Hello Joe,
Can I route by dst_port?
I would think so, haven't tested it yet.
I want to send all packets from RIP to 0/0:80 through the
default gw, and all other packets from the RIP (eg to
0/0:other ports) to the DIP.
What do you think about the following (RIP=10.10.10.10/32,
DGW=172.23.1.1/32):
# set the mark in the mangle table (filter cannot set marks, and -m mark only matches an existing one)
iptables -t mangle -A OUTPUT -p tcp -s 10.10.10.10/32 -d 0/0 \
    --destination-port 80 -j MARK --set-mark 1
# select table 100 by mark only; "dev eth0" in an ip rule means the *incoming* interface,
# which for locally generated packets is lo, so the rule would never match
ip rule add fwmark 1 lookup 100 pref 1000
ip route add default via 172.23.1.1 table 100
Check out the 'bounce table walking' principle.
In my normal setup for VS-DR I send packets from the VIP
on the realservers to the default gw, while all packets
from the RIP I send to the DIP. I do this because I
assume that only packets from the VIP on the realserver
need to get to the outside world. There are normally
no clients on the realservers making calls to 0/0.
Any such packets are sent to the DIP, where a filter
drops them.
Yeah, I know, you would like to monitor the RS from the DIP without
having the daemon listening on the RIP, right? This is how you would
like to solve the problem of trying to connect to the RIP from the
director within the LVS cluster. I still haven't come around to testing it.
I've been planning on doing this for 1.5 years already :(
However in the case of a 3 tier system (eg the realservers
are squids), a client on the realserver will be making
calls to 0/0:80. It would be nice to route only those
packets and arrange for the rest of the packets to 0/0
to be dropped.
Well, generate two rules, add the desired fwmark'd packets to one
routing table and add a blackhole to the other table. Then packets can
bounce the routing table.
Cheers,
Roberto Nibali, ratz
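The two-table setup described above ("desired fwmark'd packets to one routing table, a blackhole in the other"), written out as an added example. This is not code from the thread; the RIP, default gateway, mark value and table numbers are assumed placeholder values, and the script prints the commands instead of executing them unless DRY_RUN=0 is set, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): "bounce table walking"
# for a realserver whose RIP may only talk to 0/0:80 through the default gw.
# Every other packet sourced from the RIP lands in a blackhole table.
# All values below are assumed placeholders.
RIP="10.10.10.10/32"
DGW="172.23.1.1"
MARK=1
TBL_OUT=100      # table holding the real default route (marked packets only)
TBL_DROP=101     # table holding nothing but a blackhole route

# Every command goes through run(): with DRY_RUN=1 (the default) it is only
# printed, so the plan can be inspected; DRY_RUN=0 applies it (needs root).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

mark_port80() {
    # Marking must be done in the mangle table with the MARK target; the
    # kernel re-evaluates the route of a locally generated packet after the
    # mark is set, so the ip rules below see it.
    run iptables -t mangle -A OUTPUT -p tcp -s "$RIP" --dport 80 \
        -j MARK --set-mark "$MARK"
}

build_tables() {
    run ip route add default via "$DGW" table "$TBL_OUT"
    run ip route add blackhole default table "$TBL_DROP"
}

add_rules() {
    # Rule order is the walk: marked packets are resolved in TBL_OUT first;
    # anything else sourced from the RIP falls through ("bounces") to the
    # next rule and ends in the blackhole table.
    run ip rule add fwmark "$MARK" lookup "$TBL_OUT" pref 1000
    run ip rule add from "$RIP" lookup "$TBL_DROP" pref 1001
}

setup() {
    mark_port80
    build_tables
    add_rules
}

# Print the plan (or apply it with DRY_RUN=0).
setup
```

Verify the result on a live box with `ip rule show` and `ip route show table 100` / `table 101`; a packet from the RIP to a non-80 port should now be dropped locally with "no route to host" rather than reaching the DIP, which is the behaviour the reply above asks for.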