3.2.2. Direct Routing and iptables

3.2.2. Direct Routing and iptables

You may also work around the ARP issue using the direct routing method by creating iptables firewall rules. To configure direct routing using iptables, you must add rules that create a transparent proxy so that a real server will service packets sent to the VIP address, even though the VIP address does not exist on the system.

The iptables method is simpler to configure than the arptables_jf method. This method also circumvents the LVS ARP issue entirely, because the virtual IP address(es) only exist on the active LVS director.

However, there are performance issues using the iptables method compared to arptables_jf, as there is overhead in forwarding/masquerading every packet.

You also cannot reuse ports using the iptables method. For example, it is not possible to run two separate Apache HTTP Server services bound to port 80, because both must bind to INADDR_ANY instead of the virtual IP addresses.

To configure direct routing using the iptables method, perform the following steps:

  1. On each real server, run the following command for every VIP, port, and protocol (TCP or UDP) combination intended to be serviced for the real server:

    iptables -t nat -A PREROUTING -p <tcp|udp> -d <vip> --dport <port> -j REDIRECT

    This command will cause the real servers to process packets destined for the VIP and port that they are given.

  2. Save the configuration on each real server:

    # service iptables save
    # chkconfig --level 2345 iptables on
    

    The commands above cause the system to reload the iptables configuration on bootup — before the network is started.


Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.