[SOLVED] iptables load balancer

jarekjarecki

New Member
Joined
Apr 3, 2021
Messages
4
Reaction score
1
Credits
82
Hello guys,

Nice to join this forum. I'm not new to Linux but I didn't do anything complicated with iptables and/or routing until now.

What I want to accomplish is to use one server as a load balancer and forward packets to a "real server" without changing the source IP so the real server will be able to see the client's IP address.

At the moment I'm able to see packets on a real server and I'm even able to send responses back through the load balancer.

The issue is that I set the route based on the source IP (the client's IP) and I want to somehow mark packets that are coming from the load balancer and then reroute reply packets through the load balancer.

Here is the configuration:

Server 1 (let's name it LB): eth1: 10.0.0.74
Server 2 (let's name it RS): eth1: 10.0.0.75


At the moment on LB:

/usr/sbin/iptables -t nat -A PREROUTING --wait -p tcp --dport 80 -s 55.75.61.241 -d 179.19.72.229 -j DNAT --to-destination 10.0.0.75:80
/usr/sbin/iptables -A FORWARD -d 10.0.0.75 -j ACCEPT

55.75.61.241 - external client IP
179.19.72.229 - server public (eth0) IP

With this configuration, I can see, using tcpdump on eth1, that packets arrive on RS.


Then for testing, I added on RS:

route add 55.75.61.241 gw 10.0.0.74

And with this configuration I can get a reply from the HTTP server on port 80 using LB IP 179.19.72.229:

curl -v http://179.19.72.229:80/


My idea is that on eth1 of RS the only packets with a source IP outside the private range (10.0.0.x) are those redirected from LB, so I could mark them and somehow reroute the reply packets to LB's eth1.

I tried:

ip route add table 100 default via 10.0.0.74 dev eth1
ip rule add fwmark 0x2 table 100

iptables -t mangle -A INPUT -i eth1 -s 55.75.61.241 -j MARK --set-mark 2
iptables -t mangle -A INPUT -j CONNMARK --save-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

But it doesn't work.

Do you have an idea why?


OP

jarekjarecki

New Member
Joined
Apr 3, 2021
Messages
4
Reaction score
1
Credits
82
Ok I found a solution. It's not elegant but it works.

Simply set a default gateway for any public IP originating from eth1.

With this solution I can still use eth1 for other purposes, like connecting to the database, and that traffic is not affected by this gateway.

I couldn't find a way to close this thread. Where is the option to close a thread?

/usr/sbin/ip rule add from 10.0.0.75 to 0.0.0.0/5 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 8.0.0.0/7 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 11.0.0.0/8 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 12.0.0.0/6 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 16.0.0.0/4 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 32.0.0.0/3 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 64.0.0.0/2 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 128.0.0.0/3 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 160.0.0.0/5 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 168.0.0.0/6 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 172.0.0.0/12 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 172.32.0.0/11 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 172.64.0.0/10 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 172.128.0.0/9 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 173.0.0.0/8 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 174.0.0.0/7 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 176.0.0.0/4 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.0.0.0/9 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.128.0.0/11 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.160.0.0/13 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.169.0.0/16 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.170.0.0/15 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.172.0.0/14 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.176.0.0/12 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 192.192.0.0/10 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 193.0.0.0/8 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 194.0.0.0/7 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 196.0.0.0/6 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 200.0.0.0/5 lookup custom
/usr/sbin/ip rule add from 10.0.0.75 to 208.0.0.0/4 lookup custom

/usr/sbin/ip route add default via 10.0.0.74 dev eth1 table custom
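The thirty `to` prefixes above are not arbitrary: they are the minimal CIDR cover of IPv4 minus the three RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and 224.0.0.0/3 (multicast and reserved). The script below is an added example, not code from the thread; it regenerates that list with Python's `ipaddress` module so the rule set can be reproduced (or extended, e.g. to also exclude 100.64.0.0/10 if CGNAT space is used on eth1) instead of being typed by hand, and it includes a small simulator of the `from`/`to` rule match so one can check that database traffic to another 10.0.0.x host still uses the main table while traffic to a public client is steered through table `custom` via 10.0.0.74. The simulator models only the policy rules shown in the post, not the contents of the main routing table.

```python
import ipaddress
from typing import Iterable, List

# Ranges that must NOT be steered through the load balancer: RFC 1918 private
# space plus 224.0.0.0/3 (multicast and reserved). This is exactly the set the
# post's rule list leaves out (assumption inferred from the list, not stated there).
EXCLUDED = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
    ipaddress.IPv4Network("224.0.0.0/3"),
]


def public_prefixes(excluded: Iterable[ipaddress.IPv4Network] = EXCLUDED) -> List[ipaddress.IPv4Network]:
    """Return the minimal set of CIDR prefixes covering all of IPv4 except `excluded`."""
    remaining = [ipaddress.IPv4Network("0.0.0.0/0")]
    for ex in excluded:
        carved = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                                  # lies entirely inside a hole: drop it
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))    # split this prefix around the hole
            else:
                carved.append(net)                        # disjoint from the hole: keep as is
        remaining = carved
    return sorted(remaining)


def ip_rule_lines(src: str, table: str, prefixes: Iterable[ipaddress.IPv4Network] = None) -> List[str]:
    """Render one `ip rule add` line per prefix, in the same form the post uses."""
    prefixes = public_prefixes() if prefixes is None else prefixes
    return [f"/usr/sbin/ip rule add from {src} to {p} lookup {table}" for p in prefixes]


def route_table_for(src: str, dst: str, rule_src: str = "10.0.0.75", table: str = "custom") -> str:
    """Simulate the policy rules: which routing table is consulted for a packet src -> dst?

    Only the `from <rule_src> to <public prefix>` rules are modelled; anything that
    does not match falls through to the main table, as it does on the real host.
    """
    if ipaddress.IPv4Address(src) == ipaddress.IPv4Address(rule_src):
        d = ipaddress.IPv4Address(dst)
        if any(d in p for p in public_prefixes()):
            return table
    return "main"


if __name__ == "__main__":
    # Emit the complete rule set for the RS host from the thread (10.0.0.75 -> table custom).
    for line in ip_rule_lines("10.0.0.75", "custom"):
        print(line)
    print("/usr/sbin/ip route add default via 10.0.0.74 dev eth1 table custom")
    # Sanity checks: a public client goes via the LB, a private DB host does not.
    print(route_table_for("10.0.0.75", "55.75.61.241"))   # custom
    print(route_table_for("10.0.0.75", "10.0.0.20"))      # main
```

Because `address_exclude` always produces the minimal split, the output is the same thirty prefixes as the post's list, which is a useful check that nothing was mistyped. The order of the `ip rule` lines does not matter here since the destinations are disjoint, but if a narrower exception is ever added (for instance to keep one public monitoring host on the main table) it needs a lower `priority` value than these rules so it is evaluated first.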

KGIII

Super Moderator
Staff member
Gold Supporter
Joined
Jul 23, 2020
Messages
5,789
Reaction score
5,241
Credits
46,730

wizardfromoz

Administrator
Staff member
Gold Supporter
Joined
Apr 30, 2017
Messages
7,118
Reaction score
5,994
Credits
23,570
I've reversed the lock and added "Solved" - others may have use of this.

Cheers

Chris Turner
wizardfromoz

KGIII

Super Moderator
Staff member
Gold Supporter
Joined
Jul 23, 2020
Messages
5,789
Reaction score
5,241
Credits
46,730
I've reversed the lock and added "Solved" - others may have use of this.

I thought the same thing but they, the user, want it closed. So, I obliged.