troublesome load balancing and iptables to the rescue...maybe
Pascal Hambourg
pascal.mail at plouf.fr.eu.org
Wed Jun 28 13:44:23 CEST 2006
Admin wrote:
>
> So for example - assuming 192.168.1.0/24 as the servers_subnet (ignore that
> this is private address space)
>
> realServerA=192.168.1.10
> realServerB=192.168.1.11
> VIP=192.168.1.1
>
> the procedure would be:
> o Compile the kernel with iptables support plus...
> * IP: advanced router
> * IP: policy routing
> * IP: use netfilter MARK value as routing key
Right, I always forget these functions are optional...
> echo '80 web' >> /etc/iproute2/rt_tables
> iptables -t mangle -A OUTPUT -d 192.168.1.0/24 -p tcp --sport 80 \
> -m state --state ESTABLISHED -j MARK --set-mark 200
> ip rule add fwmark 200 lookup web
> ip route add default via 192.168.1.1 table web
>
> With that applied, then a server running on port 80 on 192.168.1.10 should be
> able to access the service on the vip on 192.168.1.1, which will get directed
> back to 192.168.1.10 or 192.168.1.11. That request should then be returned to
> the client on 192.168.1.10
Oops, I just realized that for several reasons it won't work when the
alteon redirects a connection to the same server.
> It doesn't work yet (I'm still examining the packet dumps to try to work out
> why)
Ok. Check the packet MAC addresses on both servers.
> Added a mark log to check on the match
> iptables -t mangle -A OUTPUT -m mark --mark 200 -j LOG \
> --log-level DEBUG --log-prefix "fwmark 200: "
>
> which shows the traffic from the health checks that come in from the alteon,
Huh? This rule is in the OUTPUT chain, so it shouldn't log incoming
packets from the alteon.
> and presumably the traffic from the real server to the vip when I try to make
> that connection.
Rather the return traffic from the target server to the source server.
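The return-path setup quoted above (rt_tables entry, OUTPUT mangle mark, fwmark rule, default route via the VIP) as an added example script; it is not code from the thread or from either poster. It applies the same commands idempotently (no duplicate rt_tables line or duplicate rules on a second run), prints the plan instead of executing it when DRY_RUN=1, and includes a tcpdump call with -e for the MAC address check suggested in the reply. The addresses, port, mark and table values are the ones from the thread; the variable names, the DRY_RUN switch, the function names and the interface name eth0 are assumptions of this example. It does nothing about the case where the Alteon hands the connection back to the originating server, which the reply says will not work.

```shell
#!/bin/sh
# Added example, not from the original thread: force HTTP replies from a real
# server to hosts on the servers' own subnet back through the load balancer's
# VIP (policy routing on a netfilter mark) instead of directly across the LAN.
# Values below follow the thread; names, DRY_RUN and IFACE are assumptions.

SERVERS_SUBNET=${SERVERS_SUBNET:-192.168.1.0/24}
VIP=${VIP:-192.168.1.1}
SERVICE_PORT=${SERVICE_PORT:-80}
MARK=${MARK:-200}
TABLE_ID=${TABLE_ID:-80}
TABLE_NAME=${TABLE_NAME:-web}
IFACE=${IFACE:-eth0}          # assumed LAN interface, for the MAC check only
DRY_RUN=${DRY_RUN:-0}         # 1 = print the commands instead of running them

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_rt_table: register "80 web" once; the thread's plain
# 'echo >> /etc/iproute2/rt_tables' appends another copy on every run.
ensure_rt_table() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo "%s %s" >> /etc/iproute2/rt_tables\n' "$TABLE_ID" "$TABLE_NAME"
    elif ! grep -qE "^[[:space:]]*$TABLE_ID[[:space:]]+$TABLE_NAME\$" \
            /etc/iproute2/rt_tables 2>/dev/null; then
        echo "$TABLE_ID $TABLE_NAME" >> /etc/iproute2/rt_tables
    fi
}

# mark_replies: tag locally generated replies of the web server (source port
# 80, ESTABLISHED) that are addressed to the servers' subnet.  Deleting the
# rule first keeps a re-run from stacking identical rules.
mark_replies() {
    rule="-d $SERVERS_SUBNET -p tcp --sport $SERVICE_PORT \
-m state --state ESTABLISHED -j MARK --set-mark $MARK"
    # word splitting of $rule is intended
    run iptables -t mangle -D OUTPUT $rule 2>/dev/null || true
    run iptables -t mangle -A OUTPUT $rule
}

# route_via_vip: marked packets consult table "web", whose only route sends
# them to the VIP (the Alteon) rather than straight to the LAN peer.
route_via_vip() {
    run ip rule del fwmark "$MARK" lookup "$TABLE_NAME" 2>/dev/null || true
    run ip rule add fwmark "$MARK" lookup "$TABLE_NAME"
    run ip route replace default via "$VIP" table "$TABLE_NAME"
}

# plan: the whole procedure, in the order the pieces depend on each other
# (the table name must exist before 'ip rule add ... lookup web').
plan() {
    ensure_rt_table
    mark_replies
    route_via_vip
}

# show_state: what a second pair of eyes would want to see after applying.
show_state() {
    run ip rule show
    run ip route show table "$TABLE_NAME"
    run iptables -t mangle -vnL OUTPUT
}

# capture_macs: the check from the reply.  With -e tcpdump prints the link
# layer addresses, so you can see whether a reply left for the VIP's MAC
# (via the Alteon) or for the other server's MAC (direct, bypassing it).
capture_macs() {
    run tcpdump -e -n -i "$IFACE" -c 20 \
        tcp port "$SERVICE_PORT" and net "$SERVERS_SUBNET"
}

# Usage:  sh lb-return-path.sh            print the plan (no changes made)
#         sh lb-return-path.sh apply      as root: apply, then show state
#         sh lb-return-path.sh macs       as root: watch MAC addresses
case "${1:-}" in
    apply) plan && show_state ;;
    macs)  capture_macs ;;
    *)     DRY_RUN=1; plan ;;
esac
```

Run it once on each real server with DRY_RUN=1 first and compare the printed commands against the thread's five lines before applying; the mangle rule only fires for ESTABLISHED replies, so a fresh `ip rule show` and `iptables -t mangle -vnL OUTPUT` with non-zero packet counters after a test connection is the quickest sign the mark is being hit.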