Chinaunix

标题: ipvsadm 转发问题 [打印本页]

作者: skywh_2001 时间: 2007-05-15 09:04
标题: ipvsadm 转发问题
负载均衡器的双网卡，对内是10.0.0.1 对外是192.168.0.24

NAT模式具体配置和状况如下：

1$echo 1 > /proc/sys/net/ipv4/ip_forward
2.ipvsadm -C
ipvsadm -A -t 192.168.0.24:21 -s rr
ipvsadm -a -t 192.168.0.24:21 -r 10.0.0.11:21 -m
ipvsadm -a -t 192.168.0.24:21 -r 10.0.0.12:21 -m
ipvsadm -a -t 192.168.0.24:21 -r 10.0.0.13:21 -m

3.配置real server ip 地址，指定网关为10.0.0.1
全部设置vsftpd服务器

客户端是windows
通过ftp链接192.168.0.24，在lvs服务器上看到有分发，但是全部都没有连接上。
请高手指点WHY
[root@localhost ~]# ipvsadm -Ln
IP Virtual Server version 1.2.21 (size=4096)
Prot LocalAddressort Scheduler Flags
-> RemoteAddressort Forward Weight ActiveConn InActConn
TCP 192.168.0.24:21 rr
-> 192.168.0.24:21 Masq 1 0 1
-> 192.168.0.24:21 Masq 1 0 1
-> 192.168.0.24:21 Masq 1 0 1

[ 本帖最后由 skywh_2001 于 2007-5-15 09:16 编辑 ]

作者: qtdszws 时间: 2007-05-15 09:19
ipvsadm -Lcn
看看有没有连接?

1.关闭vs和rs上的iptables
2.insmod ip_vs_ftp

作者: skywh_2001 时间: 2007-05-15 10:31
ipvsadm -Lcn
出现了一次
IPVS connection entires
pro expire state       source                      virtual                destination
Tcp 00:58    SYN_RECV 192.168.0.188:1060 192.168.0.24:21 10.0.0.11:21
Tcp 00:59    SYN_RECV 192.168.0.188:1062 192.168.0.24:21 10.0.0.12:21
Tcp 00:56    SYN_RECV 192.168.0.188:1061 192.168.0.24:21 10.0.0.13:21

而后ipvsadm -Lcn
没有任何信息

客户端：ftp：connect：未知错误

insmod ip_vs_ftp在哪台机器？VS?RS? 此模块在哪儿？

[ 本帖最后由 skywh_2001 于 2007-5-15 10:33 编辑 ]

作者: qtdszws 时间: 2007-05-15 10:37
你的rs正常吗?收到数据包并做出响应了吗?
1.在rs上tcpdump -i eth0 -nnn
2.nestat -an查看连接状态

ip_vs_ftp在vs上insmod

作者: skywh_2001 时间: 2007-05-15 11:01
tcpdump -i eth0 -nnn的结果

15:01:26.970037 IP 192.168.0.188.138 > 192.168.0.255.138: NBT UDP PACKET(13

15:02:32.296146 IP 192.168.0.188.138 > 192.168.0.255.138: NBT UDP PACKET(13

15:04:52.884608 arp who-has 192.168.0.24 tell 192.168.0.188
15:04:52.888309 arp who-has 10.0.0.13 tell 10.0.0.1
15:05:37.777385 arp who-has 10.0.0.12 tell 10.0.0.1
15:05:37.777410 arp reply 10.0.0.12 is-at 00:19:5b:69:d0:6f
15:05:37.777472 IP 192.168.0.188.1040 > 10.0.0.12.21: S 419494914:419494914(0) win 65535 <mss 1460,nop,nop,sackOK>
15:05:37.777567 IP 10.0.0.12.21 > 192.168.0.188.1040: S 3744967018:3744967018(0) ack 419494915 win 5840 <mss 1460,nop,nop,sackOK>
15:05:40.789996 IP 192.168.0.188.1040 > 10.0.0.12.21: S 419494914:419494914(0) win 65535 <mss 1460,nop,nop,sackOK>
15:05:40.790046 IP 10.0.0.12.21 > 192.168.0.188.1040: S 3744967018:3744967018(0) ack 419494915 win 5840 <mss 1460,nop,nop,sackOK>
15:05:40.977576 IP 10.0.0.12.21 > 192.168.0.188.1040: S 3744967018:3744967018(0) ack 419494915 win 5840 <mss 1460,nop,nop,sackOK>
15:05:42.777647 arp who-has 10.0.0.1 tell 10.0.0.12
15:05:42.777746 arp reply 10.0.0.1 is-at 00:0d:88:47:66:2a
15:05:46.805448 IP 192.168.0.188.1040 > 10.0.0.12.21: S 419494914:419494914(0) win 65535 <mss 1460,nop,nop,sackOK>
15:05:46.805498 IP 10.0.0.12.21 > 192.168.0.188.1040: S 3744967018:3744967018(0) ack 419494915 win 5840 <mss 1460,nop,nop,sackOK>
15:05:46.977817 IP 10.0.0.12.21 > 192.168.0.188.1040: S 3744967018:3744967018(0) ack 419494915 win 5840 <mss 1460,nop,nop,sackOK>
15:05:48.921648 arp who-has 10.0.0.11 tell 10.0.0.1
15:05:49.921678 arp who-has 10.0.0.11 tell 10.0.0.1
15:05:50.921704 arp who-has 10.0.0.11 tell 10.0.0.1
15:05:51.949716 arp who-has 10.0.0.11 tell 10.0.0.1
15:05:52.949750 arp who-has 10.0.0.11 tell 10.0.0.1
15:05:53.949765 arp who-has 10.0.0.11 tell 10.0.0.1
15:05:57.965867 arp who-has 10.0.0.11 tell 10.0.0.1
15:05:58.965894 arp who-has 10.0.0.11 tell 10.0.0.1
15:05:58.978325 IP 10.0.0.12.21 > 192.168.0.188.1040: S 3744967018:3744967018(0) ack 419494915 win 5840 <mss 1460,nop,nop,sackOK>
15:05:59.965921 arp who-has 10.0.0.11 tell 10.0.0.1
15:06:23.179307 IP 10.0.0.12.21 > 192.168.0.188.1040: S 3744967018:3744967018(0) ack 419494915 win 5840 <mss 1460,nop,nop,sackOK>
15:06:26.960923 IP 192.168.0.188.138 > 192.168.0.255.138: NBT UDP PACKET(13

15:06:28.179474 arp who-has 10.0.0.1 tell 10.0.0.12
15:06:28.179565 arp reply 10.0.0.1 is-at 00:0d:88:47:66:2a
15:07:11.381243 IP 10.0.0.12.21 > 192.168.0.188.1040: S 3744967018:3744967018(0) ack 419494915 win 5840 <mss 1460,nop,nop,sackOK>
15:07:16.381412 arp who-has 10.0.0.1 tell 10.0.0.12
15:07:16.381500 arp reply 10.0.0.1 is-at 00:0d:88:47:66:2a

[root@localhost ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address             Foreign Address          State
tcp       0    0 127.0.0.1:2208             0.0.0.0:*                LISTEN
tcp       0    0 0.0.0.0:111                   0.0.0.0:*                LISTEN
tcp       0    0 0.0.0.0:21                   0.0.0.0:*                LISTEN
tcp       0    0 10.0.0.12:21                192.168.0.188:1045       SYN_RECV
tcp       0    0 127.0.0.1:25                0.0.0.0:*                LISTEN
tcp       0    0 0.0.0.0:636                   0.0.0.0:*                LISTEN
tcp       0    0 :::22                            :::*                      LISTEN
tcp       0    0 ::1:631                            :::*                      LISTEN
udp       0    0 0.0.0.0:32768             0.0.0.0:*
udp       0    0 0.0.0.0:5353             0.0.0.0:*
udp       0    0 0.0.0.0:111                0.0.0.0:*
udp       0    0 0.0.0.0:630                0.0.0.0:*
udp       0    0 0.0.0.0:631                0.0.0.0:*
udp       0    0 0.0.0.0:633                0.0.0.0:*
udp       0    0 :::32769                   :::*
udp       0    0 :::5353                   :::*

[ 本帖最后由 skywh_2001 于 2007-5-15 15:34 编辑 ]

作者: qtdszws 时间: 2007-05-15 16:45
echo 1 > /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward

作者: skywh_2001 时间: 2007-05-15 17:36
在vs上已经改过了

[root@localhost ~]# tcpdump -i eth0 -nnn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:16:35.424636 arp who-has 192.168.0.24 tell 192.168.0.188
17:16:35.430472 arp who-has 10.0.0.1 tell 10.0.0.12
17:16:39.186547 arp who-has 10.0.0.1 tell 10.0.0.11
17:16:43.314420 IP 192.168.0.188.1078 > 10.0.0.13.21: S 3412756079:3412756079(0) win 65535 <mss 1460,nop,nop,sackOK>
17:16:43.316029 arp who-has 10.0.0.1 tell 10.0.0.13
17:16:43.316097 arp reply 10.0.0.1 is-at 00:0d:88:47:66:2a
17:16:43.316103 IP 10.0.0.13.21 > 192.168.0.188.1078: S 3134671584:3134671584(0) ack 3412756080 win 5840 <mss 1460,nop,nop,sackOK>
17:16:46.182356 IP 192.168.0.188.1078 > 10.0.0.13.21: S 3412756079:3412756079(0) win 65535 <mss 1460,nop,nop,sackOK>
17:16:46.182407 IP 10.0.0.13.21 > 192.168.0.188.1078: S 3134671584:3134671584(0) ack 3412756080 win 5840 <mss 1460,nop,nop,sackOK>
17:16:47.112361 IP 10.0.0.13.21 > 192.168.0.188.1078: S 3134671584:3134671584(0) ack 3412756080 win 5840 <mss 1460,nop,nop,sackOK>
17:16:51.180172 arp who-has 10.0.0.13 tell 10.0.0.1
17:16:51.180193 arp reply 10.0.0.13 is-at 00:19:5b:82:7a:97
17:16:52.203125 IP 192.168.0.188.1078 > 10.0.0.13.21: S 3412756079:3412756079(0) win 65535 <mss 1460,nop,nop,sackOK>
17:16:52.203175 IP 10.0.0.13.21 > 192.168.0.188.1078: S 3134671584:3134671584(0) ack 3412756080 win 5840 <mss 1460,nop,nop,sackOK>
17:16:53.312859 IP 10.0.0.13.21 > 192.168.0.188.1078: S 3134671584:3134671584(0) ack 3412756080 win 5840 <mss 1460,nop,nop,sackOK>
17:17:05.313823 IP 10.0.0.13.21 > 192.168.0.188.1078: S 3134671584:3134671584(0) ack 3412756080 win 5840 <mss 1460,nop,nop,sackOK>
17:17:10.314194 arp who-has 10.0.0.1 tell 10.0.0.13
17:17:10.314282 arp reply 10.0.0.1 is-at 00:0d:88:47:66:2a
17:17:29.315747 IP 10.0.0.13.21 > 192.168.0.188.1078: S 3134671584:3134671584(0) ack 3412756080 win 5840 <mss 1460,nop,nop,sackOK>
17:18:17.519616 IP 10.0.0.13.21 > 192.168.0.188.1078: S 3134671584:3134671584(0) ack 3412756080 win 5840 <mss 1460,nop,nop,sackOK>
17:18:22.519988 arp who-has 10.0.0.1 tell 10.0.0.13
17:18:22.520077 arp reply 10.0.0.1 is-at 00:0d:88:47:66:2a

客户端windows状况依旧，仍无连接
ftp:connect:未知错误号

[ 本帖最后由 skywh_2001 于 2007-5-15 17:39 编辑 ]

作者: qtdszws 时间: 2007-05-15 17:40
你的ftp服务已经收到连接请求，并做出应答，但是客户端收不到，因此有重发现象。

在rs->vs->client中某个地方有问题

1.你的默认路由是经过vs吗?
2.你能ping vs吗?

作者: skywh_2001 时间: 2007-05-15 20:40
VS双网卡，对内是10.0.0.1 对外是192.168.0.24
配置real server ip 地址，指定网关为10.0.0.1

rs能ping通vs

作者: qtdszws 时间: 2007-05-16 08:38
1.关闭vs上iptables
service iptables stop

2.在vs内网网卡上

tcpdump -i eth1 -nnn 'tcp and port 21'
看看输出

作者: skywh_2001 时间: 2007-05-16 08:38
我已经关过所有的iptables了
在VS上tcpdump 内网网卡的输出
[root@localhost ~]# tcpdump -i eth0 -nnn 'tcp and port 21'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:46:50.782895 IP 10.0.0.11.21 > 192.168.0.188.1064: S 3075687295:3075687295(0) ack 3437986087 win 5840 <mss 1460,nop,nop,sackOK>
08:47:34.769050 IP 192.168.0.188.1066 > 192.168.0.24.21: S 2974719318:2974719318(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:34.769090 IP 192.168.0.188.1066 > 10.0.0.13.21: S 2974719318:2974719318(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:34.769208 IP 10.0.0.13.21 > 192.168.0.188.1066: S 3170196575:3170196575(0) ack 2974719319 win 5840 <mss 1460,nop,nop,sackOK>
08:47:37.670026 IP 192.168.0.188.1066 > 192.168.0.24.21: S 2974719318:2974719318(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:37.670057 IP 192.168.0.188.1066 > 10.0.0.13.21: S 2974719318:2974719318(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:37.670165 IP 10.0.0.13.21 > 192.168.0.188.1066: S 3170196575:3170196575(0) ack 2974719319 win 5840 <mss 1460,nop,nop,sackOK>
08:47:38.178682 IP 192.168.0.188.1067 > 192.168.0.24.21: S 2544506208:2544506208(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:38.178719 IP 192.168.0.188.1067 > 10.0.0.12.21: S 2544506208:2544506208(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:38.178840 IP 10.0.0.12.21 > 192.168.0.188.1067: S 3161029355:3161029355(0) ack 2544506209 win 5840 <mss 1460,nop,nop,sackOK>
08:47:38.568037 IP 10.0.0.13.21 > 192.168.0.188.1066: S 3170196575:3170196575(0) ack 2974719319 win 5840 <mss 1460,nop,nop,sackOK>
08:47:38.775236 IP 10.0.0.11.21 > 192.168.0.188.1064: S 3075687295:3075687295(0) ack 3437986087 win 5840 <mss 1460,nop,nop,sackOK>
08:47:40.755050 IP 192.168.0.188.1068 > 192.168.0.24.21: S 2381838077:2381838077(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:40.755089 IP 192.168.0.188.1068 > 10.0.0.11.21: S 2381838077:2381838077(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:40.755244 IP 10.0.0.11.21 > 192.168.0.188.1068: S 3165769839:3165769839(0) ack 2381838078 win 5840 <mss 1460,nop,nop,sackOK>
08:47:41.190409 IP 192.168.0.188.1067 > 192.168.0.24.21: S 2544506208:2544506208(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:41.190429 IP 192.168.0.188.1067 > 10.0.0.12.21: S 2544506208:2544506208(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:41.190533 IP 10.0.0.12.21 > 192.168.0.188.1067: S 3161029355:3161029355(0) ack 2544506209 win 5840 <mss 1460,nop,nop,sackOK>
08:47:41.393178 IP 10.0.0.12.21 > 192.168.0.188.1067: S 3161029355:3161029355(0) ack 2544506209 win 5840 <mss 1460,nop,nop,sackOK>
08:47:43.704963 IP 192.168.0.188.1068 > 192.168.0.24.21: S 2381838077:2381838077(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:43.704994 IP 192.168.0.188.1068 > 10.0.0.11.21: S 2381838077:2381838077(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:43.705002 IP 192.168.0.188.1066 > 192.168.0.24.21: S 2974719318:2974719318(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:43.705016 IP 192.168.0.188.1066 > 10.0.0.13.21: S 2974719318:2974719318(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:43.705125 IP 10.0.0.13.21 > 192.168.0.188.1066: S 3170196575:3170196575(0) ack 2974719319 win 5840 <mss 1460,nop,nop,sackOK>
08:47:43.705135 IP 10.0.0.11.21 > 192.168.0.188.1068: S 3165769839:3165769839(0) ack 2381838078 win 5840 <mss 1460,nop,nop,sackOK>
08:47:44.568213 IP 10.0.0.13.21 > 192.168.0.188.1066: S 3170196575:3170196575(0) ack 2974719319 win 5840 <mss 1460,nop,nop,sackOK>
08:47:44.974249 IP 10.0.0.11.21 > 192.168.0.188.1068: S 3165769839:3165769839(0) ack 2381838078 win 5840 <mss 1460,nop,nop,sackOK>
08:47:47.225340 IP 192.168.0.188.1067 > 192.168.0.24.21: S 2544506208:2544506208(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:47.225374 IP 192.168.0.188.1067 > 10.0.0.12.21: S 2544506208:2544506208(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:47.225477 IP 10.0.0.12.21 > 192.168.0.188.1067: S 3161029355:3161029355(0) ack 2544506209 win 5840 <mss 1460,nop,nop,sackOK>
08:47:47.393590 IP 10.0.0.12.21 > 192.168.0.188.1067: S 3161029355:3161029355(0) ack 2544506209 win 5840 <mss 1460,nop,nop,sackOK>
08:47:49.739894 IP 192.168.0.188.1068 > 192.168.0.24.21: S 2381838077:2381838077(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:49.739927 IP 192.168.0.188.1068 > 10.0.0.11.21: S 2381838077:2381838077(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:49.740070 IP 10.0.0.11.21 > 192.168.0.188.1068: S 3165769839:3165769839(0) ack 2381838078 win 5840 <mss 1460,nop,nop,sackOK>
08:47:50.973297 IP 10.0.0.11.21 > 192.168.0.188.1068: S 3165769839:3165769839(0) ack 2381838078 win 5840 <mss 1460,nop,nop,sackOK>
08:47:56.568564 IP 10.0.0.13.21 > 192.168.0.188.1066: S 3170196575:3170196575(0) ack 2974719319 win 5840 <mss 1460,nop,nop,sackOK>
08:47:59.394436 IP 10.0.0.12.21 > 192.168.0.188.1067: S 3161029355:3161029355(0) ack 2544506209 win 5840 <mss 1460,nop,nop,sackOK>
08:48:03.171360 IP 10.0.0.11.21 > 192.168.0.188.1068: S 3165769839:3165769839(0) ack 2381838078 win 5840 <mss 1460,nop,nop,sackOK>
08:48:20.769273 IP 10.0.0.13.21 > 192.168.0.188.1066: S 3170196575:3170196575(0) ack 2974719319 win 5840 <mss 1460,nop,nop,sackOK>
08:48:23.596095 IP 10.0.0.12.21 > 192.168.0.188.1067: S 3161029355:3161029355(0) ack 2544506209 win 5840 <mss 1460,nop,nop,sackOK>
08:48:27.167556 IP 10.0.0.11.21 > 192.168.0.188.1068: S 3165769839:3165769839(0) ack 2381838078 win 5840 <mss 1460,nop,nop,sackOK>
08:49:08.974685 IP 10.0.0.13.21 > 192.168.0.188.1066: S 3170196575:3170196575(0) ack 2974719319 win 5840 <mss 1460,nop,nop,sackOK>
08:49:11.799403 IP 10.0.0.12.21 > 192.168.0.188.1067: S 3161029355:3161029355(0) ack 2544506209 win 5840 <mss 1460,nop,nop,sackOK>
08:49:15.359853 IP 10.0.0.11.21 > 192.168.0.188.1068: S 3165769839:3165769839(0) ack 2381838078 win 5840 <mss 1460,nop,nop,sackOK>

着急呀！

[ 本帖最后由 skywh_2001 于 2007-5-16 08:54 编辑 ]

作者: qtdszws 时间: 2007-05-16 08:59
既然是内网网卡,怎么会有这样的包出现呢?
08:47:34.769050 IP 192.168.0.188.1066 > 192.168.0.24.21: S 2974719318:2974719318(0) win 65535 <mss 1460,nop,nop,sackOK>

1.你内网和外网网卡是独立的吧?
2.你的内网和外网是独立的吧?

作者: qtdszws 时间: 2007-05-16 09:33
1.根据你的信息判断你只有个网卡
2.包分析
08:47:34.769050 IP 192.168.0.188.1066 > 192.168.0.24.21: S 2974719318:2974719318(0) win 65535 <mss 1460,nop,nop,sackOK>
//clinet->vs

08:47:34.769090 IP 192.168.0.188.1066 > 10.0.0.13.21: S 2974719318:2974719318(0) win 65535 <mss 1460,nop,nop,sackOK>
//vs->rs

08:47:34.769208 IP 10.0.0.13.21 > 192.168.0.188.1066: S 3170196575:3170196575(0) ack 2974719319 win 5840 <mss 1460,nop,nop,sackOK>
//rs->vs

vs->client没有了
从10.0.0.13->192.168.0.188的路由目的地非本机，需要转发，只有允许转发，则vs/nat的output函数ip_vs_out才能得到处理，将源地址转换为192.168.0.24:21并发出去

08:47:37.670026 IP 192.168.0.188.1066 > 192.168.0.24.21: S 2974719318:2974719318(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:37.670057 IP 192.168.0.188.1066 > 10.0.0.13.21: S 2974719318:2974719318(0) win 65535 <mss 1460,nop,nop,sackOK>
08:47:37.670165 IP 10.0.0.13.21 > 192.168.0.188.1066: S 3170196575:3170196575(0) ack 2974719319 win 5840 <mss 1460,nop,nop,sackOK>

因此强烈建议你确认 cat /proc/sys/net/ipv4/ip_forward的结果是1吗?

[ 本帖最后由 qtdszws 于 2007-5-16 09:42 编辑 ]

作者: skywh_2001 时间: 2007-05-16 09:35
两块独立的网卡
两个HUB分别建起的内外网
客户端（192.168.0.188）gw（192.168.0.24）－－》HUB1－－》VS的eth1（192.168.0.24）
VS的eth0（10.0.0.1）－－》HUB2－－》RS（10.0.0.11－13）gw（10.0.0.1）

在VS上 cat /proc/sys/net/ipv4/ip_forward 的结果是1
我在启动时修改后，默认为1

[ 本帖最后由 skywh_2001 于 2007-5-16 09:37 编辑 ]

作者: skywh_2001 时间: 2007-05-16 09:43
是不是RS上的 /proc/sys/net/ipv4/ip_forward
也要改为1？？？

作者: qtdszws 时间: 2007-05-16 09:44
>>是不是RS上的 /proc/sys/net/ipv4/ip_forward
不需要

vs上
1.iptables -L -vn的结果
2.netstat -rCn的结果

作者: skywh_2001 时间: 2007-05-16 09:51
[root@localhost ~]# iptables -L-vn
iptables: No chain/target/match by that name
[root@localhost ~]# netstat -rCn
Kernel IP routing cache
Source Destination Gateway Flags MSS Window irtt Iface
192.168.0.188 192.168.0.255 192.168.0.255 bl 0 0 0 lo

重新启动iptables服务后
[root@localhost ~]# iptables -L-vn
iptables: No chain/target/match by that name

对了，iptables不是已经停止服务了吗？

[ 本帖最后由 skywh_2001 于 2007-5-16 09:56 编辑 ]

作者: qtdszws 时间: 2007-05-16 09:58
1.iptables -L -vn中间有空格
2.netstat -rCn的结果是你从客户端开始刷新连接的几秒中后的结果

作者: skywh_2001 时间: 2007-05-16 10:03
[root@localhost ~]# iptables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target    prot opt in    out    source             destination
2 478 RH-Firewall-1-INPUT  all  --  *    *    0.0.0.0/0          0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target    prot opt in    out    source             destination
0    0 RH-Firewall-1-INPUT  all  --  *    *    0.0.0.0/0          0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target    prot opt in    out    source             destination

Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target    prot opt in    out    source             destination
0    0 ACCEPT    all  --  lo    *    0.0.0.0/0          0.0.0.0/0
0    0 ACCEPT    icmp --  *    *    0.0.0.0/0          0.0.0.0/0          icmp type 255
0    0 ACCEPT    esp  --  *    *    0.0.0.0/0          0.0.0.0/0
0    0 ACCEPT    ah --  *    *    0.0.0.0/0          0.0.0.0/0
0    0 ACCEPT    udp  --  *    *    0.0.0.0/0          224.0.0.251       udp dpt:5353
0    0 ACCEPT    udp  --  *    *    0.0.0.0/0          0.0.0.0/0          udp dpt:631
0    0 ACCEPT    tcp  --  *    *    0.0.0.0/0          0.0.0.0/0          tcp dpt:631
0    0 ACCEPT    all  --  *    *    0.0.0.0/0          0.0.0.0/0          state RELATED,ESTABLISHED
0    0 ACCEPT    tcp  --  *    *    0.0.0.0/0          0.0.0.0/0          state NEW tcp dpt:21
0    0 ACCEPT    tcp  --  *    *    0.0.0.0/0          0.0.0.0/0          state NEW tcp dpt:22
0    0 ACCEPT    tcp  --  *    *    0.0.0.0/0          0.0.0.0/0          state NEW tcp dpt:443
0    0 ACCEPT    tcp  --  *    *    0.0.0.0/0          0.0.0.0/0          state NEW tcp dpt:23
0    0 ACCEPT    tcp  --  *    *    0.0.0.0/0          0.0.0.0/0          state NEW tcp dpt:80
2 478 REJECT    all  --  *    *    0.0.0.0/0          0.0.0.0/0          reject-with icmp-host-prohibited
[root@localhost ~]# netstat -rCn
Kernel IP routing cache
Source       Destination    Gateway       Flags MSS Window  irtt Iface
10.0.0.12    10.0.0.1       10.0.0.1       il       0 0       0 lo
10.0.0.1       10.0.0.12    10.0.0.12             1500 0       0 eth0
10.0.0.13    10.0.0.1       10.0.0.1       il       0 0       0 lo
10.0.0.13    192.168.0.188 192.168.0.188 i    1500 0       0 eth1
192.168.0.188 192.168.0.24 192.168.0.24 l       0 0       0 lo
192.168.0.188 192.168.0.255 192.168.0.255 bl       0 0       0 lo
10.0.0.12    192.168.0.188 192.168.0.188 i    1500 0       0 eth1
10.0.0.1       10.0.0.13    10.0.0.13             1500 0       0 eth0

作者: qtdszws 时间: 2007-05-16 10:48
有从 rs->client的路由
10.0.0.12 192.168.0.188 192.168.0.188 i 1500 0 0 eth1

那么应答包就应该返回给client了

在eth1看看
tcpudmp -i eth1 -nnn 'tcp and src port 21'

作者: skywh_2001 时间: 2007-05-16 15:13
在eth1看看 tcpdump -i eth1 -nnn 'tcp and src port 21'
除了tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
没有其他如何输出

为什么要关闭所有机器的iptables？？

[ 本帖最后由 skywh_2001 于 2007-5-16 15:24 编辑 ]

作者: qtdszws 时间: 2007-05-16 15:41
>>为什么要关闭所有机器的iptables？？
怕有干扰

>>没有其他如何输出
这就怪了，照理数据应该返回给客户端了.我想不出有什么地方出了问题

执行以下
dmesg -c
iptables -A FORWARD -p tcp --sport 21 -j LOG --log-prefix FORWARD
iptables -t nat -A POSTROUTING -p tcp --sport 21 -j LOG --log-prefix POSTROUTING

客户端刷新以下，dmesg看看结果

作者: dingxincai 时间: 2007-05-16 16:46
你试过在防火墙上给ftp打标记吗

作者: dingxincai 时间: 2007-05-16 17:02
你把realserver先做成web server 做一下测试，看nat是不是能正常工作，然后在加入ftpserver,
实现ftp的lvs－nat，需要在防火墙上给ftp打标记

作者: skywh_2001 时间: 2007-05-16 17:12
这是我在VS上的监测
[root@localhost ~]# tcpdump -i eth1 -nnn 'tcp and src port 21'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
16:18:28.886559 IP 192.168.0.24.21 > 192.168.0.188.1147: S 1668927168:1668927168(0) ack 1886514398 win 5840 <mss 1460,nop,nop,sackOK>
16:18:28.888245 IP 192.168.0.24.21 > 192.168.0.188.1147: P 1:29(2

ack 1 win 5840
16:18:28.888468 IP 192.168.0.24.21 > 192.168.0.188.1147: F 29:29(0) ack 1 win 5840
16:18:35.073192 IP 192.168.0.24.21 > 192.168.0.188.1148: S 1659958277:1659958277(0) ack 719216676 win 5840 <mss 1460,nop,nop,sackOK>
16:18:35.074975 IP 192.168.0.24.21 > 192.168.0.188.1148: P 1:29(2

ack 1 win 5840
16:18:35.075344 IP 192.168.0.24.21 > 192.168.0.188.1148: F 29:29(0) ack 1 win 5840
16:18:37.697668 IP 192.168.0.24.21 > 192.168.0.188.1149: S 1672675050:1672675050(0) ack 3575207895 win 5840 <mss 1460,nop,nop,sackOK>
16:18:37.699945 IP 192.168.0.24.21 > 192.168.0.188.1149: P 1:29(2

ack 1 win 5840
16:18:37.700375 IP 192.168.0.24.21 > 192.168.0.188.1149: F 29:29(0) ack 1 win 5840

[root@localhost netfilter]# tcpdump -i eth0 -nnn 'tcp and port 21'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:18:28.886449 IP 192.168.0.188.1147 > 10.0.0.13.21: S 1886514397:1886514397(0) win 65535 <mss 1460,nop,nop,sackOK>
16:18:28.886545 IP 10.0.0.13.21 > 192.168.0.188.1147: S 1668927168:1668927168(0) ack 1886514398 win 5840 <mss 1460,nop,nop,sackOK>
16:18:28.886658 IP 192.168.0.188.1147 > 10.0.0.13.21: . ack 1 win 65535
16:18:28.888215 IP 10.0.0.13.21 > 192.168.0.188.1147: P 1:29(2

ack 1 win 5840
16:18:28.888453 IP 10.0.0.13.21 > 192.168.0.188.1147: F 29:29(0) ack 1 win 5840
16:18:28.888576 IP 192.168.0.188.1147 > 10.0.0.13.21: . ack 30 win 65507
16:18:28.890920 IP 192.168.0.188.1147 > 10.0.0.13.21: R 1:1(0) ack 30 win 0
16:18:35.073046 IP 192.168.0.188.1148 > 10.0.0.12.21: S 719216675:719216675(0) win 65535 <mss 1460,nop,nop,sackOK>
16:18:35.073177 IP 10.0.0.12.21 > 192.168.0.188.1148: S 1659958277:1659958277(0) ack 719216676 win 5840 <mss 1460,nop,nop,sackOK>
16:18:35.073327 IP 192.168.0.188.1148 > 10.0.0.12.21: . ack 1 win 65535
16:18:35.074962 IP 10.0.0.12.21 > 192.168.0.188.1148: P 1:29(2

ack 1 win 5840
16:18:35.075332 IP 10.0.0.12.21 > 192.168.0.188.1148: F 29:29(0) ack 1 win 5840
16:18:35.075460 IP 192.168.0.188.1148 > 10.0.0.12.21: . ack 30 win 65507
16:18:35.077574 IP 192.168.0.188.1148 > 10.0.0.12.21: R 1:1(0) ack 30 win 0
16:18:37.697493 IP 192.168.0.188.1149 > 10.0.0.11.21: S 3575207894:3575207894(0) win 65535 <mss 1460,nop,nop,sackOK>
16:18:37.697652 IP 10.0.0.11.21 > 192.168.0.188.1149: S 1672675050:1672675050(0) ack 3575207895 win 5840 <mss 1460,nop,nop,sackOK>
16:18:37.697780 IP 192.168.0.188.1149 > 10.0.0.11.21: . ack 1 win 65535
16:18:37.699922 IP 10.0.0.11.21 > 192.168.0.188.1149: P 1:29(2

ack 1 win 5840
16:18:37.700363 IP 10.0.0.11.21 > 192.168.0.188.1149: F 29:29(0) ack 1 win 5840
16:18:37.700476 IP 192.168.0.188.1149 > 10.0.0.11.21: . ack 30 win 65507
16:18:37.702508 IP 192.168.0.188.1149 > 10.0.0.11.21: R 1:1(0) ack 30 win 0
希望高手重新看一下

作者: dingxincai 时间: 2007-05-16 17:18
有关ftp－lvs－nat可以参考：
https://www.redhat.com/docs/manu ... 1-lvs-overview.html

作者: dingxincai 时间: 2007-05-16 17:21
这是ftp请求的包呀，可是没有回复的包呀

作者: qtdszws 时间: 2007-05-16 17:21
你这不是正常了吗?有请求和响应。

你是怎么搞通的?

你可以先用web服务测试,ftp有点复杂。

[ 本帖最后由 qtdszws 于 2007-5-16 17:26 编辑 ]

作者: dingxincai 时间: 2007-05-16 17:27
把你的lvs.xml 贴出来看看

作者: skywh_2001 时间: 2007-05-16 20:19
RS的结果之一：
[root@localhost ~]# tcpdump -i eth0 -nnn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:18:23.101091 IP 192.168.0.188.1148 > 10.0.0.12.21: S 719216675:719216675(0) win 65535 <mss 1460,nop,nop,sackOK>
16:18:23.101189 IP 10.0.0.12.21 > 192.168.0.188.1148: S 1659958277:1659958277(0) ack 719216676 win 5840 <mss 1460,nop,nop,sackOK>
16:18:23.101276 IP 192.168.0.188.1148 > 10.0.0.12.21: . ack 1 win 65535
16:18:23.102839 IP 10.0.0.12.21 > 192.168.0.188.1148: P 1:29(2

ack 1 win 5840
16:18:23.103220 IP 10.0.0.12.21 > 192.168.0.188.1148: F 29:29(0) ack 1 win 5840
16:18:23.103411 IP 192.168.0.188.1148 > 10.0.0.12.21: . ack 30 win 65507
16:18:23.105523 IP 192.168.0.188.1148 > 10.0.0.12.21: R 1:1(0) ack 30 win 0
16:18:28.103366 arp who-has 10.0.0.12 tell 10.0.0.1
16:18:28.103381 arp reply 10.0.0.12 is-at 00:19:5b:69:d0:6f

客户端的结果：
C:\Documents and Settings\skywh>ftp 192.168.0.24
Connected to 192.168.0.24.
421 Service not available.
Connection closed by remote host.
为什么客户端还是没有结果？

搞定了。客户端终于正常了。
由于192.168.0.网段在RS上的ftp服务被禁止了，所以……
但是我在配置时都已经，设置好了。不知后来怎么被改掉了。
看来以后要小心、仔细了。

谢谢各位的帮助！
尤其感谢qtdszws（异次元空间）的帮助！

[ 本帖最后由 skywh_2001 于 2007-5-17 07:41 编辑 ]

作者: qtdszws 时间: 2007-05-17 08:49
不客气，替你高兴,不过我还在疑惑，

1.前面你在eth0为何能看到vs->client的包?
2.为何应答包不能通过vs返回，而后来又可以了?

作者: skywh_2001 时间: 2007-05-17 18:49
呵呵，自己太大意了，前几天同学玩游戏时
把网线改了。自己没仔细检查。后来因为客户端ping不通VS 才发现问题。
实在是让你费心了。

非常感谢！
自己敲了个警钟！希望大家不要向我一样。

欢迎光临 Chinaunix (http://bbs.chinaunix.net/)