Hello,
On Mon, 12 Nov 2001, Federico wrote:
> I'm planning to make a Linux Firewall Cluster running iptables.
> I've some doubts, it's the first time for me to make a cluster.
> My firewall box is for first a router, which controls routing between
> different DMZs and the LAN.
>
> So I must keep routing for first, then firewalling.
>
> I've found that a heartbeat-only cluster is not a REAL H.A. solution,
> because if a selected interface goes down (there are many reasons) the
> heartbeat doesn't make the hypothetical second node take over the services. This is
> because it is hard to realize if a route goes down, not only an interface... If
> it was only the interface, I've made a simple SNMP script that checks the interface,
> but I must keep routing.
Yes, in my routing extensions I'm trying to solve such problems
by using alternative routes:
http://www.linuxvirtualserver.org/~julian/
Look for "Dead Gateway Detection"
It is completed for 2.2, this week I'll try to do it for 2.4 too.
It seems that ipchains, ipfwadm and iptables -j MASQUERADE will be
able to use multiple gateways for masquerading. Maybe SNAT will
use proper routing at least (it is bound to maddr). The failover you
need is provided from alternative routes. Read dgd-usage.txt
> I've thought of this way, and I wanna discuss it with you.
>
> A load balancing Firewall-Iptables-Cluster, so If an interface of one node
> goes down, the second interface keeps routing to other nets.
Done with proper routing rules and a little help from user
space.
> Now I wanna know your opinions and whether Virtual Server can help me to build
> this kind of cluster.
No. LVS is not universal. If you need this failover for
some services then you can use some cluster tools which are not part
of LVS but which control LVS. In any case, for 2.2 there is a
patch for LVS (on the above web page) that supports the routing
extensions. For 2.4 the problem is worse. It takes time to solve it.
But without more info provided by you I can't fully
answer what the right solution is for your setup.
> Thank you in Advance
Regards
--
Julian Anastasov <ja@xxxxxx>
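The "little help from user space" mentioned above, as an added example that is not part of this thread or of Julian's routing extensions: a monitor that probes the alternative gateways and moves the default route to the first one still alive, with a small hysteresis so one lost probe does not flap the route. The gateway addresses, the ICMP probe via the system `ping` binary and the iproute2 `ip route replace` command are assumptions.

```python
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed candidate gateways in priority order (assumed addresses).
GATEWAYS = ["192.0.2.1", "198.51.100.1"]
FAILS_BEFORE_DOWN = 3  # consecutive lost probes before a gateway is declared dead

@dataclass
class GatewayState:
    fails: Dict[str, int] = field(default_factory=dict)  # gateway -> consecutive failures
    current: Optional[str] = None                        # gateway currently installed

def ping(gw: str, timeout: int = 1) -> bool:
    """Return True if gw answers one ICMP echo within timeout seconds (assumed probe)."""
    r = subprocess.run(["ping", "-c", "1", "-W", str(timeout), gw],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0

def update(state: GatewayState, results: Dict[str, bool]) -> Optional[str]:
    """Feed one round of probe results (gateway -> alive?) and return the
    gateway that should carry the default route, or None if all are dead.
    A gateway is only declared dead after FAILS_BEFORE_DOWN consecutive
    failures, so one lost probe does not flap the route back and forth."""
    for gw, alive in results.items():
        state.fails[gw] = 0 if alive else state.fails.get(gw, 0) + 1
    for gw in GATEWAYS:
        if state.fails.get(gw, 0) < FAILS_BEFORE_DOWN:
            return gw
    return None

def route_cmd(gw: str) -> List[str]:
    """The iproute2 command that installs gw as the default route."""
    return ["ip", "route", "replace", "default", "via", gw]

def run_once(state: GatewayState) -> Optional[str]:
    """One monitor iteration: probe, decide, and reroute only when the choice changed."""
    best = update(state, {gw: ping(gw) for gw in GATEWAYS})
    if best is not None and best != state.current:
        subprocess.run(route_cmd(best), check=False)  # needs root; fails harmlessly otherwise
        state.current = best
    return best

if __name__ == "__main__":
    import time
    st = GatewayState()
    while True:                # poll forever; Ctrl-C to stop
        run_once(st)
        time.sleep(2)
```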