Hello Nguyen Dinh Nam,

Thank you for your reply. Could you also suggest how to fix the problem? Do you mean that I should not follow the nano howto? Kindly give me some clue.

Thank you.

Best regards,
Sureerat P.

-----Original Message-----
From: Nguyen Dinh Nam [mailto:64vn@xxxxxxxxxx]
Sent: Wednesday, February 16, 2005 5:29 PM
To: Sureerat P. (EQHO)
Cc: lartc@xxxxxxxxxxxxxxx
Subject: Re: Load Balancer setting for Public Servers

You are facing the CONNMARK problem! Everyone who follows the nano howto faces the CONNMARK problem, no need to read your config :)

Sureerat P. (EQHO) wrote:
> Hello,
>
> I have finished setting up the load balancer with IPROUTE ... I also
> patched the kernel to support DGD, and now it's working fine thanks to the
> valuable guide at the LARTC website, Julian Anastasov, and the kind people
> on this mailing list. Now I would like to open a web server and an
> FTP server to the public, but I'm stuck on a problem and really need
> your help.
>
> Currently internal users can access the internet and the load-balancing
> feature is working well, but users on the external network can't access my
> servers. Could someone please investigate my config and suggest what
> is wrong or missing? Thank you very much.
>
> My network design is like this:
>
> +----------+     +----------+     +----------+
> |   ISP1   |     |   ISP2   |     |   ISP3   |
> +----------+     +----------+     +----------+
>      |               |                |
>      |               |                |
>      |        +--------------+        |
>      |________| LoadBalancer |________|
>               +--------------+
>                      |
>                      |
>               +--------------+
>      _________|   Firewall   |_________
>     |         +--------------+         |
>     |                |                 |
>     |                |                 |
> +----------+   +----------+      +----------+
> |Web Server|   |FTP Server|      |   LAN    |
> +----------+   +----------+      +----------+
>
> eth0 - Internal Network
> -----------------------
> IP = 10.0.0.1/24
>
> eth1 - route to ISP1
> --------------------
> IP = 213.244.0.254/24
> GW = 213.244.0.1
>
> eth2 - route to ISP2
> --------------------
> IP = 222.240.0.254/24
> GW = 222.240.0.1
>
> eth3 - route to ISP3
> --------------------
> IP = 201.10.0.254/24
> GW = 201.10.0.1
>
> Public Server
> -------------
> Web Server = 213.244.0.30
> FTP Server = 213.244.0.31
> (Firewall = 213.244.0.20)
>
> Firewall
> --------
> Interface to LoadBalancer = 10.0.0.254
> Interface to Web Server = 10.0.0.30
> Interface to FTP Server = 10.0.0.31
>
> Following is my configuration:
> -----------------------------
> ip address add 10.0.0.1/24 brd + dev eth0
> ip address add 213.244.0.254/24 brd + dev eth1
> ip address add 222.240.0.254/24 brd + dev eth2
> ip address add 201.10.0.254/24 brd + dev eth3
> ip rule add prio 5 table main
> ip route add default via 213.244.0.1 dev eth1 src 213.244.0.254 proto static table 10
> ip route append prohibit default table 10 metric 1 proto static
> ip route add default via 222.240.0.1 dev eth2 src 222.240.0.254 proto static table 20
> ip route append prohibit default table 20 metric 1 proto static
> ip route add default via 201.10.0.1 dev eth3 src 201.10.0.254 proto static table 30
> ip route append prohibit default table 30 metric 1 proto static
> ip rule add prio 10 from 213.244.0.0/24 table 10
> ip rule add prio 20 from 222.240.0.0/24 table 20
> ip rule add prio 30 from 201.10.0.0/24 table 30
> ip rule add prio 40 table 40
> ip route add default table 40 proto static nexthop via 213.244.0.1 dev eth1 weight 1 nexthop via 222.240.0.1 dev eth2 weight 1 nexthop via 201.10.0.1 dev eth3 weight 1
> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
> iptables -t filter -N keep_state
> iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -t filter -A keep_state -j RETURN
> iptables -t nat -N keep_state
> iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -t nat -A keep_state -j RETURN
> iptables -t nat -A PREROUTING -j keep_state
> iptables -t nat -A POSTROUTING -j keep_state
> iptables -t nat -A OUTPUT -j keep_state
> iptables -t filter -A INPUT -j keep_state
> iptables -t filter -A FORWARD -j keep_state
> iptables -t filter -A OUTPUT -j keep_state
> iptables -t nat -I PREROUTING -d 213.244.0.20 -j DNAT --to 10.0.0.254
> iptables -t nat -I PREROUTING -d 213.244.0.30 -j DNAT --to 10.0.0.30
> iptables -t nat -I PREROUTING -d 213.244.0.31 -j DNAT --to 10.0.0.31
>
> Best regards,
>
> Sureerat P.
>
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
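Editor's note on the "CONNMARK problem" named above: in the quoted config, a connection that arrives from ISP1 for the DNAT'd web server is answered by 10.0.0.30 on eth0, and that reply is routed before its source is translated back to 213.244.0.30, so it never matches the "from 213.244.0.0/24" rule and falls through to table 40's multipath default. The reply can therefore leave via ISP2 or ISP3 with an ISP1 source address, which upstream source filtering will drop. The standard remedy is to remember which uplink a connection entered on (CONNMARK), copy that mark back onto the reply packets, and add fwmark rules that send marked traffic to the matching per-ISP table. The script below is an added example by the editor, not Nguyen Dinh Nam's answer and not part of the LARTC HOWTO; the interface names, gateways and tables 10/20/30 are the poster's, while the mark values 1..3, the rule priorities 11/21/31 and the DRY_RUN switch are assumptions. With DRY_RUN=1 (the default) it only prints the commands so it can be reviewed offline on a host without root or these interfaces.

```shell
#!/bin/sh
# Added example: CONNMARK return-path marking for the three-uplink
# load balancer quoted in this thread. Not the poster's or the list's
# code. Mark values (1..3), rule priorities (table + 1) and the DRY_RUN
# switch are assumptions; interfaces, gateways and tables 10/20/30 come
# from the quoted config.
DRY_RUN="${DRY_RUN:-1}"

# Print the command in a dry run, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Map an uplink interface to "<mark> <table>"; fail for anything else.
uplink_mark_table() {
    case "$1" in
        eth1) echo "1 10" ;;
        eth2) echo "2 20" ;;
        eth3) echo "3 30" ;;
        *) return 1 ;;
    esac
}

# Mark every NEW connection with the number of the uplink it entered on,
# restore that mark onto packets coming back from the LAN side (eth0),
# and route by fwmark to the same ISP's table. Conntrack runs before
# the mangle PREROUTING hook, so -m state and --restore-mark already
# see the connection here. The fwmark rules sit one priority after the
# poster's "from <ISP net>" rules and before the multipath rule 40.
install_connmark_rules() {
    for iface in eth1 eth2 eth3; do
        set -- $(uplink_mark_table "$iface")
        mark=$1; table=$2
        run iptables -t mangle -A PREROUTING -i "$iface" -m state --state NEW \
            -j CONNMARK --set-mark "$mark"
        run ip rule add prio "$((table + 1))" fwmark "$mark" table "$table"
    done
    run iptables -t mangle -A PREROUTING -i eth0 -j CONNMARK --restore-mark
    run ip route flush cache
}

# Number of commands a dry run emits (3 uplinks x 2, plus restore and flush).
rule_count() {
    DRY_RUN=1 install_connmark_rules | wc -l | tr -d ' '
}

install_connmark_rules
```

Run it as-is to see the eight commands it would issue; run it with DRY_RUN=0 as root on the load balancer to apply them. After that, `ip rule` should list the fwmark rules between the per-ISP "from" rules and the multipath rule, and a reply leaving for an ISP1 client should show a source of 213.244.0.30 on eth1 rather than on eth2 or eth3.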