failover with iptables?

Linux Netfilter discussions
 help / color / mirror / Atom feed

* failover with iptables?
@ 2002-09-11 12:10 Roy Sigurd Karlsbakk
  2002-09-11 13:11 ` Martijn Klingens
  2002-09-11 13:12 ` Antony Stone
  0 siblings, 2 replies; 6+ messages in thread
From: Roy Sigurd Karlsbakk @ 2002-09-11 12:10 UTC (permalink / raw)
  To: Netfilter mailinglist

hi

I currently have two identical servers I want to use in parallel with an 
iptables gate in front of them, so if one chrashes, iptables just sorts out 
and redirects to the other.

but

is it possible to make the below (as stolen from various cisco sketches) with 
iptables?

If iptab_1 fails, iptab_2 should take over ip and (perhaps) mac address of 
iptab_1. 

ps: I don't think I need connection tracking. 

roy

         clients

     |               |        
     |               |
+----+----+     +----+----+
|         |     |         |
| iptab_1 |     | iptab_2 |
|         |     |         |
+----+----+     +----+----+
     |     \   /     |        
     |      \ /      |
     |       X       |        
     |      / \      |
     |     /   \     |
+----+----+     +----+----+
|         |     |         |
| server1 |     | server2 |
|         |     |         |
+---------+     +---------+

-- 
Roy Sigurd Karlsbakk, Datavaktmester
ProntoTV AS - http://www.pronto.tv/
Tel: +47 9801 3356

Computers are like air conditioners.
They stop working when you open Windows.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: failover with iptables?
  2002-09-11 12:10 failover with iptables? Roy Sigurd Karlsbakk
@ 2002-09-11 13:11 ` Martijn Klingens
  2002-09-11 13:12 ` Antony Stone
  1 sibling, 0 replies; 6+ messages in thread
From: Martijn Klingens @ 2002-09-11 13:11 UTC (permalink / raw)
  To: Netfilter mailinglist

On Wednesday 11 September 2002 14:10, Roy Sigurd Karlsbakk wrote:
> hi
>
> I currently have two identical servers I want to use in parallel with an
> iptables gate in front of them, so if one chrashes, iptables just sorts out
> and redirects to the other.
>
> but
>
> is it possible to make the below (as stolen from various cisco sketches)
> with iptables?
>
> If iptab_1 fails, iptab_2 should take over ip and (perhaps) mac address of
> iptab_1.
>
> ps: I don't think I need connection tracking.

With this last line included the answer is "yes". Otherwise it's clearly a 
"no", or at least nothing more than a "partial".

You can failover any linux machine with Heartbeat (www.linuxvirtualserver.org) 
and create your own custom resource script to failover (the firewall). 
Failover is by no means stateful though using this technique, so any 
currently tracked connection will not reach the failover node properly.

Harald Welte hopes to start working on stateful failover early next year, but 
that's a long way from now, especially since it likely also needs to mature a 
bit before going into production...

Martijn

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: failover with iptables?
  2002-09-11 12:10 failover with iptables? Roy Sigurd Karlsbakk
  2002-09-11 13:11 ` Martijn Klingens
@ 2002-09-11 13:12 ` Antony Stone
  2002-09-11 13:44   ` Roy Sigurd Karlsbakk
  1 sibling, 1 reply; 6+ messages in thread
From: Antony Stone @ 2002-09-11 13:12 UTC (permalink / raw)
  To: Netfilter mailinglist

On Wednesday 11 September 2002 1:10 pm, Roy Sigurd Karlsbakk wrote:

> hi
>
> I currently have two identical servers I want to use in parallel with an
> iptables gate in front of them, so if one chrashes, iptables just sorts out
> and redirects to the other.
>
> If iptab_1 fails, iptab_2 should take over ip and (perhaps) mac address of
> iptab_1.

Use vrrp for this.   The MAC address *is* important too.

> ps: I don't think I need connection tracking.

In that case you can do what you want.

In fact, even if you did need connection tracking, you could still do it 
provided you don't also need NAT.

Antony.

-- 

In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.

In poetry, it is the exact opposite.

 - Paul Dirac

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: failover with iptables?
  2002-09-11 13:12 ` Antony Stone
@ 2002-09-11 13:44   ` Roy Sigurd Karlsbakk
  2002-09-11 13:54     ` Antony Stone
  2002-09-11 14:06     ` Jan Du Caju
  0 siblings, 2 replies; 6+ messages in thread
From: Roy Sigurd Karlsbakk @ 2002-09-11 13:44 UTC (permalink / raw)
  To: Antony Stone, Netfilter mailinglist

> Use vrrp for this.   The MAC address *is* important too.

hm ... 

vrrp is a protocol - right?

do you know where I can find a (good?) implementation for it for linux?

roy

-- 
Roy Sigurd Karlsbakk, Datavaktmester
ProntoTV AS - http://www.pronto.tv/
Tel: +47 9801 3356

Computers are like air conditioners.
They stop working when you open Windows.



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: failover with iptables?
  2002-09-11 13:44   ` Roy Sigurd Karlsbakk
@ 2002-09-11 13:54     ` Antony Stone
  2002-09-11 14:06     ` Jan Du Caju
  1 sibling, 0 replies; 6+ messages in thread
From: Antony Stone @ 2002-09-11 13:54 UTC (permalink / raw)
  To: Netfilter mailinglist

On Wednesday 11 September 2002 2:44 pm, Roy Sigurd Karlsbakk wrote:

> > Use vrrp for this.   The MAC address *is* important too.
>
> hm ...
>
> vrrp is a protocol - right?

Virtual Router Redundancy Protocol.

Connects two or more machines together and implements floating MAC and IP 
addresses, which are always attached to a working machine.   If one system 
dies, or loses network connectivity, the addresses automatically go to 
another machine so that other system don't know there's anything wrong.

> do you know where I can find a (good?) implementation for it for linux?

http://w3.arobas.net/~jetienne/vrrpd

Antony.

-- 

The difference between theory and practice is that
in theory there is no difference, whereas in practice there is.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: failover with iptables?
  2002-09-11 13:44   ` Roy Sigurd Karlsbakk
  2002-09-11 13:54     ` Antony Stone
@ 2002-09-11 14:06     ` Jan Du Caju
  1 sibling, 0 replies; 6+ messages in thread
From: Jan Du Caju @ 2002-09-11 14:06 UTC (permalink / raw)
  To: Roy Sigurd Karlsbakk; +Cc: Netfilter mailinglist

Hi,

Roy Sigurd Karlsbakk wrote:

>>Use vrrp for this.   The MAC address *is* important too.
>>    
>>
>
>hm ... 
>
>vrrp is a protocol - right?
>
>do you know where I can find a (good?) implementation for it for linux?
>
http://www.keepalived.org
http://www.linuxvirtualserver.org/~acassen/

you only need the vrrp component of keepalived (--disable-lvs ;-)

Greetz,
Jan.
------------------------- KULeuvenNet ----




^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2002-09-11 14:06 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-09-11 12:10 failover with iptables? Roy Sigurd Karlsbakk
2002-09-11 13:11 ` Martijn Klingens
2002-09-11 13:12 ` Antony Stone
2002-09-11 13:44   ` Roy Sigurd Karlsbakk
2002-09-11 13:54     ` Antony Stone
2002-09-11 14:06     ` Jan Du Caju

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox