[SOLVED] iptables load balancer

jarekjarecki

New Member
Credits
82
Hello guys,

Nice to join this forum. I'm not new to Linux but I didn't do anything complicated with iptables and/or routing until now.

What I want to accomplish is to use one server as a load balancer and forward packets to a "real server" without changing the source IP so the real server will be able to see the client's IP address.

At the moment I'm able to see packets on a real server and I'm even able to send responses back through the load balancer.

The issue is that I set route based on source IP (client's IP) and I want to somehow mark packets that are coming from load balancer then reroute reply packets through the load balancer.

Here is the configuration:

Server 1 (let's name it LB): eth1: 10.0.0.74
Server 2(let's name it RS): eth1: 10.0.0.75


At them moment on LB:

/usr/sbin/iptables -t nat -A PREROUTING --wait -p tcp --dport 80 -s 55.75.61.241 -d 179.19.72.229 -j DNAT --to-destination 10.0.0.75:80
/usr/sbin/iptables -A FORWARD -d 10.0.0.75 -j ACCEPT

55.75.61.241 - external client IP
179.19.72.229 - server public (eth0) IP

with this configuration, I can see, using tcpdump on eth1 that packets arrive on RS.


Then for testing, I added on RS:

route add 55.75.61.241 gw 10.0.0.74

And with this configuration I can get a reply from the HTTP server on port 80 using LB IP 179.19.72.229:

curl -v http://179.19.72.229:80/


My idea is that on eth1 of RS the only packets with source IP other than in the range of private (10.0.0.x) are those packets that are redirected from LB so I could mark them and somehow reroute reply packets to LB eth1.

I tried:

ip route add table 100 default via 10.0.0.74 dev eth1
ip rule add fwmark 0x2 table 100

iptables -t mangle -A INPUT -i eth1 -s 55.75.61.241 -j MARK --set-mark 2
iptables -t mangle -A INPUT -j CONNMARK --save-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

But it doesn't work.

Do you have an idea why?
 


jarekjarecki

New Member
Credits
82
Ok I found a solution. It's not elegant but it works.

Simply set default gateway for any public IP originating from eth1.

With this solution I can still use eth1 for other purposes like connecting database and it is not affected by this gateway.

I couldn't find a way to close this thread. WHere is an option to close thread?

/usr/sbin/ip rule add from 10.0.0.75 to 0.0.0.0/5 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 8.0.0.0/7 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 11.0.0.0/8 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 12.0.0.0/6 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 16.0.0.0/4 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 32.0.0.0/3 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 64.0.0.0/2 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 128.0.0.0/3 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 160.0.0.0/5 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 168.0.0.0/6 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 172.0.0.0/12 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 172.32.0.0/11 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 172.64.0.0/10 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 172.128.0.0/9 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 173.0.0.0/8 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 174.0.0.0/7 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 176.0.0.0/4 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.0.0.0/9 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.128.0.0/11 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.160.0.0/13 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.169.0.0/16 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.170.0.0/15 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.172.0.0/14 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.176.0.0/12 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.192.0.0/10 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 193.0.0.0/8 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 194.0.0.0/7 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 196.0.0.0/6 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 200.0.0.0/5 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 208.0.0.0/4 lookup custom

/usr/sbin/ip route add default via 10.0.0.74 dev eth1 table custom
 

wizardfromoz

Super Moderator
Staff member
Gold Supporter
Credits
14,557
I've reversed the lock and added "Solved" - others may have use of this.

Cheers

Chris Turner
wizardfromoz
 
$100 Digital Ocean Credit
Get a free VM to test out Linux!

Members online


Latest posts

Top