Hello,

I have finished setting up the load balancer with IPROUTE, and also patched the kernel to support DGD, and now it's working fine thanks to the valuable guide at the LARTC website, Julian Anastasov, and the kind people on this mailing list. Now I would like to launch a web server and an FTP server to the public, but I'm stuck on a problem and really need your help.

Currently internal users can access the internet and the load balancing feature is working well, but users in the external network can't access my servers. Could someone please help investigate my config and suggest what is wrong or missing? Thank you very much.

My network design is like this:
+----------+   +----------+   +----------+
|   ISP1   |   |   ISP2   |   |   ISP3   |
+----------+   +----------+   +----------+
     |              |              |
     |       +--------------+      |
     +-------| LoadBalancer |------+
             +--------------+
                    |
             +--------------+
             |   Firewall   |
             +--------------+
                    |
     +--------------+--------------+
     |              |              |
+----------+   +----------+   +----------+
|Web Server|   |FTP Server|   |   LAN    |
+----------+   +----------+   +----------+
eth0 - Internal Network
-----------------------
IP = 10.0.0.1/24

eth1 - route to ISP1
--------------------
IP = 213.244.0.254/24
GW = 213.244.0.1

eth2 - route to ISP2
--------------------
IP = 222.240.0.254/24
GW = 222.240.0.1

eth3 - route to ISP3
--------------------
IP = 201.10.0.254/24
GW = 201.10.0.1

Public Server
-------------
Web Server = 213.244.0.30
FTP Server = 213.244.0.31
(Firewall = 213.244.0.20)

Firewall
--------
Interface to LoadBalancer = 10.0.0.254
Interface to Web Server = 10.0.0.30
Interface to FTP Server = 10.0.0.31
Following is my configuration:
-----------------------------
ip address add 10.0.0.1/24 brd + dev eth0
ip address add 213.244.0.254/24 brd + dev eth1
ip address add 222.240.0.254/24 brd + dev eth2
ip address add 201.10.0.254/24 brd + dev eth3
ip rule add prio 5 table main
ip route add default via 213.244.0.1 dev eth1 src 213.244.0.254 proto static table 10
ip route append prohibit default table 10 metric 1 proto static
ip route add default via 222.240.0.1 dev eth2 src 222.240.0.254 proto static table 20
ip route append prohibit default table 20 metric 1 proto static
ip route add default via 201.10.0.1 dev eth3 src 201.10.0.254 proto static table 30
ip route append prohibit default table 30 metric 1 proto static
ip rule add prio 10 from 213.244.0.0/24 table 10
ip rule add prio 20 from 222.240.0.0/24 table 20
ip rule add prio 30 from 201.10.0.0/24 table 30
ip rule add prio 40 table 40
ip route add default table 40 proto static nexthop via 213.244.0.1 dev eth1 weight 1 nexthop via 222.240.0.1 dev eth2 weight 1 nexthop via 201.10.0.1 dev eth3 weight 1
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
iptables -t filter -N keep_state
iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A keep_state -j RETURN
iptables -t nat -N keep_state
iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A keep_state -j RETURN
iptables -t nat -A PREROUTING -j keep_state
iptables -t nat -A POSTROUTING -j keep_state
iptables -t nat -A OUTPUT -j keep_state
iptables -t filter -A INPUT -j keep_state
iptables -t filter -A FORWARD -j keep_state
iptables -t filter -A OUTPUT -j keep_state
iptables -t nat -I PREROUTING -d 213.244.0.20 -j DNAT --to 10.0.0.254
iptables -t nat -I PREROUTING -d 213.244.0.30 -j DNAT --to 10.0.0.30
iptables -t nat -I PREROUTING -d 213.244.0.31 -j DNAT --to 10.0.0.31
Best regards,
Sureerat P.
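As an added illustration (not part of the message above, and not the poster's script), here is a small Python model of the policy routing lookup built from the ip rule / ip route commands posted, showing which table a packet lands in depending on the source address seen at routing time. It assumes what netfilter does for a DNAT'd connection: the reply's source is rewritten back to 213.244.0.30 only in POSTROUTING, after the routing decision, so the web server's reply is routed with source 10.0.0.30; the client address 198.51.100.7 is constructed.

```python
import ipaddress

# Constructed model of the Linux policy routing database built from the
# ip rule / ip route commands above (added example, not the poster's script
# or kernel code). A table with no route for the destination is skipped.
RULES = [  # (prio, "from" selector or None, table)
    (5, None, "main"),
    (10, "213.244.0.0/24", 10),
    (20, "222.240.0.0/24", 20),
    (30, "201.10.0.0/24", 30),
    (40, None, 40),
]
# table -> (prefix, metric, nexthop list or "prohibit"); main = connected nets
TABLES = {
    "main": [("10.0.0.0/24", 0, ["dev eth0"]), ("213.244.0.0/24", 0, ["dev eth1"]),
             ("222.240.0.0/24", 0, ["dev eth2"]), ("201.10.0.0/24", 0, ["dev eth3"])],
    10: [("0.0.0.0/0", 0, ["via 213.244.0.1 dev eth1"]), ("0.0.0.0/0", 1, "prohibit")],
    20: [("0.0.0.0/0", 0, ["via 222.240.0.1 dev eth2"]), ("0.0.0.0/0", 1, "prohibit")],
    30: [("0.0.0.0/0", 0, ["via 201.10.0.1 dev eth3"]), ("0.0.0.0/0", 1, "prohibit")],
    40: [("0.0.0.0/0", 0, ["via 213.244.0.1 dev eth1", "via 222.240.0.1 dev eth2",
                           "via 201.10.0.1 dev eth3"])],
}

def table_lookup(table, dst):
    """Longest prefix match, then lowest metric, inside a single table."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, metric, action in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or
                           (net.prefixlen, -metric) > (best[0].prefixlen, -best[1])):
            best = (net, metric, action)
    return None if best is None else best[2]

def rpdb_lookup(src, dst):
    """Return (table, route) the RPDB picks for a packet with this src/dst."""
    src_ip = ipaddress.ip_address(src)
    for _prio, selector, table in sorted(RULES):
        if selector and src_ip not in ipaddress.ip_network(selector):
            continue
        route = table_lookup(table, dst)
        if route is not None:
            return table, route
    return None, None

CLIENT = "198.51.100.7"  # constructed external client address
# LB's own ISP1 source -> table 10; web server reply (source still 10.0.0.30,
# since reverse DNAT runs in POSTROUTING after routing) -> multipath table 40.
print(rpdb_lookup("213.244.0.254", CLIENT), rpdb_lookup("10.0.0.30", CLIENT))
```

On the real load balancer the same question is answered by `ip route get 198.51.100.7 from 10.0.0.30 iif eth0`, which reports the nexthop the kernel actually chooses for that reply.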