help for VS-NAT with firewall functions ?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: help for VS-NAT with firewall functions ?
Cc: ratz@xxxxxx
From: Alois Treindl <alois@xxxxxxxx>
Date: Sat, 28 Apr 2001 07:29:12 +0200 (METDST)
Configuration for a LVS-NAT system.

Purpose: load-balanced http services
         non-load-balanced other services: https, ftp
         firewall services provided by director

    (provider router)
         |     VIP=         (these 3 IP addresses are subject
         |     DEP1=         to change when we move from testing
         |eth0 DEP=          to production)
   |            |
   | director/  |       2 NIC, Linux 2.2.19 with ipvs 1.0.7
   | firewall   |              Pentium III 860 MHz, 768 MB RAM
   |            |
         |eth1 DIP=
   -----------------------------------------  (switch)
   |                |               |
   |                |               |
   |                |               |
   |RIP1=   |RIP2=  |RIP3=   ..... more real servers
 +----------+   +--------+    +---------+                  added in future
 | "w1"     |   | "w2"   |    | "w3"    |
 | real ser.|   | real s.|    | real s. |
 | http, ftp|   | http   |    | http    |
 | https,   |   |        |    |         |
 | dbms     |   +--------+    +---------+

 The real servers are all dual CPU 1000 MHz Pentium III with 1 or 2 GB RAM
 and Linux 2.2.19

 Load balancing 
 in director only for http under IP=VIP

 We do not need persistent http sessions because all real servers
 share data via the joint dbms on 'w1'.

 Servers also share static web data via NFS-mounting the docs directory.

 Our http services are computation intensive, so our limiting
 factor is CPU load and not bandwidth. We hope that we will be far
 from saturating our 100 MHz network connection, as this would become
 very expensive, paying per GB data volume to the provider.

 Non-Load-balanced services:
 In addition to load balancing, director shall serve as a packet filter
 firewall and NAT translator (? terminology).

 https: Requests for https IP=VIP should be directly forwarded to 'w1' IP=RIP1.
        (we have only about 0.5% https sessions, compared with the many
        http sessions)

 ftp: Requests for ftp IP=VIP should be directly forwarded to 'w1' IP=RIP1.
        (we have only a few public ftp connections).

 ssh to IP=DEP should connect to the director
 ssh to IP=DEP1 should connect to "w1" IP=RIP1

 Other services required:
 dns    all real servers need to be able to resolve clients' domain names.
        I propose running a named service on director, which the servers
        use as their name server.

 ntp    we run an ntp server on director, broadcasting time to the internal
        net, and querying time from an internet time server.

 smtp   all real servers and director need to be able to send mail to
        clients; the cluster does not receive mail.

 ping   allow ping to director under IP=DEP and IP=VIP,
        and to "w1", i.e. ping to IP=DEP2 should be forwarded to "w1"

 Remote operation
 The cluster will be deployed at a remote location (the ISP's
 colocation server room). We will usually not have physical access to
 the cluster - except for emergency intervention - and will do all further
 administration of services and server content via ssh/scp.

 I think that using an eth0 alias for VIP will allow me to turn off
 the public service in a convenient way, by disabling this alias IP
 on director, while maintaining the other two IPs for cluster maintenance.
 This should be helpful when the server is flooded with requests
 to VIP/http, for example.

 Help needed
 This is the first time that I have set up an LVS system, and
 the first time that I have set up a Linux firewall/packet filter.

 Before that, I had set up packet filters only on Cisco routers; my
 main work experience is with HPUX and not Linux.

 Is my design prudent, and will it work?
 (I chose this so that I do not need a separate firewall box).

 I would appreciate detailed help on configuring both
 the LVS configuration and the firewall/ipchains configuration.


|| Alois Treindl,  Astrodienst AG,  mailto:alois@xxxxxxxxx
|| Zollikon/Zurich, Switzerland     
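The LVS and ipchains side of the design described in the post, as an added example that is not part of the original message or of the LVS project: http on VIP is NAT-balanced over w1..w3, https and ftp on VIP and ssh on DEP1 are handed to w1 as single-real-server LVS services, and the director's own packet filter is default-deny on eth0. All addresses are constructed placeholders (TEST-NET-3 outside, RFC 1918 inside); the ping forwarding to w1 is not covered, since neither ipvsadm nor these rules forward ICMP.

```shell
# Added example, not from the original post: ipvsadm and ipchains rules that
# implement the design above on a 2.2.x kernel (ipvs 1.0.7 with ipchains).
# All addresses are constructed placeholders (TEST-NET-3 outside, RFC 1918 inside).
VIP="203.0.113.10"        # public service address (eth0 alias)
DEP="203.0.113.11"        # director's own public address: ssh to the director
DEP1="203.0.113.12"       # public address whose ssh is handed to w1
RIP_NET="192.168.1.0/24"  # internal network on eth1 (DIP lives here)
RIP1="192.168.1.11"; RIP2="192.168.1.12"; RIP3="192.168.1.13"

DRY_RUN="${DRY_RUN:-1}"   # 1: print the commands; 0: execute them (as root)
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

lvs_rules() {
  run ipvsadm -C
  # http on VIP: balanced over all real servers with NAT (-m), equal weights
  run ipvsadm -A -t "$VIP:80" -s wlc
  for rip in "$RIP1" "$RIP2" "$RIP3"; do
    run ipvsadm -a -t "$VIP:80" -r "$rip:80" -m -w 1
  done
  # https and ftp on VIP, ssh on DEP1: a service with w1 as its only real
  # server, which lets LVS do the plain forwarding to RIP1 (tcp only)
  for svc in "$VIP:443" "$VIP:21" "$DEP1:22"; do
    run ipvsadm -A -t "$svc" -s rr
    run ipvsadm -a -t "$svc" -r "$RIP1:${svc##*:}" -m
  done
}
fw_rules() {
  run ipchains -F
  # forward chain: masquerade the real servers' own outbound traffic (dns,
  # smtp, ntp); LVS-NAT replies from the real servers need this rule as well
  run ipchains -P forward DENY
  run ipchains -A forward -i eth0 -s "$RIP_NET" -j MASQ
  # input chain: default deny on eth0, accept only the listed services
  run ipchains -P input DENY
  run ipchains -A input -i lo -j ACCEPT
  run ipchains -A input -i eth1 -s "$RIP_NET" -j ACCEPT
  for svc in "$VIP 80" "$VIP 443" "$VIP 21" "$DEP1 22" "$DEP 22"; do
    run ipchains -A input -i eth0 -p tcp -d $svc -j ACCEPT
  done
  run ipchains -A input -i eth0 -p icmp --icmp-type echo-request -d "$DEP" -j ACCEPT
  run ipchains -A input -i eth0 -p icmp --icmp-type echo-request -d "$VIP" -j ACCEPT
  # replies to connections the director opened itself: non-SYN tcp, dns, ntp
  run ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
  run ipchains -A input -i eth0 -p udp -s 0/0 53 -j ACCEPT
  run ipchains -A input -i eth0 -p udp -s 0/0 123 -j ACCEPT
}
lvs_rules; fw_rules
```

Run with DRY_RUN=1 first and compare the printed commands against the addresses you actually receive from the provider before executing with DRY_RUN=0.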
