LVS routers under any topology require extra configuration when
creating multi-port LVS services. Multi-port services can be
created artificially by using firewall marks to bundle together
different, but related protocols, such as HTTP (port 80) and HTTPS
(port 443), or when LVS is used to cluster true multi-port
protocols, such as FTP. In either case, the LVS router uses
firewall marks to recognize that packets destined for different
ports, but bearing the same firewall mark, should be handled
identically. Also, when combined with persistence, firewall marks
ensure connections from the client machine are routed to the same
host, as long as the connections occur within the length of time
specified by the persistence parameter. For more on assigning
persistence to a virtual server, see Section 10.6.1, The VIRTUAL
SERVER Subsection.
Unfortunately, the mechanism used to balance the loads on the
real servers — IPVS — can recognize the firewall marks
assigned to a packet, but cannot itself assign firewall marks. The
job of assigning firewall marks must be
performed by the network packet filter, iptables, outside of Piranha
Configuration Tool.
To assign firewall marks to a packet destined for a particular
port, the administrator must use iptables.
This section illustrates how to bundle HTTP and HTTPS as an
example; however, FTP is another commonly clustered multi-port
protocol. If an LVS cluster is used for FTP services, see Section
9.4, FTP In an LVS Cluster, for details on how best to configure
the cluster.
The basic rule to remember when using firewall marks is that for
every protocol using a firewall mark in Piranha Configuration Tool there must be a
commensurate iptables rule to assign marks
to the network packets.
Before creating network packet filter rules, make sure there are
no rules already in place. To do this, open a shell prompt, log in
as root, and type:
/sbin/service iptables status
If iptables is not running, the prompt
will instantly reappear.
If iptables is active, it displays a
set of rules. If rules are present, type the following command:
/sbin/service iptables stop
If the rules already in place are important, check the contents
of /etc/sysconfig/iptables and copy any
rules worth keeping to a safe place before proceeding.
Below are rules which assign the same firewall mark, 80, to
incoming traffic destined for the floating IP address, n.n.n.n, on ports 80 and 443. For instructions
on assigning the VIP to the public network interface, see Section
10.6.1, The VIRTUAL SERVER Subsection.
Also note that you must log in as root and load the module for
iptables before issuing rules for the
first time.
# load the iptables kernel module (needed once, before the first rule)
/sbin/modprobe ip_tables
# mark HTTP traffic to the VIP with firewall mark 80
/sbin/iptables -t mangle -A PREROUTING -p tcp \
    -d n.n.n.n/32 --dport 80 -j MARK --set-mark 80
# mark HTTPS traffic to the same VIP with the same mark, 80
/sbin/iptables -t mangle -A PREROUTING -p tcp \
    -d n.n.n.n/32 --dport 443 -j MARK --set-mark 80
In the above iptables commands,
n.n.n.n should be replaced with the
floating IP for your HTTP and HTTPS virtual servers. These commands
have the net effect of assigning any traffic addressed to the VIP
on the appropriate ports a firewall mark of 80, which in turn is
recognized by IPVS and forwarded appropriately.
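The following shell script is an added example and is not part of the original manual or of Piranha Configuration Tool. It generates the mangle-table MARK rules for any set of ports on one VIP, and checks a saved rule set (the form written to /etc/sysconfig/iptables) for ports that have no matching MARK rule, which is the mismatch the "basic rule" above warns about. The VIP 192.0.2.10, the port list and the sample rule set are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original manual. Builds the mangle MARK
# rules that bundle several ports of one VIP under a single firewall
# mark, and checks a saved rule set for ports that lack such a rule.
# VIP 192.0.2.10, mark 80 and SAMPLE_RULES below are constructed.

# Print one iptables command per port.  Usage: fwmark_rules VIP MARK PORT...
fwmark_rules() {
    vip=$1; mark=$2; shift 2
    for port in "$@"; do
        printf '/sbin/iptables -t mangle -A PREROUTING -p tcp -d %s/32 --dport %s -j MARK --set-mark %s\n' \
            "$vip" "$port" "$mark"
    done
}

# Read a rule set on stdin (iptables-save or "iptables -t mangle -S"
# form; the mark may be decimal or hex, --set-mark or --set-xmark) and
# print every port that has no MARK rule for VIP.  Returns 1 if any
# port is missing.  Usage: fwmark_check VIP MARK PORT... < rules
fwmark_check() {
    vip=$1; mark=$2; shift 2
    hex=$(printf '0x%x' "$mark")        # iptables-save writes marks in hex
    rules=$(cat)
    status=0
    for port in "$@"; do
        pat="-d ${vip}(/32)? .*--dport ${port} .*-j MARK --set-x?mark (${mark}|${hex})(/0xffffffff)?( |\$)"
        if ! printf '%s\n' "$rules" | grep -Eq -- "$pat"; then
            echo "$port"
            status=1
        fi
    done
    return $status
}

# Constructed saved rule set: the HTTPS rule was never added, so
# port 443 traffic would not carry mark 80 and IPVS would not bundle it.
SAMPLE_RULES='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x50/0xffffffff
COMMIT'

if [ "${1:-}" = demo ]; then
    fwmark_rules 192.0.2.10 80 80 443
    printf '%s\n' "$SAMPLE_RULES" | fwmark_check 192.0.2.10 80 80 443 \
        || echo "the ports listed above have no MARK rule for the VIP"
fi
```

Run it with the argument `demo` to print the two rules and the report that port 443 is missing from the sample rule set.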