    About the Site
    Welcome to the website of the Ensenada Linux Users Group (ELUG)!

    This website is intended to provide a space for publishing information related to the world of Linux, Open Source and any other topic that fits! ;) (That is what the off-topics are for!)

    If you want to participate, you will need to create an account in order to publish articles and/or comments.

    The ELUG's main means of communication is the ELUG Mailing List.

    Please be kind and avoid bad attitudes; thanks in advance! :)

    Have fun and help us keep the site up to date with information!

    Regards!


    This website is proudly sponsored by CiberLinux Networking

    Shorewall + Linux Virtual Server LVS/DR
    Article in General by saaib on 2004-12-03 14:39:45. Source: Shorewall Mailing List
    Ok,

    As Tom thinks this might be something to archive to avoid some further questions, here is what I did to get Netfilter/Shorewall working on my two LVS servers.

    First of all, this is what I had to get done:

    2 to x Mail Relay Servers with identical software setup hosting 5 to x customers, in a setup giving those customers 99% availability. The hardware of the servers might vary from high-end HP Proliants down to
    older Compaq Proliants. We decided to use LVS (NAT) to get enough scaling capability and a possibility to cluster some reverse proxies.
    For some reasons we also placed those systems within an IP range which is not covered by our firewall cluster.

                 |
                 | Internet Backbone
                 |
            ---------
            |       |        Official IP's
         ------   ------
         | B  |   | B  |
         | 1  |   | 2  |
         ------   ------
            |       |
            ---------
                |
            ---------
            |       |        RFC 1918 IP's
         ------   ------
         | R  |   | R  |
         | 1  |   | 2  |
         ------   ------

    B=Balancer R=Real

    The balancers look like this:

    Base:
    Fedora Core 2 (modified so that the ISO will
    install without any questions and within 10 min.)
    (Actually this all is mostly depending on the
    kernel used the distribution should not matter much).

    Kernel:
    Modified 2.6.9 based on Fedora 2.6.9-1.681_FC2.src.rpm
    (This should work on any 2.6.9 kernel and there are patches for 2.6.8, 2.6.5, 2.4.27, 2.4.26 and 2.4.23 too.

    I tested this using 2.6.9 so no idea how the
    others are behaving)

    Patch:
    ipvs-nfct-2.6.9-2.diff

    and ip_nat_ftp-2.6.9-1.diff

    iptables: v1.2.9 (from fedora)
    shorewall: 2.0.11
    ipvsadm: 1.2.0 (from fedora)
    heartbeat: 1.2.3-1 (compiled from src and rpmbuild)
    ldirector: 1.2.3-1 (compiled from src and rpmbuild)

    heartbeat and ldirectord can be found here:
    http://www.linux-ha.org

    The patches can be found here:
    http://www.ssi.bg/~ja/nfct

    Some additional info can be found here:
    http://www.ultramonkey.org/

    I used the src.rpm to get the patched kernel installed as easily as possible on machines which have no development tools installed and would be far too slow to compile on. I actually installed the src.rpm, moved the two patches into the SOURCE folder, added the needed Patchx and %patchx entries and did my rpmbuild -bb -target= .

    I installed those kernels on my two balancers, installed the shorewall rpm, heartbeat and ldirectord. Next I modified the needed config files and added following commands into

    /etc/shorewall/initdone

    /sbin/ipvsadm
    echo 1 > /proc/sys/net/ipv4/vs/conntrack
    echo 1 > /proc/sys/net/ipv4/vs/snat_reroute

    initdone might not be the best place to do it but as it worked I spared my time looking at the shorewall docs for the proper place.

    The first command is needed to create the proc entry 'vs', as this is only available after ipvsadm has run once. Next you enable the sync between the LVS conntrack and the Netfilter conntrack. The last command is
    just useful for SNAT and is not directly related to the conntrack problem, but I have to do SNAT so that each server (having an RFC 1918 IP) can be accessed by a real IP (without balancing) for maintenance.

    After that was done and a reboot, everything worked, incl. Shorewall DNAT, SNAT and conntrack. (Well, actually it didn't, because I used two virtual IPs to do maintenance on the real servers, NATing them, and forgot to set ADD_IP_ALIASES in shorewall.conf to No. That way I suddenly had both IPs active on both balancers, with the expected result.)

    Some comments:

    Doing it without the patch and Shorewall:

    I got this all working without the patch and Shorewall by simply binding all management ports (like ssh) on the internal interface of each balancer and keeping only the SMTP port on the outside (the virtual IPs, actually). Then I used simple DNAT and SNAT iptables entries, with s= defining my management station IPs, to access the balancers and the real servers. That way nmap and nessus weren't able to see any open ports other than SMTP. This setup was working because the conntrack modules weren't needed, but to keep this running with 99% availability, and since not everyone doing maintenance was following the install process, we
    decided not to do security by obscurity and to keep Shorewall.

    State Synchronisation:

    LVS provides a way to sync connection states between clustered
    balancers. Keep in mind that this works only for LVS. Even the patch
    will not sync the Netfilter contrack in case of a resource takeover.

    Stability:

    I had a look at the patches and for me they looked fine. Still, this is
    an unofficial patch so be aware that it might or not have problems. The
    system currently handles 15k connections a day maybe 20k by now. So I
    can't say if it is really stable under stress.


    Axel


    Axel Westerhold wrote:

    > Hi everyone,
    >
    > as this is a rather old thread I will simply say that I got
    > Netfilter/Shorewall and LVS (NAT / 2.6.9 Kernel) working for my rather
    > basic needs. As this is off topic I will just keep this short. If
    > someone should be interested how it worked and what patch I used just
    > reply to this thread.
    >
    > Regards,
    >

    _______________________________________________
    Shorewall-users mailing list
    Post: Shorewall-users@lists.shorewall.net
    Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
    Support: http://www.shorewall.net/support.htm
    FAQ: http://www.shorewall.net/FAQ.htm
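    As an added example that is not part of the original post or of Shorewall, here is the same /etc/shorewall/initdone step written as a checked shell function: it runs ipvsadm once so the 'vs' proc directory appears, verifies the directory really exists before touching anything, and confirms each sysctl value stuck instead of assuming the echo worked. The PROC_ROOT and IPVSADM variables are assumptions introduced here so the function can be exercised against a scratch directory rather than a live kernel.

```shell
#!/bin/sh
# Added example (not code from the original post): a guarded version of
# the three commands the post puts into /etc/shorewall/initdone.
#
# Assumptions (not in the post): PROC_ROOT and IPVSADM are overridable so
# the function can be tested against a scratch directory instead of /proc.

PROC_ROOT="${PROC_ROOT:-/proc}"
IPVSADM="${IPVSADM:-/sbin/ipvsadm}"

# Write "1" to one file under $PROC_ROOT/sys/net/ipv4/vs/ and read it back.
# Fails if the file is missing or the value did not stick.
set_vs_sysctl() {
    file="$PROC_ROOT/sys/net/ipv4/vs/$1"
    [ -w "$file" ] || { echo "missing sysctl: $file" >&2; return 1; }
    echo 1 > "$file"
    [ "$(cat "$file")" = "1" ]
}

# Enable the LVS <-> Netfilter conntrack sync, and snat_reroute when the
# first argument is "yes". The post notes that the vs/ directory only exists
# after ipvsadm has run once, so run it first, then verify before writing.
enable_lvs_conntrack() {
    want_snat="${1:-yes}"
    vsdir="$PROC_ROOT/sys/net/ipv4/vs"
    if [ ! -d "$vsdir" ]; then
        # Running ipvsadm loads ip_vs, which creates the vs/ proc entries.
        "$IPVSADM" >/dev/null 2>&1 || true
    fi
    [ -d "$vsdir" ] || { echo "ip_vs not loaded: $vsdir absent" >&2; return 1; }
    set_vs_sysctl conntrack || return 1
    if [ "$want_snat" = "yes" ]; then
        set_vs_sysctl snat_reroute || return 1
    fi
    return 0
}

# As the initdone hook would call it (uncomment on a real balancer):
# enable_lvs_conntrack yes
```

    Because the function returns non-zero when the 'vs' directory never appears or a value does not read back as 1, a failure shows up at Shorewall start time instead of surfacing later as connections that the Netfilter side silently does not track.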



    All content on this website, unless an exception is noted, is under the GPL license.
    For any clarification about the contents of this license, please visit the GNU General Public License.

    Linux is a registered trademark of Linus Torvalds. Any registered trademarks referenced on this site are the property of their respective companies.