From: Jonathan G - Mailing List <email-lists@surestorm.com>
To: Pedro Salazar <pedro-b-salazar@ptinovacao.pt>,
netfilter@lists.netfilter.org
Subject: Re: load-balancing with netfilter: round robin or what??
Date: Mon, 06 Oct 2003 13:23:10 +0200
Message-ID: <3F81509E.3080600@surestorm.com>
In-Reply-To: <1065434375.1604.33.camel@vitoria.intra.cet.pt>
Hi pedro / Hola pedro,
What do you want? LB for firewalls or LB for web servers? I didn't
understand your question.
If the reality is that you need load balancing of web servers, you may
deploy easy DNS round robin. This could be easy to configure but a bad
idea for high information volume.
If you prefer, you may implement HA (high availability) with a master and
a slave box. With this config one of your servers will answer connections
until it falls; then the second box will answer connections until the
moment the first comes up. This is the most used implementation to give
continuous service.
I have deployed this configuration for firewalls in many installations.
I have used VRRP (virtual redundancy routing protocol) on Nokia boxes
for CheckPoint Firewall-1 clusters and it works fine. You may use the same
idea installing the vrrpd daemon in the www boxes. It could run fine.
If you don't know how VRRP works, it implements a virtual MAC and a
virtual IP, so from iptables you only have to forward traffic to the
virtual IP. The machine that is up will take the connection and will
serve the pages.
Best regards,
jonathan
Pedro Salazar wrote:
> Greetings,
>
> I pretend to load-balance to two servers, but apparently I think only
> one machine is getting the requests.
>
> These are the rules I run in iptables:
>
> /sbin/iptables -v -P INPUT ACCEPT
> /sbin/iptables -v -P OUTPUT ACCEPT
> /sbin/iptables -v -P FORWARD ACCEPT
> /sbin/iptables -v -t nat -A PREROUTING --dst 192.168.89.44 -p tcp \
> --dport 9000 -j DNAT --to-destination 192.168.89.158:80 \
> --to-destination 192.168.89.159:80
> /sbin/iptables -v -t nat -A POSTROUTING --dst 192.168.89.158/31 \
> -p tcp --dport 80 -j SNAT --to-source 192.168.89.44
> /sbin/iptables -v -t nat -A OUTPUT -p tcp -m tcp --dport 9000 \
> --dst 192.168.89.44 -j DNAT --to-destination 192.168.89.158:80 \
> --to-destination 192.168.89.159:80
>
> As you can see, I have two destination hosts, 192.168.89.158/31. The
> 192.168.89.44 is the gateway itself that is redirecting requests on port
> 9000 to the two HTTP servers. All of them are in the same network.
>
> However, I think only the .158 is getting the requests (I have verified
> that with tcpdump).
>
> So, what is wrong or what is needed? I supposed the requests would be
> load-balanced...
>
> I'm using a Linux Red Hat 7.3 box with the default kernel 2.4.18-3.
>
> thanks,
> Pedro Salazar.
--
__________________________________________________________________
Jonathan Gonzalez - SureStorm.com Security Site - Madrid/MA/SPAIN
http://www.surestorm.com - GnuPG Key ID = 0xAA3EAC08
/"\
\ / ASCII RIBBON CAMPAIGN
X Against HTML mail & Microsoft attachments
/ \
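For the setup in Pedro's question (gateway 192.168.89.44:9000 in front of .158 and .159 on port 80), here is an added example, not from the thread or from the netfilter project, of how the same round-robin DNAT is written on a current kernel with the later `statistic` match, generalised to any number of backends. It assumes the thread's addresses and a kernel new enough to have `-m statistic`; it only prints the rules unless `IPT=iptables` is set.

```shell
#!/bin/sh
# Added example (not from the thread): round-robin DNAT for the thread's
# topology using the iptables "statistic" match. Dry-run by default;
# run with IPT=iptables to apply the rules for real.
IPT="${IPT:-echo iptables}"

VIP=192.168.89.44                         # gateway address from the thread
VPORT=9000                                # port clients connect to
BACKENDS="192.168.89.158 192.168.89.159"  # web servers from the thread
BPORT=80

# Emit one DNAT rule per backend. With "-m statistic --mode nth", backend i
# (0-based) of n takes every (n-i)-th new connection that the earlier rules
# did not already take, so each backend ends up with 1/n; the last backend
# needs no match at all. The nat table only sees the first packet of each
# connection, so conntrack keeps the rest of a flow on the chosen backend.
lb_rules() {
    n=$(set -- $BACKENDS; echo $#)
    i=0
    for b in $BACKENDS; do
        every=$((n - i))
        match=""
        [ "$every" -gt 1 ] && match="-m statistic --mode nth --every $every --packet 0"
        $IPT -t nat -A PREROUTING -d "$VIP" -p tcp --dport "$VPORT" $match \
            -j DNAT --to-destination "$b:$BPORT"
        i=$((i + 1))
    done
    # Hairpin: clients and backends share one LAN, so source-NAT the balanced
    # traffic to the gateway or backend replies bypass it (as the thread does).
    for b in $BACKENDS; do
        $IPT -t nat -A POSTROUTING -d "$b" -p tcp --dport "$BPORT" \
            -j SNAT --to-source "$VIP"
    done
}

lb_rules
```

Check the live counters with `iptables -t nat -L PREROUTING -v -n` after some test connections; the DNAT rules should show roughly equal packet counts.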