[LARTC] Load Balancer setting for Public Servers
Sureerat P. (EQHO)
sureerat.pha@eqho.com
Wed Feb 16 11:16:07 CET 2005
Hello Nguyen Dinh Nam,
Thank you for your reply. Could you please also suggest how to fix the problem? Do you mean that I should not follow the nano howto? Kindly provide me some clue. Thank you.
Best regards,
Sureerat P.
-----Original Message-----
From: Nguyen Dinh Nam [mailto:64vn@cardvn.net]
Sent: Wednesday, February 16, 2005 5:29 PM
To: Sureerat P. (EQHO)
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Load Balancer setting for Public Servers
You are facing the CONNMARK problem! Everyone who follows the nano howto faces the CONNMARK problem, no need to read your config :)
Sureerat P. (EQHO) wrote:
> Hello,
>
> I have finished setting up the load balancer with IPROUTE ... also patched the kernel to support DGD, and now it's working fine with the valuable guide at the LARTC website, Julian Anastasov, and the kind people in this mailing list. Now I would like to launch a web server and an ftp server to the public, but I'm stuck on a problem and really need your help.
>
> Currently internal users can access the internet and the load balancing feature is working well, but users in the external network can't access my servers. Please, someone, help investigate my config and suggest what is wrong or missing. Thank you very much.
>
> My network design is like this:
>
>   +----------+    +----------+    +----------+
>   |   ISP1   |    |   ISP2   |    |   ISP3   |
>   +----------+    +----------+    +----------+
>        |               |               |
>        |               |               |
>        |        +--------------+       |
>        |________| LoadBalancer |_______|
>                 +--------------+
>                        |
>                        |
>                 +--------------+
>        _________|   Firewall   |_________
>        |        +--------------+        |
>        |               |                |
>        |               |                |
>   +----------+    +----------+    +----------+
>   |Web Server|    |FTP Server|    |   LAN    |
>   +----------+    +----------+    +----------+
>
> eth0 - Internal Network
> -----------------------
> IP = 10.0.0.1/24
>
> eth1 - route to ISP1
> --------------------
> IP = 213.244.0.254/24
> GW = 213.244.0.1
>
> eth2 - route to ISP2
> --------------------
> IP = 222.240.0.254/24
> GW = 222.240.0.1
>
> eth3 - route to ISP3
> --------------------
> IP = 201.10.0.254/24
> GW = 201.10.0.1
>
> Public Server
> -------------
> Web Server = 213.244.0.30
> FTP Server = 213.244.0.31
> (Firewall = 213.244.0.20)
>
> Firewall
> --------
> Interface to LoadBalancer = 10.0.0.254
> Interface to Web Server = 10.0.0.30
> Interface to FTP Server = 10.0.0.31
>
> Following is my configuration:
> ------------------------------
> ip address add 10.0.0.1/24 brd + dev eth0
> ip address add 213.244.0.254/24 brd + dev eth1
> ip address add 222.240.0.254/24 brd + dev eth2
> ip address add 201.10.0.254/24 brd + dev eth3
> ip rule add prio 5 table main
> ip route add default via 213.244.0.1 dev eth1 src 213.244.0.254 proto static table 10
> ip route append prohibit default table 10 metric 1 proto static
> ip route add default via 222.240.0.1 dev eth2 src 222.240.0.254 proto static table 20
> ip route append prohibit default table 20 metric 1 proto static
> ip route add default via 201.10.0.1 dev eth3 src 201.10.0.254 proto static table 30
> ip route append prohibit default table 30 metric 1 proto static
> ip rule add prio 10 from 213.244.0.0/24 table 10
> ip rule add prio 20 from 222.240.0.0/24 table 20
> ip rule add prio 30 from 201.10.0.0/24 table 30
> ip rule add prio 40 table 40
> ip route add default table 40 proto static nexthop via 213.244.0.1 dev eth1 weight 1 nexthop via 222.240.0.1 dev eth2 weight 1 nexthop via 201.10.0.1 dev eth3 weight 1
> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
> iptables -t filter -N keep_state
> iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -t filter -A keep_state -j RETURN
> iptables -t nat -N keep_state
> iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -t nat -A keep_state -j RETURN
> iptables -t nat -A PREROUTING -j keep_state
> iptables -t nat -A POSTROUTING -j keep_state
> iptables -t nat -A OUTPUT -j keep_state
> iptables -t filter -A INPUT -j keep_state
> iptables -t filter -A FORWARD -j keep_state
> iptables -t filter -A OUTPUT -j keep_state
> iptables -t nat -I PREROUTING -d 213.244.0.20 -j DNAT --to 10.0.0.254
> iptables -t nat -I PREROUTING -d 213.244.0.30 -j DNAT --to 10.0.0.30
> iptables -t nat -I PREROUTING -d 213.244.0.31 -j DNAT --to 10.0.0.31
> Best regards,
>
> Sureerat P.
>
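Added example (not code from this thread or from the LARTC howto): the CONNMARK arrangement Nguyen refers to, applied to the interfaces, addresses and table numbers quoted in Sureerat's config above. The reason the quoted config fails for inbound connections is that a reply from 10.0.0.30 is only un-DNATed back to 213.244.0.30 in nat POSTROUTING, after the routing decision, so the `from 213.244.0.0/24` rule never matches it and the reply falls through to the round-robin table 40 and may leave via the wrong ISP. Saving the ingress link in the connection mark and routing replies on that mark fixes this. The mark values (mark equal to table number) and the rule priorities 11/21/31 are assumptions made for this example; the script prints the commands by default and only applies them when run as root with `RUN=""`.

```shell
#!/bin/sh
# Added example, not code from the thread: CONNMARK return-path routing for
# the DNATed servers. Interface names, addresses and table numbers are those
# quoted in Sureerat's config; the mark values (mark == table number) and the
# rule priorities 11/21/31 are assumptions made for this example.
#
# Dry run by default: every command is printed, not executed. Run with
# RUN="" (as root, with the CONNMARK match/target available) to apply.
RUN="${RUN-echo}"

run() { $RUN "$@"; }

connmark_rules() {
    # 1. A NEW connection arriving on an ISP link gets that link's mark saved
    #    in conntrack. conntrack runs before mangle PREROUTING, so the state
    #    match already works here.
    for spec in eth1:10 eth2:20 eth3:30; do
        dev=${spec%%:*}
        mark=${spec##*:}
        run iptables -t mangle -A PREROUTING -i "$dev" -m state --state NEW \
            -j CONNMARK --set-mark "$mark"
    done

    # 2. Replies from the servers come back in on eth0 with source 10.0.0.30
    #    or .31: their source is rewritten to 213.244.0.x only in nat
    #    POSTROUTING, i.e. after the routing decision, so the
    #    'from 213.244.0.0/24' rule never sees them. Copy the saved mark onto
    #    the packet so the routing decision can use it instead.
    run iptables -t mangle -A PREROUTING -i eth0 -j CONNMARK --restore-mark
    # Same for replies generated by the balancer itself.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

    # 3. Marked packets use the table of the link they arrived on. Priorities
    #    sit just after the matching 'from' rule and before table 40, so the
    #    round-robin default never applies to a reply.
    for mark in 10 20 30; do
        run ip rule add prio $((mark + 1)) fwmark "$mark" table "$mark"
    done
}

# Print (or, with RUN="", apply) the rules.
connmark_rules
```

After applying, `ip rule show` should list the three fwmark rules between the `from` rules and `40: from all lookup 40`, and `iptables -t mangle -L PREROUTING -v` shows the set-mark counters increasing only for connections that arrive on eth1-eth3. The existing MASQUERADE rule does not interfere with the replies: the nat table is consulted only for the first packet of a connection, and the DNAT mapping is already in place for these flows. The `prohibit default ... metric 1` entries in tables 10/20/30 can stay as they are.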