1

I'm playing around with iptables in my home lab. My first goal is to take my active directory communication into one load balancing virtual IP. I used prerouting chain to do that. For testing purposes, I started only with the DNS service. My rules looks like:

-A PREROUTING -d 10.0.0.1 -p udp --dport 53 -j DNAT --to-destination 192.168.2.1:53 -A PREROUTING -d 10.0.0.1 -p udp --dport 53 -j DNAT --to-destination 192.168.2.2:53
  • 10.0.0.1 is the desired VIP address.
  • 192.168.2.1 and 192.168.2.2 are the DC servers.

The VIP itself works, I get DNS response. However, If I detach the first DC's network card, DNS response times out. I checked it, from 192.168.2.2 itself works, so it isn't the server's failure.

I know it's because my rules technically don't do load balancing, neither it is failover. It fails because it passes only the first rule. I tried to set IP range in a singe rule, but didn't help either.

Also, tried things, like statistic probability and nth or socket, but none of them worked.

Is there any module in iptables to solve this case?

Improve this question

1 Answer 1

Reset to default
0

Yes, it's possible. CLUSTERIP target is designed specifically for that.

It is configured by assigning the same IP address to all nodes, but filtering access to roughly 1/N of all connections are processed by each node. It is designed so that if the N nodes are configured with all the same settings except --local-node takes values 0, 1, ..., N-1, then all connections are processed — each connection will be assigned to one and only one node.

However, it's alone is not enough. When node is down, the share of connections that should have been processed by it will not be considered by anyone. To fix that, all remaining nodes need to be reconfigured with new values of --total-nodes and --local-node. For this reason, it is not designed to be run by hand. You need some agent which will constantly check all the nodes and reconfigure the CLUSTERIP on all nodes on the fly.

Usually Pacemaker + Corosync clustering stack is used, which has ClusterIP agent to control this kind of load balancing. It will do all the dirty work: check which nodes are alive, configure the iptables rules; it can also do more, such as defining "alive" as "Apache service is running and accepting connections". Overall Pacemaker is very capable clustering stack.

As this module is unable to consider the actual load of the nodes, it is not used for end services much. However, if you want to have several higher-level load balancing HAProxy or Nginx nodes which intelligently balance actual web (or other) backends, to make the balancer farm itself highly available you setup CLUSTERIP-style load balancing for them.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.