Shorewall + Linux Virtual Server LVS/DR |
Article by saaib on 2004-12-03 14:39:45. Source: Shorewall Mailing List
Ok,
as Tom thinks this might be something to archive to avoid some further questions, here is what I did to get Netfilter/Shorewall working on my two LVS servers.
First of all, this is what I had to get done:
2 to x Mail Relay Servers with identical software setup hosting 5 to x customers in a setup giving those customers 99% availability. The hardware of the servers might vary from high-end HP Proliants down to older Compaq Proliants. We decided to use LVS (NAT) to get enough scaling capability and a possibility to cluster some reverse proxies.
For some reasons we also placed those systems within an IP range which is not covered by our firewall cluster.
                 |
                 |  Internet Backbone
                 |
            -----------
            |         |        Official IP's
         ------     ------
         | B  |     | B  |
         | 1  |     | 2  |
         ------     ------
            |         |
            -----------
                 |
            -----------
            |         |        RFC 1918 IP's
         ------     ------
         | R  |     | R  |
         | 1  |     | 2  |
         ------     ------

B=Balancer  R=Real
The Balancers look like this:
Base:
Fedora Core 2 (modified so that the ISO will install without any questions and within 10 min.)
(Actually this all is mostly depending on the kernel used; the distribution should not matter much.)
Kernel:
Modified 2.6.9 based on Fedora 2.6.9-1.681_FC2.src.rpm
(This should work on any 2.6.9 kernel and there are patches for other kernels too: 2.6.8, 2.6.5, 2.4.27, 2.4.26, 2.4.23. I tested this using 2.6.9 so no idea how the others are behaving.)
Patch:
ipvs-nfct-2.6.9-2.diff
and ip_nat_ftp-2.6.9-1.diff
iptables: v1.2.9 (from fedora)
shorewall: 2.0.11
ipvsadm: 1.2.0 (from fedora)
heartbeat: 1.2.3-1 (compiled from src and rpmbuild)
ldirectord: 1.2.3-1 (compiled from src and rpmbuild)
heartbeat and ldirectord can be found here:
http://www.linux-ha.org
The patches can be found here:
http://www.ssi.bg/~ja/nfct
Some additional info can be found here:
http://www.ultramonkey.org/
I used the src.rpm to get the patched kernel installed as easily as possible on machines which have no development tools installed and would be far too slow to compile on. I actually installed the src.rpm, moved the two patches into the SOURCE folder, added the needed Patchx and %patchx entries and did my rpmbuild -bb -target= .
I installed those kernels on my two balancers, installed the shorewall rpm, heartbeat and ldirectord. Next I modified the needed config files and added the following commands into
/etc/shorewall/initdone
/sbin/ipvsadm
echo 1 > /proc/sys/net/ipv4/vs/conntrack
echo 1 > /proc/sys/net/ipv4/vs/snat_reroute
initdone might not be the best place to do it, but as it worked I spared myself the time of looking through the shorewall docs for the proper place.
The first command is needed to create the proc entry 'vs', as this is only available after ipvsadm has run once. Next you enable the sync between the LVS conntrack and the Netfilter conntrack. The last command is just useful for SNAT and is not directly related to the conntrack problem; I have to do SNAT so each server (having an RFC 1918 IP) can be accessed by a real IP (without balancing) for maintenance.
After this was done and a reboot, everything worked incl. shorewall DNAT, SNAT and conntrack. (Well, actually it didn't, because I used two virtual IP's to do maintenance on the real servers, NATing them, and forgot to set ADD_IP_ALIASES in shorewall.conf to NO. That way I suddenly had both IP's active on both balancers, with the expected result.)
Some comments:
Doing it without the patch and shorewall:
I got this all working without the patch and shorewall by simply binding all management ports (like ssh) on the internal interface of each balancer and just keeping the SMTP port on the outside (the virtual IP's actually). Then I used simple DNAT and SNAT iptables entries with s= defining my management station IP's to access the balancers and the real servers. That way nmap and nessus weren't able to see any other open ports than SMTP. This setup was working because conntrack modules weren't needed, but to keep this running with 99% availability, and since not everyone doing maintenance was following up on the install process, we decided on doing security not by obscurity and kept with shorewall.
State Synchronisation:
LVS provides a way to sync connection states between clustered balancers. Keep in mind that this works only for LVS. Even the patch will not sync the Netfilter conntrack in case of a resource takeover.
Stability:
I had a look at the patches and for me they looked fine. Still, this is an unofficial patch so be aware that it might or might not have problems. The system currently handles 15k connections a day, maybe 20k by now. So I can't say if it is really stable under stress.
Axel
Axel Westerhold wrote:
> Hi everyone,
>
> as this is a rather old thread I will simply say that I got
> Netfilter/Shorewall and LVS (NAT / 2.6.9 Kernel) working for my rather
> basic needs. As this is off topic I will just keep this short. If
> someone should be interested how it worked and what patch I used just
> reply to this thread.
>
> Regards,
>
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
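A hardened version of the initdone step described in the post, as an added example that is not part of the original message or of Shorewall: it checks that the LVS sysctl tree actually exists before writing to it (the tree only appears once ipvsadm has run), verifies each write took effect, and checks the ADD_IP_ALIASES pitfall the author hit. The variables VS_DIR, SHOREWALL_CONF and USE_SNAT are assumptions introduced here so the functions can be pointed at a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are overridable so the
# checks can be exercised against a scratch directory (assumed names).
VS_DIR="${VS_DIR:-/proc/sys/net/ipv4/vs}"
SHOREWALL_CONF="${SHOREWALL_CONF:-/etc/shorewall/shorewall.conf}"
USE_SNAT="${USE_SNAT:-1}"   # 1 = the balancer also does SNAT for maintenance

# The 'vs' sysctl tree only exists after ipvsadm has run once; try that and
# report whether the tree is now present.
lvs_proc_ready() {
    [ -d "$VS_DIR" ] && return 0
    command -v ipvsadm >/dev/null 2>&1 && ipvsadm -L -n >/dev/null 2>&1
    [ -d "$VS_DIR" ]
}

# Write one knob and read it back, so a kernel without the nfct patch
# (knob missing) or a rejected write fails loudly instead of silently.
lvs_set() {
    key="$1"; val="$2"; f="$VS_DIR/$key"
    [ -f "$f" ] || { echo "missing $f (kernel lacks $key support?)" >&2; return 1; }
    echo "$val" > "$f" || return 1
    [ "$(cat "$f")" = "$val" ]
}

# conntrack=1 syncs LVS and Netfilter conntrack; snat_reroute only matters
# when the balancer also performs SNAT.
lvs_enable_conntrack() {
    lvs_proc_ready || { echo "LVS sysctl tree $VS_DIR not present" >&2; return 1; }
    lvs_set conntrack 1 || return 1
    if [ "$USE_SNAT" = 1 ]; then lvs_set snat_reroute 1 || return 1; fi
}

# With heartbeat owning the VIPs, ADD_IP_ALIASES must be No; otherwise both
# balancers bring every VIP up at once.
check_add_ip_aliases() {
    v=$(sed -n 's/^[[:space:]]*ADD_IP_ALIASES=\(.*\)$/\1/p' "$SHOREWALL_CONF" \
        | tail -n 1 | sed 's/#.*//' | tr -d "\"' ")
    case "$v" in
        [Nn][Oo]) return 0 ;;
        *) echo "ADD_IP_ALIASES=${v:-<unset>}; set it to No" >&2; return 1 ;;
    esac
}

# Run the checks only when invoked as: sh initdone-check.sh apply
if [ "${1:-}" = apply ]; then
    check_add_ip_aliases
    lvs_enable_conntrack
fi
```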