Hi everybody,
I'm a newbie to LVS, although I have been running Linux servers for
about 3 years now. Pretty familiar with iptables/netfilter, building
custom kernels and software compiles, etc.
I found some documentation regarding LVS on the website
(linuxvirtualserver.org), off hand I believe it was section 21 of the
LVS How-To, and running a firewall on the same box. It appears that
there is potential for "issues" if I try to have the director box also
be a firewall for the public servers. But I am a bit uncertain after
reading this documentation whether some or all of the issues mentioned
here are still a problem.
What I'd basically like to do is take a pair of machines, each with dual
NICs in them, and have them serve as a high-availability pair of
internet gateway/firewall machines for the network. We would be using
the NAT LVS option. Best I can tell, it would not be a problem at all,
except that I would also like this HA pair of machines to also serve as
the primary firewall for the network.
We have a pair of front-end servers running Apache/Qmail/Sqwebmail, and
various associated other services (courier-imap, mysql slave, etc.).
All the boxes are running customized 2.4.18-series kernels for now. We
have a /28 block of public IP address space to work with. The plan is
to have the gateway HA pair be a director for the front-end servers,
which themselves would also be an HA (and load-balanced) pair for the
public services these servers host. We're currently running round-robin
DNS, and not only does that waste public IPs, but it just "doesn't get
it" for sharing the load and availability.
I'm not worried about getting the real servers set up, should not be
very difficult. It's just the director machines I'm concerned about,
with the topics I saw about LVS getting along with netfilter connection
state/tracking, etc.
It looks like it may just be a matter of being careful in which order I
have packets traverse the chains, and don't get too crazy with the NAT
PRE/POSTROUTING parts of the firewall script. But I'm not sure if some
of the other things mentioned are still a problem or not.
I won't ask anybody to tell me how to do it or anything like that, I'm
just curious if anybody else is doing this and if it's going "generally
well" for you, or if I would be better off to NOT try to have the
gateway router/firewall box(es) also serving as director(s) for the real
servers.
Thanks in advance,
Vinnie