[CentOS] Transparent proxy with LVS

Tue Apr 27 18:22:20 UTC 2010
Enrique Verdes <EVerdes at conatel.com.uy>

I've managed to configure a LVS Cluster to act as a transparent proxy
squid farm, with a virtual server as load balancer, and three real
servers. Because redirecting packets going to port 80 to port 3128 of
squid in the load balancer doesn't work, the solution has a mix of ip
route and iptables.

Here is the script I wrote to configure transparent proxy.

#!/bin/bash
#Transparent proxy configuration (director side)
#Variables
VIP=192.168.18.10
WEB=80
SRV01=192.168.18.40
SRV02=192.168.18.41
SRV03=192.168.18.42

#Packet marking: web traffic that is not addressed to the director itself
#gets fwmark 2 (newer iptables spell the negation as "! --dst $VIP")
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport $WEB --dst ! $VIP -j MARK --set-mark 2

#Routing table creation. grep -q prints nothing, so test its exit status
#directly; testing its (empty) output with [ ] is always false and would
#append a duplicate entry on every run.
if grep -sq 'www\.out' /etc/iproute2/rt_tables; then
	echo "Table exists"
else
	echo "202 www.out" >> /etc/iproute2/rt_tables
fi

#Clean tables and rules (errors are expected on the first run, when nothing
#exists yet)
ip rule del prio 100 fwmark 2 table www.out 2>/dev/null
ip route flush table www.out

#Routing of marked packets: deliver them to the local stack even though the
#destination address is not ours, so IPVS gets to see them
ip rule add prio 100 fwmark 2 table www.out
ip route add table www.out to local 0/0 dev lo
ip route flush cache

#ipvsadm rules: remove any existing fwmark-2 service first so the script
#can be re-run, then add the service and the real servers in direct-routing
#(gatewaying) mode
ipvsadm -D --fwmark-service 2 2>/dev/null
ipvsadm -A --fwmark-service 2
ipvsadm -a --fwmark-service 2 --real-server $SRV01 --gatewaying
ipvsadm -a --fwmark-service 2 --real-server $SRV02 --gatewaying
ipvsadm -a --fwmark-service 2 --real-server $SRV03 --gatewaying

As you can see, I mark all packets to port 80 that are not directed to the
virtual server itself with 2, and then route all those marked packets to
the loopback interface.

With ipvsadm I forward the marked packets to the real servers. In the
real servers there's a rule in the prerouting chain to redirect those
packets to port 3128.

I'm using the pulse service to start LVS, and would like to add the ipvsadm
rules to /etc/sysconfig/ha/lvs.cf, so they are issued by pulse at
startup. I can't figure out how to do it. When I try to start pulse, it
fails because I left the address field empty. But this service is not
tied to any address; I just want the fwmark match to forward the packets
to the real servers. I also have DNS in this LVS cluster.

Any suggestion about how I can add my ipvsadm rules to the lvs.cf file?
-- 
Enrique Verdes <EVerdes at conatel.com.uy>
Depto. de Ingeniería - CONATEL S.A.


This email is private and confidential and intended solely for the use of the individual to whom it is addressed. The responsibility of its content is the sender's and not CONATEL'S. If you have received this email by mistake please notify the sender immediately and delete it from your system. Its disclosure, copy or distribution is absolutely forbidden. The transmission error does not imply a waiver of privacy and confidentiality.
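The post only describes the real-server side ("a rule in the prerouting chain to redirect those packets to port 3128"). The script below is an added example of that side, not the poster's own configuration. It assumes squid listens on 3128 on every real server, that the packets the director forwards with --gatewaying arrive on the interface in IFACE (eth0 by default), and it uses a chain name (SQUID_INTERCEPT) and a DRYRUN switch of its own so the rule set can be inspected before it is applied:

```bash
#!/bin/bash
# Real-server side of the fwmark/direct-routing transparent proxy above:
# redirect the intercepted port-80 traffic to the local squid port.
# Added example, not the original poster's script. Assumptions: squid on
# 3128, client packets arriving on $IFACE, chain name SQUID_INTERCEPT.
set -u

IFACE=${IFACE:-eth0}
WEB=80
SQUID=3128
CHAIN=SQUID_INTERCEPT
DRYRUN=${DRYRUN:-}

# run: execute a command, or only print it when DRYRUN is set, so the
# rule set can be reviewed on a machine without iptables (or without root).
run() {
    if [ -n "$DRYRUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the intercept rules idempotently: they live in their own chain,
# which is (re)created and flushed, and the single jump from PREROUTING is
# deleted before it is re-added, so running this twice leaves one rule set.
real_server_rules() {
    run iptables -t nat -N "$CHAIN" 2>/dev/null || true
    run iptables -t nat -F "$CHAIN"
    run iptables -t nat -D PREROUTING -i "$IFACE" -j "$CHAIN" 2>/dev/null || true
    run iptables -t nat -A PREROUTING -i "$IFACE" -j "$CHAIN"
    # REDIRECT rewrites the destination (originally the origin web server,
    # since the director does not NAT in gatewaying mode) to the primary
    # address of $IFACE, so the packet becomes local and reaches squid; no
    # fwmark / ip rule trick is needed on the real server.
    run iptables -t nat -A "$CHAIN" -p tcp --dport "$WEB" -j REDIRECT --to-ports "$SQUID"
}

# Show the chain with packet counters: the REDIRECT counter must increase
# while clients browse, otherwise the director is not delivering to us.
show_counters() {
    run iptables -t nat -L "$CHAIN" -n -v
}

case "${1:-}" in
    apply) real_server_rules ;;
    show)  show_counters ;;
    plan)  DRYRUN=1 real_server_rules ;;
    *)     echo "usage: $0 apply|show|plan" >&2 ;;
esac
```

Run it with `plan` first to see the five iptables commands it would issue, then `apply` as root on each real server, and `show` after a client has browsed through the farm to confirm the REDIRECT counter is moving. Squid itself must also be told the port is an intercepting one (`http_port 3128 transparent` in Squid 2.6/2.7, `intercept` in 3.1 and later); that setting is not part of this script.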