Pound Mailing List / Archive / 2011-08
How to force outgoing IP ?
Morgan Cox <morgancoxuk(at)gmail.com>
2011-08-05 15:55:14
Hi.
I'm sort of assuming I'm going to use IPTABLES on the pound server but
thought I would ask if there is something in pound that can do this...
We have a setup where pound is load balancing a few web servers - each web
server has a LAN IP and an external IP.
When I check the IP from any of the web servers it appears to be using one
of the external IPs at random ...
Is it possible to force outgoing connections from the load balanced server
to come from one IP (i.e. the IP of the pound server)?
Any advice would be welcomed.
Regards
Re: [Pound Mailing List] How to force outgoing IP ?
Dave Steinberg <dave(at)redterror.net>
2011-08-05 18:39:01
On 8/5/2011 9:55 AM, Morgan Cox wrote: [...]
Setup Listen directives for each IP your load balancer uses, instead of
using 0.0.0.0. If I've guessed wrong and you're not using 0.0.0.0,
please post your config.
Regards,[...]
Re: [Pound Mailing List] How to force outgoing IP ?
Morgan Cox <morgancoxuk(at)gmail.com>
2011-08-30 10:43:58
Hi
Sorry for the delay in this.
Here is my pound.cfg - I have obscured IP/domain names for security
reasons...
I am not using 0.0.0.0 ...
----------------------------------------------------------------------------------------
## Minimal sample pound.cfg
##
## see pound(8) for details

######################################################################
## global options:

User        "root"
Group       "root"
#RootJail   "/chroot/pound"

## Logging: (goes to syslog by default)
##  0   no logging
##  1   normal
##  2   extended
##  3   Apache-style (common log format)
LogLevel    3

## check backend every X secs:
Alive       30

## use hardware-acceleration card supported by openssl(1):
#SSLEngine  "<hw>"

######################################################################
## listen, redirect and ... to:

## redirect all requests on port 8080 ("ListenHTTP") to the local webserver (see "Service" below):
ListenHTTP
    Address xxx.xxx.175.61
    Port    80

    ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
    xHTTP   0

    Service
        HeadRequire "Host: www.xxxxxxx.com"
        Redirect    "https://www.xxxxxxx.com"
    End

    Service
        HeadRequire "Host: xxxxxxx.com"
        Redirect    "https://xxxxxxx.com"
    End
End

ListenHTTPS
    Address xxx.xxx.175.61
    Port    443
    Cert    "/etc/pound/xxxxxxx.xxxxxxx.com.pem"
End

ListenHTTP
    Address xxx.xxx.175.135
    Port    80

    ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
    xHTTP   0
End

ListenHTTPS
    Address xxx.xxx.175.135
    Port    443
    Cert    "/etc/pound/www.xxxxxxx.xxxxxxx.com.pem"
End

ListenHTTPS
    Address xxx.xxx.175.17
    Port    443
    Cert    "/etc/pound/admin.txxxxxxxxxxxxxxx.com.pem"
End

ListenHTTPS
    Address xxx.xxx.175.195
    Port    443
    Cert    "/etc/pound/adminstg.txxxxxxxxxxxxxxx.com.pem"
End

ListenHTTPS
    Address xxx.xxx.175.196
    Port    443
    Cert    "/etc/pound/sso.txxxxxxxxxxxxxxx.com.pem"
End

ListenHTTPS
    Address xxx.xxx.175.77
    Port    443
    Cert    "/etc/pound/ssostg.txxxxxxxxxxxxxxx.com.pem"
End

ListenHTTPS
    Address     xxx.xxx.175.116
    Port        443
    Cert        "/etc/pound/xxxxxxxxxxxxxxx.xxxxxxxxxxxxxxx.xxxxxxxxxxxxxxx.xxxxxxxxxxxxxxx.co.uk.pem"
    VerifyList  "/etc/pound/rapid_ssl_CA.pem"
End

ListenHTTP
    Address xxx.xxx.175.116
    Port    80

    ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
    xHTTP   0
End

ListenHTTPS
    Address     xxx.xxx.175.216
    Port        443
    Cert        "/etc/pound/instoreuatssl.xxxx.xxx.xxx.co.uk.pem"
    VerifyList  "/etc/pound/rapid_ssl_CA.pem"
End

ListenHTTP
    Address xxx.xxx.175.216
    Port    80

    ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
    xHTTP   0
End

ListenHTTPS
    Address     xxx.xxx.174.64
    Port        443
    Cert        "/etc/pound/agentuatssl.broadband.xxxxxx.xxxxxxig3.co.uk.pem"
    VerifyList  "/etc/pound/rapid_ssl_CA.pem"
End

ListenHTTP
    Address xxx.xxx.174.64
    Port    80

    ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
    xHTTP   0
End

Service
    BackEnd
        Address     192.168.0.2
        TimeOut     240
        Port        80
        Priority    3
    End

    BackEnd
        Address     192.168.0.3
        TimeOut     240
        Port        80
        Priority    3
    End

    Session
        Type    IP
        TTL     12000
    End
End
----------------------------------------------------------------------------------------
Also, if it helps, the pound server has these iptables rules:
------------------------------------------------------------------
#!/bin/bash
iptables -F
iptables -F -t nat
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to 192.168.0.2:21
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 21 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 20 -j DNAT --to 192.168.0.2:20
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 20 -j ACCEPT

## For the win
## Ossec test
#iptables -A PREROUTING -t nat -p udp -i eth0 --dport 514 -j DNAT --to 192.168.0.2:514
#iptables -A FORWARD -p udp -i eth0 -d 192.168.0.2 --dport 514 -j ACCEPT
#iptables -A PREROUTING -t nat -p udp -i eth0 --dport 1514 -j DNAT --to 192.168.0.2:1514
#iptables -A FORWARD -p udp -i eth0 -d 192.168.0.2 --dport 1514 -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 60000:65534 -j DNAT --to 192.168.0.2
iptables -A FORWARD -p tcp -i eth0 -m state --state NEW --dport 60000:65534 -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 3389 -j DNAT --to 192.168.0.2:3389
iptables -A INPUT -p tcp -m state --state NEW --dport 3389 -i eth0 -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 84 -j DNAT --to 192.168.0.2:80
iptables -A INPUT -p tcp -m state --state NEW --dport 84 -i eth0 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 85 -j DNAT --to 192.168.0.3:80
iptables -A INPUT -p tcp -m state --state NEW --dport 85 -i eth0 -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 20014 -j DNAT --to 192.168.0.2:20014
iptables -A INPUT -p tcp -m state --state NEW --dport 20014 -i eth0 -j ACCEPT

#Backups
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 873 -j DNAT --to 192.168.0.2:873
iptables -A INPUT -p tcp -m state --state NEW --dport 873 -i eth0 -j ACCEPT

# R1Soft
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1168 -j DNAT --to 192.168.0.2:1168
iptables -A INPUT -p tcp -m state --state NEW --dport 1168 -i eth0 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1169 -j DNAT --to 192.168.0.3:1169
iptables -A INPUT -p tcp -m state --state NEW --dport 1169 -i eth0 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1170 -j DNAT --to 192.168.0.4:1170
iptables -A INPUT -p tcp -m state --state NEW --dport 1170 -i eth0 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1171 -j DNAT --to 192.168.0.5:1171
iptables -A INPUT -p tcp -m state --state NEW --dport 1171 -i eth0 -j ACCEPT
------------------------------------------------------------------
Any help with this would be good.
Thank you
Regards.
Re: [Pound Mailing List] How to force outgoing IP ?
Dave Steinberg <dave(at)redterror.net>
2011-08-30 16:18:37
On 8/30/2011 4:43 AM, Morgan Cox wrote: [...]
<snip> - Your config looks fine to me.
[...]
<snip> - None of those iptables rules seem to touch port 80/443, so
they shouldn't affect anything.
Taking a step back - my understanding of TCP is that if a connection is
initiated by an external host to a particular IP (say to a.b.175.61 from
your config), then the reply will *always* come from a.b.175.61.
Otherwise the initiating host will drop the packet. The only exception
is if you had a router performing a redirect or NAT ahead of this, and
so it would then modify the outbound packets in some way to preserve
normal TCP semantics.
In short, I don't think this is a pound issue - it's something else with
your network or OS-level networking settings.
Regards,[...]
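Dave's check ("none of those rules touch 80/443") can be done mechanically. The script below is an added example, not code from the thread or from Pound: it parses `iptables` invocations in the style Morgan posted, lists which rules cover a given port and which external ports are DNATed to which backend, and flags ACCEPT rules that sit in INPUT for DNATed ports (forwarded traffic traverses FORWARD, not INPUT, so those only work while the FORWARD policy is ACCEPT). The sample rules are a constructed subset modelled on the posted script.

```python
import shlex

# Constructed sample modelled on the rules posted in the thread (a subset, not the full script).
SAMPLE_RULES = """
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to 192.168.0.2:21
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 21 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 84 -j DNAT --to 192.168.0.2:80
iptables -A INPUT -p tcp -m state --state NEW --dport 84 -i eth0 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 60000:65534 -j DNAT --to 192.168.0.2
"""

def parse_rule(line):
    """Reduce one iptables invocation to the options that decide what traffic it touches."""
    argv = shlex.split(line)
    if not argv or argv[0] != "iptables":
        return None
    rule = {"chain": None, "dport": None, "target": None, "to": None}
    it = iter(argv[1:])
    for tok in it:  # other options (-t, -p, -i, -m state ...) are skipped with their values
        if tok in ("-A", "--append"):
            rule["chain"] = next(it)
        elif tok == "--dport":
            rule["dport"] = next(it)
        elif tok in ("-j", "--jump"):
            rule["target"] = next(it)
        elif tok in ("--to", "--to-destination"):
            rule["to"] = next(it)
    return rule

def load_rules(text):
    return [r for r in map(parse_rule, text.strip().splitlines()) if r]

def port_range(spec):
    """'84' -> (84, 84); '60000:65534' -> (60000, 65534)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def rules_touching_port(rules, port):
    """Rules whose --dport (single port or range) covers `port`; Dave's 80/443 check."""
    return [r for r in rules
            if r["dport"] and port_range(r["dport"])[0] <= port <= port_range(r["dport"])[1]]

def dnat_map(rules):
    """External --dport -> DNAT destination, i.e. what is exposed through the pound box."""
    return {r["dport"]: r["to"] for r in rules if r["target"] == "DNAT"}

def input_accepts_for_dnat_ports(rules):
    """INPUT ACCEPTs for DNATed ports: forwarded packets traverse FORWARD, not INPUT."""
    dnat_ports = set(dnat_map(rules))
    return sorted(r["dport"] for r in rules
                  if r["chain"] == "INPUT" and r["target"] == "ACCEPT" and r["dport"] in dnat_ports)
```

Feeding the full posted script through `load_rules` gives the same result Dave reached by eye: no rule covers 80 or 443, so the rules cannot explain which source address the web servers use.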
RE: [Pound Mailing List] How to force outgoing IP ?
Joe Gooch <mrwizard(at)k12system.com>
2011-08-30 16:44:39
I think you have a default gateway issue.
But I have a couple questions.
1) Why do your web servers have two IPs? What’s the external IP used for?
2) What type of outbound connections do your webservers make? Usually web
would be incoming only.
I agree with Dave… This is likely not a pound issue. More likely an issue with
routing/NAT.
Joe
From: Morgan Cox [mailto:morgancoxuk(at)gmail.com]
Sent: Friday, August 05, 2011 9:55 AM
To: pound(at)apsis.ch
Subject: [Pound Mailing List] How to force outgoing IP ?
[...]