|
> I thing I have to applied this rules only on the director....
The examples I gave were for the real servers. In DR method each of the
real servers must be able to accept requests for the VIP and do something
with it. For example, if your VIP was 10.11.12.13 and your real server was
10.11.12.14 serving httpd it would have to somehow accept requests for
10.11.12.13:80. The tricky part with DR is that each server must not reply
to ARPs on the network for the VIP. If this happens all the load goes to
whichever real server the switch thinks the IP address belongs to (whichever
ARP-replied).
The idea with transparent proxy (REDIRECT) is that instead of creating an
alias with the IP address of the VIP on each real server (standard method),
you instead just create a firewall rule saying "change the syn request
destination IP address from VIP to my external IP so that the request goes
to the VIP". Since the real server doesn't have an alias interface that can
ARP we don't have to worry about ARP-replies and all that jazz!
> Why $IPTABLES -t nat if I'm using direct routing ?
You are using NAT for the tcp-syn requests. See above.
Hope that helps!
Peter
|
