Help with IPF

Dear all,
I have built and configured LVS on my system, with the Director being a Linux server and the cluster nodes being my two FreeBSD servers.
I configured LVS successfully, and based on what I read, on the real server I have to configure something like:
Code:
RealServer1 # iptables -t nat -A PREROUTING -d 172.16.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 80

But iptables works on Linux servers; FreeBSD does not support it. So my problem is how to configure the FreeBSD servers to receive packets from the LVS Director (I use LVS/DR for load balancing).

Thanks all!
 
I mean that I want to set up my cluster like the diagram below.
[attached diagram: kgp10041003.jpg]

For LV1 I use a Linux server, and for the 2 real servers I use FreeBSD servers.
What I need is how to configure the real servers so they can receive the redirected packets that LV1 transfers to them.
 
Hi all,

We believe this may be of some interest to list members, and
apologise in advance for any duplicates you may receive.

We are pleased to announce DIFFUSE v0.1, our first release of a
system enabling FreeBSD's IPFW firewall subsystem to classify IP
traffic based on statistical traffic properties.

With DIFFUSE v0.1, IPFW computes statistics (such as packet lengths
or inter-packet time intervals) for observed flows, and uses
ML (machine learning) techniques to assign flows into classes.
In addition to traditional packet inspection rules, IPFW rules
may now also be expressed in terms of traffic statistics
or classes identified by ML classification. This can be helpful
when direct packet inspection is problematic (perhaps for administrative
reasons, or because port numbers do not reliably identify classes of
applications).

DIFFUSE also enables one instance of IPFW to send flow information
and classes to other IPFW instances, which then can act on such
traffic (e.g. prioritise, accept, deny, etc) according to its class.
This allows for distributed architectures, where classification at
one location in your network is used to control fire-walling or
rate-shaping actions at other locations.

DIFFUSE v0.1 contains an example classifier model for identifying
real-time first person shooter game traffic. In the next release we
will include a classifier model to detect Skype traffic.

The project site (http://caia.swin.edu.au/urp/diffuse) contains a more
comprehensive introduction, including application examples, links to
related work and documentation describing the design of our software.

DIFFUSE v0.1 is a set of patches for FreeBSD-CURRENT, and can be
obtained directly from
http://caia.swin.edu.au/urp/diffuse/downloads.html

The software was developed as part of the DIFFUSE research project at
Swinburne University's Centre for Advanced Internet Architectures. The
project has been made possible in part by a grant from the Cisco
University Research Program Fund at Community Foundation Silicon Valley.

We welcome your feedback and hope you enjoy playing with the code and
tools.

Cheers,

Sebastian Zander and Grenville Armitage

http://caia.swin.edu.au

http://caia.swin.edu.au/urp/diffuse/
It's available in -CURRENT.
 
I am not an LVS user, but I assume that LV1 is not altering the incoming packets and is just forwarding the packet to the real server/next hop, and that the gateway of the real server is LV1, which alters the reply packets and replaces the source IP in the packet with its own IP. Otherwise it makes no sense that it can work. (If you have given the wrong iptables workaround and diagram, then don't blame me.)

If you decide to use ipfw, an example rule on the Real Server would be something like:

Code:
ipfw add 100 fwd 172.26.0.101,80 tcp from any to 172.26.0.1 dst-port 80

I think the ipfw forward option is still not in the kernel by default. It's better if you compile the kernel with ipfw forward and the other options as described in the docs:

Code:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD

And you will need to enable IP forwarding on the Real Server, otherwise it will simply drop the packet because it's destined for 172.26.0.1. So you will need to add this to /etc/rc.conf:

Code:
gateway_enable="YES"


In the case of PF, enable IP forwarding and the example rule will be like this (replace fxp0 with your interface name):

Code:
rdr on fxp0 proto tcp from any to 172.26.0.1 port 80 -> 172.26.0.101 port 80


Regards
usman
 
Thanks for all the replies.
But I mean that LV1 is a load balancer. It forwards the clients' request packets to the real servers, and then the real servers directly send the responses to the clients. However, the clients do not know the real servers; they just know LV1 (the virtual IP address). And what I need is how to configure the real servers to send responses to the clients with the source IP address being the virtual IP address.

Best regards
Hai.Nguyen
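Added example, not from anyone in this thread: the fwd/rdr rules above hand the packet to the real server's own address (172.26.0.101), so its reply would carry that address, which is exactly the problem in the last post. In LVS/DR the director only rewrites the destination MAC; the packet still arrives addressed to the VIP. The usual way to make a FreeBSD real server accept it and answer from the VIP is to add the VIP as a /32 alias on lo0 (lo0 does not answer ARP, so only the director keeps replying for the VIP). The VIP 172.26.0.1 is taken from usman's example, the rc.conf variable name is the standard FreeBSD one, and the `ifconfig lo0` output below is a constructed sample used by the check function:

```shell
#!/bin/sh
# Added example (not from the thread): set up and verify a FreeBSD real server
# for LVS/DR by holding the VIP as a /32 alias on lo0. A socket bound to the
# VIP (or to INADDR_ANY) then answers from the VIP, with no NAT/fwd rule needed.
VIP="${VIP:-172.26.0.1}"   # VIP from usman's example; override with VIP=... env

# Lines for /etc/rc.conf so the alias survives a reboot.
rc_conf_lines() {
    printf 'ifconfig_lo0_alias0="inet %s netmask 255.255.255.255"\n' "$1"
}

# One-off command for the running system (needs root).
apply_vip_alias() {
    ifconfig lo0 alias "$1" netmask 255.255.255.255
}

# Check: does the given `ifconfig lo0` output carry the VIP as a /32 alias?
# FreeBSD prints a /32 mask as 0xffffffff. Returns 0 if present, 1 otherwise.
# Fixed-string match (-F) so the dots in the address are not regex wildcards;
# the trailing " netmask" keeps 172.26.0.1 from matching 172.26.0.10.
vip_on_lo0() {
    # $1 = ifconfig output text, $2 = VIP
    printf '%s\n' "$1" | grep -qF -- "inet $2 netmask 0xffffffff"
}

# Constructed sample output of `ifconfig lo0` on a correctly configured node...
SAMPLE_OK='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet 172.26.0.1 netmask 0xffffffff'
# ...and on a node that still lacks the alias.
SAMPLE_MISSING='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

case "${1:-}" in
    apply)  apply_vip_alias "$VIP" ;;
    rcconf) rc_conf_lines "$VIP" ;;
    check)  if vip_on_lo0 "$(ifconfig lo0)" "$VIP"; then
                echo "VIP $VIP present on lo0"
            else
                echo "VIP $VIP missing on lo0"; exit 1
            fi ;;
esac
```

Run `sh dr-realserver.sh rcconf` to print the rc.conf lines, `apply` as root for the running system, and `check` afterwards to confirm the alias is there; the service must listen on the VIP (or on all addresses) for the reply to leave with the VIP as its source.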
 