OUTPUT -j keep_state
> iptables -t nat -I PREROUTING -d 213.244.0.20 -j DNAT --to 10.0.0.254
> iptables -t nat -I PREROUTING -d 213.244.0.30 -j DNAT --to 10.0.0.30
> iptables -t nat -I PREROUTING -d 213.244.0.31 -j DNAT --to 10.0.0.31
>
> Best regards,
>
> Sureerat P.
>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
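The CONNMARK fix the reply is pointing at, written out as an added example rather than anything posted in this thread. Interface names, table ids and the LAN interface come from the quoted config; the mark values (1/2/3), the rule priorities (11/21/31) and the helper names are assumptions of this example, and the `-m state` syntax is the one the post itself uses (newer iptables spells it `-m conntrack --ctstate`). The failure it addresses: a reply from 10.0.0.30 is routed before the DNAT is reversed in POSTROUTING, so it falls through to the prio 40 multipath table and can leave via eth2 or eth3 carrying a 213.244.0.x source address, which ISP2/ISP3 will typically drop as spoofed. Storing the arrival link in the connection's mark and routing replies by that mark keeps them on the link the client used.

```shell
#!/bin/sh
# Added example for the thread above, not code from the post: route replies
# of DNAT'ed inbound connections back out the ISP link they arrived on, using
# CONNMARK. Interfaces, table ids and the LAN interface are the ones in the
# quoted config; mark values, rule priorities and helper names are assumed.

# Routing table the quoted config uses for each ISP link (from the post).
wan_table() {
    case "$1" in
        eth1) echo 10 ;;
        eth2) echo 20 ;;
        eth3) echo 30 ;;
        *) return 1 ;;
    esac
}

# Connection mark assigned per ISP link (assumption: 1, 2, 3).
wan_mark() {
    case "$1" in
        eth1) echo 1 ;;
        eth2) echo 2 ;;
        eth3) echo 3 ;;
        *) return 1 ;;
    esac
}

# Print the commands to add, one per line, so they can be reviewed (or diffed
# against a running box) before anything is applied.
gen_connmark_rules() {
    for wan in eth1 eth2 eth3; do
        mark=$(wan_mark "$wan")
        table=$(wan_table "$wan")
        # A NEW connection entering on this ISP link (e.g. a client hitting
        # 213.244.0.30, DNAT'ed to 10.0.0.30) gets the link's mark stored in
        # its conntrack entry.
        echo "iptables -t mangle -A PREROUTING -i $wan -m state --state NEW -j CONNMARK --set-mark $mark"
        # A packet carrying that mark is routed by the per-ISP table, at a
        # priority below 40 so the multipath rule never sees it.
        echo "ip rule add prio $((table + 1)) fwmark $mark table $table"
    done
    # Replies come back in from the LAN side with source 10.0.0.x; copy the
    # connection's mark onto the packet so the fwmark rules above match.
    # The DNAT is reversed later, in POSTROUTING, after routing has happened.
    echo "iptables -t mangle -A PREROUTING -i eth0 -j CONNMARK --restore-mark"
}

# Execute the generated commands (needs root; only runs with the "apply" arg).
apply_connmark_rules() {
    gen_connmark_rules | sh -e
}

if [ "${1:-}" = apply ]; then
    apply_connmark_rules
else
    gen_connmark_rules
fi
```

Run without arguments it only prints the seven commands; `sh script.sh apply` executes them. Outbound LAN connections are unaffected: they carry no connection mark, so no fwmark rule matches and they still reach the prio 40 multipath table as before.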
Thread overview: 12+ messages
2005-02-16 3:34 [LARTC] Load Balancer setting for Public Servers Sureerat P. (EQHO)
2005-02-16 10:28 ` Nguyen Dinh Nam [this message]
2005-02-16 11:16 ` Sureerat P. (EQHO)
2005-02-16 12:28 ` Tóth Nándor
2005-02-16 15:44 ` Nguyen Dinh Nam
2005-02-17 0:17 ` Julian Anastasov
2005-02-17 7:28 ` Sureerat P. (EQHO)
2005-02-17 10:29 ` Nguyen Dinh Nam
2005-02-17 11:44 ` Julian Anastasov
2005-02-17 13:14 ` Sureerat P. (EQHO)
2005-02-18 7:14 ` Julian Anastasov
2005-02-18 7:47 ` Sureerat P. (EQHO)