Hello,
I'm doing a master/slave implementation based on the IP masquerading
infrastructure present in the Linux kernel (v2.2), and using the
utilities ipchains (port redirection and IP masquerading) and
ipmasqadm (port forwarding) for configuration. However, I hit a
problem with that and I'd really appreciate it if you could help me
sort it out.
Let's say we have a simple environment as follows:
Masquerador DHost
IHost (Master) (Slave)
---+--- ---+-----+--- ---+---
| | | |
-+---// Internet //---+- -+---// Internal LAN//---+-
When an access from IHost to Masquerador happens, IP masquerading works
roughly as follows (please correct me if I'm wrong):
- Masquerador receives packet from IHost and then checks its portfw
table to learn whether it should be redirected to another host/port
set. If positive, it replaces destination IP by internal LAN IP of
the real destination and sends packet to destination. Let's assume
it's supposed to redirect the connection to DHost.
- DHost receives the packet alledgedly from IHost, and then accepts
the connection. DHost sends the answer to IHost, but as its default
gateway is Masquerador, the packet will go through it.
- Masquerador receives packet from DHost, saves the info about
the packet in a table (src IP, src port, dest IP and dest port),
replaces src IP by own IP and sends packet to IHost.
The problem with that implementation for my application is this:
- DHost has to be in the same internal LAN as Masquerador. I'd like to be
able to set remote slaves, that could be in any location reachable by
the master, regardless of it being in the LAN or somewhere else in the
Internet.
- DHost has to use Masquerador as its default gateway, so if Masquerador
dies, nobody can access DHost, not even directly (assuming the IP
address assigned to it was routeable, access to it would be expected).
To solve this problem, I believe something like this would help:
- Masquerador receives packet from IHost and then checks its portfw
table to learn whether it should be redirected to another host/port
set. If positive, it replaces *src IP by its public net Ethernet IP
address* and the destination IP by internal LAN IP of the real
destination and sends packet to destination. Let's assume it's
supposed to redirect the connection to DHost.
- DHost receives the packet alledgedly from *Masquerador*, and then
accepts the connection. DHost sends the answer to *Masquerador* (no
need to have the default gateway set to it -- it could be set, but
it's not a requirement).
- Masquerador receives packet from DHost, saves the info about
the packet in a table (src IP, src port, dest IP and dest port),
replaces src IP by own IP and sends packet to IHost.
That would allow the DHosts to be anywhere in the network, even in
remote networks across the Internet (I believe).
Questions:
- Is this a consistent / valid model?? Do you see any problems with this
scheme??
- Is there any way to do this using ipchains?? If positive, could
you please give me some directions on how to go about doing it?
- If there is no way to do this using just ipchains, is there any
other "ready-to-go" scheme I could use to make this work?? I'm
thinking whether LVS would help, but I'm not familiar with how LVS
works (plus I have some space constraints, and ipchains is already in
my package, whereas LVS is not ...).
- If none of the above solves my problem, I'd be willing to create
an ipchains module that works the way I need it to. In this case,
could you please give me some pointers on the best current
ipchains kernel module I should use as a starting point?
I hope you can help me, and I thank you in advance for your attention.
Later,
Ivan
-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
