do you mean CLUSTERIP target? i hadn't looked into it and it seems kind
of cool, but alas, not much going on with it... or is there?!
lvs has quite a bit of infra/solutions built on it.
Thanks. That's what I needed.
And one more question about my setup. Now lvs works and I need to set up iptables rules to pass only LVS traffic. How to do that in the simplest way? For outgoing packets it's easy:
- mark packets (iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1);
- accept those packets in the INPUT chain (iptables -A INPUT -m mark --mark 0x1 -j ACCEPT);
- and that's it. LVS packets don't go through FORWARD chain.
But how to match returning packets in the FORWARD chain in the simplest and "the most correct" way?
For simple SNAT/DNAT packets there is the "-m conntrack --ctstate SNAT,DNAT" match.
Thanks,
Mindaugas
P.S.
# ipvsadm -Sn
-A -f 1 -s wlc -p 10
-a -f 1 -r 192.168.150.26:0 -m -w 1
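The two iptables steps above and the `ipvsadm -Sn` output describe one fwmark-based setup: the mangle rule stamps mark 1 on TCP/80 connections, the INPUT rule lets the marked packets in, and the virtual service `-f 1` is keyed on that same mark. The script below is an added example (not code from the thread) that ties those pieces together so the mark value appears in exactly one place. It assumes the values from the post (mark 1, port 80, real server 192.168.150.26); `FWMARK`, `VPORT`, `REAL_SERVER` and the `DRY_RUN` switch are this example's own names. With `DRY_RUN=1` (the default) it only prints the commands for review; with `DRY_RUN=0` it applies them, skipping iptables rules that already exist so it can be re-run safely. The open question about matching returning packets in FORWARD is not addressed here.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the fwmark-based LVS
# setup described in the post: mark TCP/80 in mangle PREROUTING, accept the
# marked packets in INPUT, and define an ipvsadm virtual service keyed on the
# same mark. FWMARK/VPORT/REAL_SERVER/DRY_RUN are this example's own names;
# the default values are the ones visible in the post (mark 1, port 80,
# real server 192.168.150.26 from the ipvsadm -Sn output).

FWMARK=${FWMARK:-1}
VPORT=${VPORT:-80}
REAL_SERVER=${REAL_SERVER:-192.168.150.26}
DRY_RUN=${DRY_RUN:-1}      # 1 = print the commands, 0 = execute them

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_rule TABLE CHAIN MATCH...: append an iptables rule only if an identical
# one is not already present (iptables -C returns 0 when the rule exists),
# so re-running the script does not pile up duplicate rules.
add_rule() {
    table=$1; shift
    if [ "$DRY_RUN" = 1 ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

lvs_fwmark_rules() {
    # 1. stamp inbound client connections for the virtual port with the fwmark
    add_rule mangle PREROUTING -p tcp -m tcp --dport "$VPORT" -j MARK --set-mark "$FWMARK"
    # 2. let marked packets into INPUT, where IPVS picks them up (they never
    #    traverse FORWARD on the way in)
    add_rule filter INPUT -m mark --mark "$FWMARK" -j ACCEPT
    # 3. the virtual service keyed on that mark, as in the post's ipvsadm -Sn
    run ipvsadm -A -f "$FWMARK" -s wlc -p 10
    run ipvsadm -a -f "$FWMARK" -r "$REAL_SERVER:0" -m -w 1
}

# fwmark_consistent: sanity check that the MARK target, the mark match and
# both ipvsadm -f entries all use the same FWMARK value (expects 4 hits).
fwmark_consistent() {
    n=$(lvs_fwmark_rules | grep -c \
        -e "--set-mark $FWMARK\$" \
        -e "--mark $FWMARK " \
        -e "ipvsadm -[Aa] -f $FWMARK ")
    [ "$n" -eq 4 ]
}

lvs_fwmark_rules
```

Run it once with the default `DRY_RUN=1` and compare the printed commands against the rules already in the post; `DRY_RUN=0 sh script.sh` then applies them, and a second run is a no-op for the iptables rules (ipvsadm will report the service as already existing).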