[CentOS] Monitoring IP masquerading on LVS load-balancing

Wed Mar 25 22:40:46 UTC 2009
Barry Brimer <lists at brimer.org>

Quoting David Dyer-Bennet <dd-b at dd-b.net>:

> I've got small numbers of connections moving through a load balancer
> configured in NAT mode.  So I've got an iptables table called "nat", which
> has in it a line "-A POSTROUTING -o eth0 -j MASQUERADE" (lan connect is
> eth0, private lan inside the cluster is eth1).
>
> The load balancer is working; connections made to the virtual ip on that
> host do get routed to one of the real servers behind this load
> balancer.
>
> But I want to observe the connections on the load balancer.
>
> My first attempt was to use netstat with the --masquerade switch.  This
> produced the result "netstat: no support for `ip_masquerade' on this
> system."  Consistent with this, there is no /proc/net/ip_masquerade.
>
> On the other hand, the load balancer *IS* working; those connections *are*
> getting NATted and routed.
>
> Also, lsmod shows various relevant modules loaded:
> iptable_nat            40773  1
> ip_nat                 53101  2 ipt_MASQUERADE,iptable_nat
> ip_conntrack           91237  5 xt_state,ip_conntrack_netbios_ns,ipt_MASQUERADE,iptable_nat,ip_nat
> nfnetlink              40457  2 ip_nat,ip_conntrack
> ip_tables              55329  2 iptable_filter,iptable_nat
> x_tables               50377  7 xt_state,ipt_REJECT,xt_tcpudp,ipt_MASQUERADE,xt_multiport,iptable_nat,ip_tables
>
> So, netstat just isn't somehow the right monitoring tool, right?  So what
> is the right monitoring tool?  I need to know the source IP and
> real-server IP of connections being handled by the load balancer.  I don't
> need a lot showing exactly how each one was handled, but I'd like to be
> able to determine the state of any connection currently active.  How can I
> do this?

ipvsadm -L -c -n should do the trick.  Also, you shouldn't need that MASQ rule
unless you need to MASQ traffic originating from inside your private network. 
LVS handles all LVS related NATing.

Be careful .. you must use the lower case 'c' in this command as the uppercase
'C' will CLEAR your ipvs table and break things.

Hope this helps.

Barry
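The view the original poster asked for (client IP, real-server IP and state of each active connection on the director) comes straight out of the `ipvsadm -L -c -n` table Barry recommends. The shell functions below are an added example, not code from the thread or from the ipvsadm project: they parse that connection table into a compact listing, count entries per state (a pile-up of SYN_RECV entries is worth noticing on a director) and per real server (to confirm the scheduler is spreading load). The sample table embedded in the script is constructed for offline use; the column layout it assumes (pro expire state source virtual destination, after two header lines) is ipvsadm's connection-table format.

```shell
#!/bin/sh
# Added example (not from the original thread): parse the output of
# `ipvsadm -L -c -n` into the per-connection view the poster wanted.
# Note the lower-case -c: upper-case -C clears the IPVS table.

# Constructed sample of what `ipvsadm -L -c -n` prints on an LVS-NAT
# director (addresses are documentation ranges, not real hosts).
SAMPLE_IPVS_OUTPUT='IPVS connection entries
pro expire state       source             virtual            destination
TCP 14:58  ESTABLISHED 192.0.2.10:45678   198.51.100.1:80    10.0.1.5:80
TCP 00:50  TIME_WAIT   192.0.2.11:45679   198.51.100.1:80    10.0.1.6:80
TCP 01:59  SYN_RECV    192.0.2.12:45680   198.51.100.1:80    10.0.1.5:80'

# lvs_conns: read connection-table text on stdin and print one
# "proto client -> realserver state (expires mm:ss)" line per entry.
# The first two lines are headers and are skipped.
lvs_conns() {
    awk 'NR > 2 && NF >= 6 {
        printf "%s %s -> %s %s (expires %s)\n", $1, $4, $6, $3, $2
    }'
}

# lvs_state_counts: number of entries per connection state, sorted,
# e.g. to spot many half-open (SYN_RECV) connections on the director.
lvs_state_counts() {
    awk 'NR > 2 && NF >= 6 { n[$3]++ }
         END { for (s in n) printf "%s %d\n", s, n[s] }' | sort
}

# lvs_rs_counts: number of entries per real server (IP without port),
# sorted, to check that load is actually being distributed.
lvs_rs_counts() {
    awk 'NR > 2 && NF >= 6 { split($6, a, ":"); n[a[1]]++ }
         END { for (r in n) printf "%s %d\n", r, n[r] }' | sort
}

# On a live director you would run:   ipvsadm -L -c -n | lvs_conns
# Here the constructed sample stands in for the real table.
printf '%s\n' "$SAMPLE_IPVS_OUTPUT" | lvs_conns
printf '%s\n' "$SAMPLE_IPVS_OUTPUT" | lvs_state_counts
printf '%s\n' "$SAMPLE_IPVS_OUTPUT" | lvs_rs_counts
```

Because the functions read stdin, they can be pointed at a saved copy of the table as easily as at the live command, which makes it simple to snapshot the connection state before and after a change to the LVS configuration and diff the two.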