Quoting David Dyer-Bennet dd-b@dd-b.net:
I've got small numbers of connections moving through a load balancer configured in NAT mode. So I've got an iptables table called "nat", which has in it a line "-A POSTROUTING -o eth0 -j MASQUERADE" (the LAN connection is eth0; the private LAN inside the cluster is eth1).
The load balancer is working; connections made to the virtual IP on that host do get routed to one of the real servers behind this load balancer.
But I want to observe the connections on the load balancer.
My first attempt was to use netstat with the --masquerade switch. This produced the result "netstat: no support for `ip_masquerade' on this system." Consistent with this, there is no /proc/net/ip_masquerade.
On the other hand, the load balancer *IS* working; those connections *are* getting NATted and routed.
Also, lsmod shows various relevant modules loaded:

    iptable_nat            40773  1
    ip_nat                 53101  2 ipt_MASQUERADE,iptable_nat
    ip_conntrack           91237  5 xt_state,ip_conntrack_netbios_ns,ipt_MASQUERADE,iptable_nat,ip_nat
    nfnetlink              40457  2 ip_nat,ip_conntrack
    ip_tables              55329  2 iptable_filter,iptable_nat
    x_tables               50377  7 xt_state,ipt_REJECT,xt_tcpudp,ipt_MASQUERADE,xt_multiport,iptable_nat,ip_tables
So, netstat just isn't somehow the right monitoring tool, right? So what is the right monitoring tool? I need to know the source IP and real-server IP of connections being handled by the load balancer. I don't need a lot showing exactly how each one was handled, but I'd like to be able to determine the state of any connection currently active. How can I do this?
ipvsadm -L -c -n should do the trick. Also, you shouldn't need that MASQ rule unless you need to MASQ traffic originating from inside your private network. LVS handles all LVS related NATing.
Be careful: you must use the lower-case 'c' in this command, as the upper-case 'C' will CLEAR your ipvs table and break things.
Hope this helps.
Barry
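An added example, not part of either message in the thread: a small shell filter that reduces the connection table printed by `ipvsadm -L -c -n` to the client IP, real-server and state view the question asks for. It assumes the usual column layout of that output (pro, expire, state, source, virtual, destination); the sample table fed to it below is constructed, so it runs without a director.

```shell
#!/bin/sh
# Added example (not from the thread): summarise "ipvsadm -L -c -n" output
# as one line per (client IP, real server, state) with a connection count.
# Assumes the column layout of ipvsadm -Lcn:
#   pro expire state source virtual destination

ipvs_conn_summary() {
    # Skip the "IPVS connection entries" banner and the column header,
    # drop the client port from the source column, keep the real server
    # as ip:port, and count identical (client, real server, state) tuples.
    awk 'NR > 2 && NF >= 6 {
            split($4, src, ":");
            key = src[1] " " $6 " " $3;
            count[key]++
         }
         END {
            for (k in count) print count[k], k
         }' | sort -k2,2 -k3,3
}

# Constructed sample of "ipvsadm -L -c -n" output for a NAT director with
# VIP 10.0.0.5:80 and real servers 192.168.1.11 and 192.168.1.12.
SAMPLE='IPVS connection entries
pro expire state       source             virtual            destination
TCP 14:58  ESTABLISHED 203.0.113.7:51000  10.0.0.5:80        192.168.1.11:80
TCP 14:57  ESTABLISHED 203.0.113.7:51001  10.0.0.5:80        192.168.1.11:80
TCP 00:42  TIME_WAIT   203.0.113.9:40022  10.0.0.5:80        192.168.1.12:80
TCP 00:59  SYN_RECV    198.51.100.3:33110 10.0.0.5:80        192.168.1.12:80'

# Live use on the director (lower-case -c lists the table; upper-case -C
# clears it, as Barry warns):
#   ipvsadm -L -c -n | ipvs_conn_summary
printf '%s\n' "$SAMPLE" | ipvs_conn_summary
```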