Load Balancers and conn_track
gtaylor at riverviewtech.net
Thu Apr 14 01:59:03 CEST 2005
> If I have two servers (say web servers) located behind a layer4
> switch, that act as a load balancer.
> server1 and server2 have the IPs (say) 22.214.171.124 & 126.96.36.199
> and the load balancer is 188.8.131.52
> Of course the DNS of the sites will point to 184.108.40.206 and clients from
> outside will see this.
> Now, will conntrack understand that the replies from 220.127.116.11 are
> really established connections that were destined for 18.104.22.168 ??
On which system (22.214.171.124, 126.96.36.199, or 188.8.131.52) are you asking if conntrack will see the replies as ESTABLISHED? I'm personally not familiar with load balancers at all. When the traffic comes in to 184.108.40.206 or 220.127.116.11 do they see the destination as 18.104.22.168 or do they see the destination as themselves, 22.214.171.124 / 126.96.36.199 respectively? Does the load balancer do any DNATing or SNATing of traffic? I would be tempted to say that your servers 188.8.131.52 and 184.108.40.206 should only worry about traffic coming in to themselves and make sure that the load balancer is sending packets to the various servers statefully.
Or, are you asking what will conntrack on a firewall that is SNATing at a client's location sending data to 220.127.116.11 think when packets come back from something other than 18.104.22.168? If this is the case I think this could break a LOT of things. In that case conntrack will not recognize the traffic as ESTABLISHED b/c the source IP will be different than the destination IP that the traffic was going out to.
See if you can't explain your scenario a little bit better and I'll see if I can't help you any more then.
Grant. . . .
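A toy model of the matching rule behind Grant's second scenario, added here as an example and not part of the thread: conntrack keys a flow by its address/port tuple and only treats a packet as ESTABLISHED when it matches the reversed tuple of a tracked flow, so a reply whose source is a backend server rather than the address the client sent to finds no entry. The `Packet`, `ConnTrack` and `simulate` names and all addresses (RFC 5737 documentation ranges) are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for a connection-opening SYN

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        # tuple conntrack looks up for a packet travelling in the reply direction
        return (self.dst, self.dport, self.src, self.sport)


class ConnTrack:
    """Minimal stand-in for the kernel's conntrack table (constructed example)."""

    def __init__(self):
        self.table = {}  # original-direction key -> state

    def classify(self, pkt):
        if pkt.key() in self.table:          # same direction as the opener
            return self.table[pkt.key()]
        if pkt.reverse_key() in self.table:  # reply from the original destination
            self.table[pkt.reverse_key()] = "ESTABLISHED"
            return "ESTABLISHED"
        if pkt.syn:                          # a fresh opener creates a NEW entry
            self.table[pkt.key()] = "NEW"
            return "NEW"
        return "INVALID"                     # mid-stream packet with no known flow


def simulate(reply_src, vip="192.0.2.1", client="203.0.113.10"):
    """Client opens to the load balancer VIP; the reply comes from reply_src."""
    ct = ConnTrack()
    opener = Packet(client, 40000, vip, 80, syn=True)
    reply = Packet(reply_src, 80, client, 40000)  # SYN/ACK from reply_src
    return [ct.classify(opener), ct.classify(reply)]
```

Replies sourced from the VIP itself match the tracked flow, while replies sourced directly from a backend (192.0.2.11 in the constructed setup) do not, which is why a stateful firewall at the client side would drop them unless the balancer SNATs the return path.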