This post was last edited by like310101 on 2012-06-12 08:27
I deployed an environment with OpenStack + KVM and started two virtual machines, serving as the LVS node and the RS node respectively (LVS in DR mode):
The RS has two IPs: the real IP 172.16.0.10 and the LVS VIP 172.16.0.252.
I need packets sent from the RS with source address 172.16.0.252 to be SNATed, so I added a rule on the RS:
iptables -t nat -I POSTROUTING -s 172.16.0.252 -j SNAT --to 192.168.4.252
But this rule has no effect; iptables -t nat -nL -x -v shows the following:
[root@server-6 ~]# iptables -t nat -nL -x -v
Chain PREROUTING (policy ACCEPT 1264 packets, 54400 bytes)
pkts bytes target prot opt in out source destination
9 540 REDIRECT tcp -- * * 0.0.0.0/0 172.16.0.252 tcp dpt:8080
Chain POSTROUTING (policy ACCEPT 24 packets, 7872 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 172.16.0.252 0.0.0.0/0 to:192.168.4.252
Chain OUTPUT (policy ACCEPT 24 packets, 7872 bytes)
pkts bytes target prot opt in out source destination
tcpdump shows that packets with source address 172.16.0.252 are not being rewritten to 192.168.4.252:
[root@server-6 ~]# tcpdump host 10.74.213.14 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
23:37:40.216211 IP 10.74.213.14.ssslog-mgr > 172.16.0.252.webcache: Flags [S], seq 427543233, win 5840, options [mss 1460,sackOK,TS val 1031074110 ecr 0,nop,wscale 7], length 0
23:37:40.216267 IP 172.16.0.252.webcache > 10.74.213.14.ssslog-mgr: Flags [S.], seq 2876869229, ack 427543234, win 5792, options [mss 1460,sackOK,TS val 22442 ecr 1031074110,nop,wscale 7], length 0
23:37:43.215100 IP 10.74.213.14.accord-mgc > 172.16.0.252.webcache: Flags [S], seq 427543233, win 5840, options [mss 1460,sackOK,TS val 1031077110 ecr 0,nop,wscale 7], length 0
23:37:43.215154 IP 172.16.0.252.webcache > 10.74.213.14.accord-mgc: Flags [S.], seq 2929165881, ack 427543234, win 5792, options [mss 1460,sackOK,TS val 25441 ecr 1031077110,nop,wscale 7], length 0
23:37:43.806707 IP 172.16.0.252.webcache > 10.74.213.14.ssslog-mgr: Flags [S.], seq 2876869229, ack 427543234, win 5792, options [mss 1460,sackOK,TS val 26033 ecr 1031074110,nop,wscale 7], length 0
23:37:44.606704 IP 172.16.0.252.webcache > 10.74.213.14.dmidi: Flags [S.], seq 1453381826, ack 3313716538, win 5792, options [mss 1460,sackOK,TS val 26833 ecr 1030984301,nop,wscale 7], length 0
23:37:46.806711 IP 172.16.0.252.webcache > 10.74.213.14.accord-mgc: Flags [S.], seq 2929165881, ack 427543234, win 5792, options [mss 1460,sackOK,TS val 29033 ecr 1031077110,nop,wscale 7], length 0
23:37:48.006716 IP 172.16.0.252.webcache > 10.74.213.14.scol: Flags [S.], seq 1499210261, ack 3313716538, win 5792, options [mss 1460,sackOK,TS val 30233 ecr 1030987301,nop,wscale 7], length 0
23:37:49.214910 IP 10.74.213.14.anthony-data > 172.16.0.252.webcache: Flags [S], seq 427543233, win 5840, options [mss 1460,sackOK,TS val 1031083110 ecr 0,nop,wscale 7], length 0
Also, testing shows that if the RS initiates the request, SNAT works fine; if the RS is responding to a request from outside, SNAT does not take effect.
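An added example (mine, not from this thread) that models why the POSTROUTING SNAT counter stays at 0 for the SYN-ACKs above: netfilter evaluates the nat table only for the first packet of a connection, and every reply packet simply undoes the mapping conntrack stored when the incoming SYN hit the REDIRECT rule, so the SNAT rule is never consulted for replies. Assumed: eth1's primary address is 172.16.0.10 (REDIRECT's target), TCP only, and the port numbers are constructed.

```python
from typing import NamedTuple

VIP, SNAT_TO = "172.16.0.252", "192.168.4.252"   # addresses from the post
CLIENT, RS_IP = "10.74.213.14", "172.16.0.10"     # client from the capture; eth1 primary addr (assumed)
RULES_HIT = []                                    # nat rules actually evaluated, in order
conntrack = {}   # original-direction Pkt -> Pkt after NAT; reply packets are derived from it


class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Pkt(self.dst, self.dport, self.src, self.sport)


def nat_new(p, local_origin):
    """nat table traversal, run ONLY for the first packet of a connection (conntrack state NEW)."""
    if not local_origin and p.dst == VIP and p.dport == 8080:   # PREROUTING: REDIRECT tcp dpt:8080
        RULES_HIT.append("REDIRECT")
        p = p._replace(dst=RS_IP)   # REDIRECT rewrites dst to the incoming interface's primary address
    if p.src == VIP:                                             # POSTROUTING: SNAT -s VIP --to 192.168.4.252
        RULES_HIT.append("SNAT")
        p = p._replace(src=SNAT_TO)
    return p


def traverse(p, local_origin):
    """Return the packet as it leaves the host (or as it is delivered to the local socket)."""
    if p in conntrack:                          # original direction, ESTABLISHED: reuse the mapping
        return conntrack[p]
    for orig, xl in conntrack.items():          # reply direction: conntrack undoes the stored mapping;
        if p == xl.reverse():                   # the nat table (and so the SNAT rule) is never consulted
            return orig.reverse()
    xl = nat_new(p, local_origin)               # NEW connection: the only time nat rules are evaluated
    conntrack[p] = xl
    return xl


def demo():
    """Replay the two cases from the post: RS answering a client, and RS originating a connection."""
    conntrack.clear()
    del RULES_HIT[:]
    syn = Pkt(CLIENT, 40000, VIP, 8080)                        # external SYN to the VIP, hits REDIRECT
    at_socket = traverse(syn, local_origin=False)
    syn_ack = traverse(at_socket.reverse(), local_origin=True)  # the RS's SYN-ACK: a reply packet
    rs_syn = Pkt(VIP, 50000, CLIENT, 80)                       # connection the RS itself originates
    return syn_ack, traverse(rs_syn, local_origin=True), list(RULES_HIT)
```

`demo()` returns the SYN-ACK still sourced from 172.16.0.252, the RS-originated SYN sourced from 192.168.4.252, and `['REDIRECT', 'SNAT']` as the only rule evaluations, matching the counters and capture in the post.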