I need to put together a firewall for a site that will also have a need for
ipvsadm services running with it. Our original idea was to forward several of
the external IPs into a second box, behind the wall, running ipvsadm.
When rethinking about the problem, we thought that we might be able to just run
iptables and ipvsadm on the same box. I recall from an issue I had a couple
years back that this might not be possible. So I'm checking to see if it is
and if so, what I should expect.
Here is a brief overview of the network. My understanding is that for
iptables, I would be using the IN path, instead of forward. The example is
simplified. We use fairly restrictive firewalls as well, just trying to work
through a sample.
Externally we have 6 public IPs. We'll say 1.1.1.0/29, internally we have
10.0.0.0/24.
* Firewall would be 1.1.1.2 on eth0
* Firewall would also have aliases for 1.1.1.3, 1.1.1.4, and 1.1.1.5 on eth0
* Firewall has internal address 10.0.0.1/24 on eth1
* Firewall has port forwarding set
* Real Server 1 has internal address of 10.0.0.5/25 on eth0
* Real Server 1 has external address of 1.1.1.3/32 on lo
* Real Server 2 has internal address of 10.0.0.6/25 on eth0
* Real Server 2 has external address of 1.1.1.3/32 on lo
* Real Server 3 has internal address of 10.0.0.7/25 on eth0
* Real Server 3 has external address of 1.1.1.3/32 on lo
ipvsadm rules would look like this:
-A -t 1.1.1.3:80 -s wlc
-a -t 1.1.1.3:80 -r 10.0.0.5 -g -w 100
-a -t 1.1.1.3:80 -r 10.0.0.6 -g -w 100
-a -t 1.1.1.3:80 -r 10.0.0.7 -g -w 100
iptables would have this:
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Does this sound reasonable? Will it work? Is there anything that I should
worry about?
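As an added example that is not part of the original post: a small shell script that renders the director's ipvsadm and iptables rule sets for the layout described above and cross-checks that every IPVS virtual service is matched by an INPUT ACCEPT rule, since VIP traffic on a DR director arrives via the INPUT path rather than FORWARD. The interface names, the iptables-restore chain policies, and the real-server ARP sysctls are assumptions of mine, not settings from the post.

```shell
#!/bin/sh
# Added example, not from the original post. The functions only print rules
# (nothing is applied), so this runs unprivileged and can be diffed against
# what ipvsadm-save / iptables-save report on the real box.

VIP=1.1.1.3                                  # VIP from the post
VPORT=80
REAL_SERVERS="10.0.0.5 10.0.0.6 10.0.0.7"    # real servers from the post

# IPVS rules in ipvsadm-save/ipvsadm-restore format (-g = gatewaying, DR mode).
lvs_rules() {
    echo "-A -t $VIP:$VPORT -s wlc"
    for rs in $REAL_SERVERS; do
        echo "-a -t $VIP:$VPORT -r $rs -g -w 100"
    done
}

# Director filter table in iptables-restore format. The VIP rule is stateless
# on purpose: in DR mode the director never sees the reply half of the
# connection, so conntrack would not reach ESTABLISHED for these flows.
fw_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -d $VIP -p tcp --dport $VPORT -j ACCEPT
COMMIT
EOF
}

# Real-server side (assumed, standard LVS-DR): VIP on lo plus ARP suppression.
rs_config() {
    echo "ip addr add $VIP/32 dev lo"
    echo "sysctl -w net.ipv4.conf.all.arp_ignore=1"
    echo "sysctl -w net.ipv4.conf.all.arp_announce=2"
}

# Cross-check: each IPVS service needs an INPUT ACCEPT for its VIP and port.
check_services_allowed() {
    rc=0
    lvs_rules | awk '$1 == "-A" { print $3 }' | while IFS=: read -r vip port; do
        fw_rules | grep -q -- "-A INPUT .*-d $vip .*--dport $port .*-j ACCEPT" \
            || { echo "no INPUT ACCEPT for $vip:$port" >&2; exit 1; }
    done || rc=1
    return $rc
}
```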