[Linux-HA] Setting Source IP for outgoing traffic?

Timothy Meader Timothy.Meader at gsfc.nasa.gov
Thu Oct 25 11:08:25 MDT 2007

>From: Dejan Muhamedagic <dejanmm at fastmail.fm>
>Subject: Re: [Linux-HA] Setting Source IP for outgoing traffic?
>To: General Linux-HA mailing list <linux-ha at lists.linux-ha.org>
>Message-ID: <20071025104536.GA7013 at rondo.suse.de>
>Content-Type: text/plain; charset=us-ascii
>On Wed, Oct 24, 2007 at 10:55:10PM -0400, Timothy Meader wrote:
> > Hello, I'm having an issue that I'm hoping someone could provide me
> > some help on. To give a brief synopsis of the situation:
> >
> > We originally had a single server setup running OSSEC. Last week, we
> > decided to combine this server with another two that were running as
> > a simple log server (in high availability fail-over mode using
> > heartbeat) to make better use of the existing systems. The log server
> > portion is running on the virtual IP xxx.xxx.xxx.7 on eth0:0, the
> > OSSEC server is setup to run on a secondary virtual IP,
> > xxx.xxx.xxx.29, on eth0:1. When running on a single server, OSSEC
> > worked fine. But now, the clients refuse to communicate properly with
> > the server.
> >
> > Using tcpdump, I tracked this communications problem down to the fact
> > that the server response from OSSEC in the high availability setup is
> > going back to the client with the ACTUAL address of eth0
> > (xxx.xxx.xxx.17 or 18 depending on which of the two high-avail nodes
> > it's currently running on). What I need is for the server response to
> > come back to the client with the xxx.xxx.xxx.29 address as the
> > source. I've investigated the "IPsrcaddr" script that comes with
> > heartbeat, but unfortunately there are two issues that preclude me
> > from using it, so I'm looking to iptables for a means to handle this.
>Why is it that you cannot use it? Could it be modified to fit?

Thanks for the reply. I've moved the OSSEC server to now use the same 
virtual IP as the logging/NFS portion (x.x.x.7), so that hopefully 
will make things slightly easier. This is doable presnetly because we 
haven't deployed the OSSEC clients to any nodes outside our local 
network yet, so it's relatively trivial for us at this stage to 
change the OSSEC server address locally on each node's conf file. The 
reason I can't use the IPsrcaddr script though (which I've seemingly 
verified just now after testing), is that it doesn't seem to work for 
any machines on the local subnet. We have about 20 nodes reporting in 
to the OSSEC server currently, all on the same /26 range as the HA 
server. For these machines, the following setup in the haresources 
file doesn't seem to work properly (the traffic is still going out to 
the clients on x.17 or x.18). Any further suggestions?

open-logger-1.my.domain IPaddr::xxx.xxx.xxx.7/26/eth0 IPsrcaddr::xxx.xxx.xxx.7 drbddisk::syslogs Filesystem::/dev/drbd0::/log::ext3 syslog-ng portmap nfs nfslock ossec httpd


Tim Meader
L-3 Communications, NASA EOS Security Operations
Timothy.Meader at gsfc.nasa.gov
(301) 614-6371  
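As an added illustration, not part of this thread: a small Python model of how the kernel picks a source address, which reproduces the symptom Tim describes. It assumes IPsrcaddr sets a `src` hint only on the default route, while the kernel-installed connected route for the local /26 keeps the interface's real address as its preferred source; the addresses and the `ip route show` sample are constructed placeholders.

```python
import ipaddress

# Constructed sample of `ip route show` output on one HA node.
# 192.0.2.7 stands in for the xxx.xxx.xxx.7 virtual IP and 192.0.2.17
# for the node's real eth0 address. The default route carries the `src`
# hint that IPsrcaddr is assumed to install; the connected /26 route is
# the one the kernel adds for eth0 and keeps the primary address as src.
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev eth0 src 192.0.2.7
192.0.2.0/26 dev eth0 proto kernel scope link src 192.0.2.17
"""


def parse_routes(text):
    """Turn `ip route show` lines into (network, src_hint) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(prefix, strict=False)
        src = parts[parts.index("src") + 1] if "src" in parts else None
        routes.append((net, src))
    return routes


def source_for(dest, routes, primary_addr):
    """Simplified preferred-source selection: longest-prefix match, then the
    route's `src` hint if present, otherwise the interface's primary address.
    (Real sockets explicitly bound to an address bypass this entirely.)"""
    dest = ipaddress.ip_address(dest)
    candidates = [(net, src) for net, src in routes if dest in net]
    if not candidates:
        raise ValueError(f"no route to {dest}")
    _net, src = max(candidates, key=lambda r: r[0].prefixlen)
    return src or primary_addr


def check_source(dest, text=SAMPLE_ROUTES, vip="192.0.2.7", primary="192.0.2.17"):
    """Return (source address used, whether it equals the virtual IP)."""
    src = source_for(dest, parse_routes(text), primary)
    return src, src == vip


if __name__ == "__main__":
    # Same-subnet client: connected route wins, replies leave from .17.
    print(check_source("192.0.2.40"))   # ('192.0.2.17', False)
    # Remote client: default route wins, replies leave from the VIP.
    print(check_source("198.51.100.9"))  # ('192.0.2.7', True)
```

Running it shows why only the ~20 same-subnet clients see the real node address: the default-route `src` hint never applies to them, so the connected route's preferred source needs changing (or the service must bind to the VIP) for those hosts.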
