3.2.2. Direct Routing and iptables
You may also work around the ARP issue using the direct routing method by creating iptables firewall rules. To configure direct routing using iptables, you must add rules that create a transparent proxy so that a real server will service packets sent to the VIP address, even though the VIP address does not exist on the system.
The iptables method is simpler to configure than the arptables_jf method. This method also circumvents the LVS ARP issue entirely, because the virtual IP address(es) only exist on the active LVS director.
However, there are performance costs to the iptables method compared to arptables_jf, because every packet for the VIP passes through the nat table and has its destination address rewritten.
You also cannot reuse ports using the iptables method. The REDIRECT target rewrites the destination address of each packet to the address of the interface it arrived on, so the service must listen on that address (in practice, on INADDR_ANY) rather than on the virtual IP address. For example, it is not possible to run two separate Apache HTTP Server services bound to port 80, because both must bind to INADDR_ANY instead of their respective virtual IP addresses.
To configure direct routing using the iptables method, perform the following steps:
- On each real server, run the following command for every VIP, port, and protocol (TCP or UDP) combination intended to be serviced by the real server:

  iptables -t nat -A PREROUTING -p <tcp|udp> -d <vip> --dport <port> -j REDIRECT

  This command causes the real server to process packets destined for the VIP and port it is given. Always include the -d <vip> match; a REDIRECT rule without it would capture every packet arriving on that port, including traffic addressed to the real server's own IP address.
- Save the configuration on each real server:

  # service iptables save
  # chkconfig --level 2345 iptables on

  The first command writes the running rule set to /etc/sysconfig/iptables; the second enables the iptables init script in runlevels 2 through 5, so the system reloads the saved rules on boot, before the network is started and the interface can accept traffic for the VIP.
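The following script is an added example and is not part of the Red Hat documentation or the LVS project. It builds the per-real-server REDIRECT rules for a list of VIP:port:protocol combinations from the procedure above, and applies only those not already present, so it can be re-run without stacking duplicate rules. The VIP list is constructed sample data, and the duplicate check uses iptables -C, which assumes iptables 1.4.11 or newer; both are assumptions not stated on the page.

```shell
#!/bin/sh
# Added example, not part of the Red Hat Load Balancer Add-On documentation:
# build and (optionally) apply the per-real-server REDIRECT rules for a list of
# VIP:port:protocol combinations, skipping rules that are already present.
# Assumptions, not stated on the page: the sample VIP list below is invented,
# and the duplicate check uses "iptables -C", which needs iptables 1.4.11+.

# Constructed sample data: two TCP services on one VIP and a UDP service on another.
LVS_SERVICES="10.0.0.100:80:tcp 10.0.0.100:443:tcp 10.0.0.101:53:udp"

# lvs_rule_spec VIP:PORT:PROTO
# Print the rule specification (everything after the chain name) for one
# combination. Kept free of side effects so the rules can be reviewed before
# they are applied.
lvs_rule_spec() {
    entry=$1
    vip=${entry%%:*}
    rest=${entry#*:}
    port=${rest%%:*}
    proto=${rest#*:}
    case "$proto" in
        tcp|udp) ;;
        *) echo "lvs_rule_spec: unsupported protocol '$proto' in '$entry'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "lvs_rule_spec: bad port '$port' in '$entry'" >&2; return 1 ;;
    esac
    # Match only traffic for this VIP and port; an unscoped REDIRECT would
    # capture every packet arriving on the port, including ones addressed to
    # the real server's own IP address.
    printf '%s\n' "-p $proto -d $vip --dport $port -j REDIRECT"
}

# lvs_apply_rules ENTRY...
# Add each rule to the nat PREROUTING chain unless it is already there, so the
# script can be re-run (for example at boot) without adding duplicates.
lvs_apply_rules() {
    for entry in "$@"; do
        spec=$(lvs_rule_spec "$entry") || return 1
        # Word-splitting of $spec into separate arguments is intended here.
        if iptables -t nat -C PREROUTING $spec 2>/dev/null; then
            echo "present: PREROUTING $spec"
        else
            iptables -t nat -A PREROUTING $spec && echo "added:   PREROUTING $spec"
        fi
    done
}

# Usage: sh lvs-redirect.sh show   -> print the iptables commands that would run
#        sh lvs-redirect.sh apply  -> add the rules (needs root); then run
#        "service iptables save" to persist them as the procedure describes.
case "${1:-}" in
    show)
        for entry in $LVS_SERVICES; do
            echo "iptables -t nat -A PREROUTING $(lvs_rule_spec "$entry")"
        done ;;
    apply)
        lvs_apply_rules $LVS_SERVICES ;;
esac
```

After applying, confirm the rules and their packet counters with iptables -t nat -L PREROUTING -n -v; a rule whose counters stay at zero while clients hit the VIP usually means the director is not forwarding to this real server, not that the rule is wrong. Run show first on each real server and compare the output against the services the director actually balances to it, since a REDIRECT for a port the server is not meant to handle silently exposes that service on the VIP.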