SuSEfirewall2 MASQUERADE
Trying to set up LVS to route ssh to a group of systems.
On the LVS server, I have:
eth0=192.168.18.108/255.255.0.0
eth0:1=192.168.19.254/355.355.0.0
eth1=PUBLIC_IP/255.255.254.0
eth2=LVS_PUBLIC_IP/255.255.254.0
On the internal machines:
eth0=192.168.19.43-48/255.255.255.0 default route is 192.168.19.254
With the firewall off, LVS works exactly as it should. When I turn the firewall on, I see the following in the firewall log:
Oct 15 15:15:10 lvs-one kernel: SFW2-FWDint-DROP-DEFLT-INV IN=eth0 OUT=eth1 SRC=192.168.19.44 DST=CLIENT_PUBLIC_IP LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=250 DPT=16160 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT (020405B40402080A02E1F740079B194F01030302)
Using tcpdump, without the firewall, I see:
CLIENT.ssh > LVS_PUBLIC_IP.ssh
CLIENT.ssh > 192.168.19.43.ssh
192.168.19.43.ssh > CLIENT.ssh
LVS_PUBLIC_IP.ssh > CLIENT.ssh
When I turn on the firewall, I get:
CLIENT.ssh > LVS_PUBLIC_IP.ssh
CLIENT.ssh > 192.168.19.43.ssh
192.168.19.43.ssh > CLIENT.ssh
... And it times out.
/etc/sysconfig/SuSEfirewall2 shows:
FW_DEV_EXT="any"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/16"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="smtp ssh"
FW_SERVICES_INT_TCP="250"
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_TRUSTED_NETS="192.168.0.0/16"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_IPSEC_TRUST="no"
I also manually added:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I've also tried adding:
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -L returns:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I'm pretty well stumped.
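Added example (not from the original post): a small Python parser for the SuSEfirewall2 log line quoted above. It splits the SFW2 prefix into chain, action, rule and reason (reading the -INV suffix as the conntrack INVALID drop rule), pulls out the IN/OUT/SRC/DST/SPT/DPT fields and the bare TCP flag tokens, and names the pattern the line shows: a SYN/ACK reply on the forward path that the firewall's connection tracker cannot tie to a connection it saw start. The sample line is constructed from the post, with the CLIENT_PUBLIC_IP placeholder kept.

```python
import re

# Constructed sample: the log line from the post, placeholder address kept as-is.
SAMPLE_LOG = (
    "Oct 15 15:15:10 lvs-one kernel: SFW2-FWDint-DROP-DEFLT-INV IN=eth0 OUT=eth1 "
    "SRC=192.168.19.44 DST=CLIENT_PUBLIC_IP LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
    "PROTO=TCP SPT=250 DPT=16160 WINDOW=5792 RES=0x00 ACK SYN URGP=0 "
    "OPT (020405B40402080A02E1F740079B194F01030302)"
)

# SFW2-<chain>-<action>-<rule>[-<reason>], e.g. SFW2-FWDint-DROP-DEFLT-INV
PREFIX_RE = re.compile(
    r"SFW2-(?P<chain>[A-Za-z]+)-(?P<action>[A-Z]+)-(?P<rule>[A-Z]+)(?:-(?P<reason>[A-Z]+))?"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")          # IN=eth0, SRC=..., SPT=250 ...
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_sfw2(line):
    """Return a dict of prefix parts, KEY=value fields and TCP flags, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None                                # not a SuSEfirewall2 line
    rec = dict(m.groupdict())
    rec.update(KV_RE.findall(line))
    # TCP flags are bare tokens (no '=') between RES= and URGP=
    rec["flags"] = sorted(tok for tok in line.split() if tok in TCP_FLAGS)
    return rec


def classify(rec):
    """Name the pattern the record fits; 'other' when it fits none."""
    forwarded = rec.get("chain", "").startswith("FWD")   # FWDint / FWDext chains
    invalid = rec.get("reason") == "INV"                 # conntrack state INVALID
    syn_ack = rec.get("flags") == ["ACK", "SYN"]         # second step of a handshake
    if forwarded and invalid and syn_ack:
        # A handshake reply conntrack cannot match to a NEW entry: the firewall
        # never tracked the client's SYN on the path it took (here via the LVS
        # director), so the real server's answer is treated as unsolicited.
        return "untracked-reply"
    if invalid:
        return "invalid-state"
    return "other"


if __name__ == "__main__":
    rec = parse_sfw2(SAMPLE_LOG)
    print(rec["chain"], rec["IN"], "->", rec["OUT"], rec["SRC"], rec["flags"])
    print(classify(rec))
```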