3.4.1. Assigning Firewall Marks

3.4.1. Assigning Firewall Marks

To assign firewall marks to a packet destined for a particular port, the administrator must use iptables.

This section illustrates how to bundle HTTP and HTTPS as an example; however, FTP is another commonly clustered multi-port protocol. If an LVS is used for FTP services, refer to Section 3.5, “Configuring FTP” for configuration details.

The basic rule to remember when using firewall marks is that for every protocol using a firewall mark in Piranha Configuration Tool there must be a commensurate iptables rule to assign marks to the network packets.

Before creating network packet filter rules, make sure there are no rules already in place. To do this, open a shell prompt, login as root, and type:

/sbin/service iptables status

If iptables is not running, the prompt will instantly reappear.

If iptables is active, it displays a set of rules. If rules are present, type the following command:

/sbin/service iptables stop

If the rules already in place are important, check the contents of /etc/sysconfig/iptables and copy any rules worth keeping to a safe place before proceeding.

Below are rules which assign the same firewall mark, 80, to incoming traffic destined for the floating IP address, n.n.n.n, on ports 80 and 443.

/sbin/modprobe ip_tables

/sbin/iptables -t mangle -A PREROUTING -p tcp -d n.n.n.n/32 --dport 80 -j MARK --set-mark 80

/sbin/iptables -t mangle-A PREROUTING -p tcp -d n.n.n.n/32 --dport 443 -j MARK --set-mark 80

For instructions on assigning the VIP to the public network interface, see Section 4.6.1, “The VIRTUAL SERVER Subsection”. Also note that you must log in as root and load the module for iptables before issuing rules for the first time.

In the above iptables commands, n.n.n.n should be replaced with the floating IP for your HTTP and HTTPS virtual servers. These commands have the net effect of assigning any traffic addressed to the VIP on the appropriate ports a firewall mark of 80, which in turn is recognized by IPVS and forwarded appropriately.

Warning

The commands above will take effect immediately, but do not persist through a reboot of the system. To ensure network packet filter settings are restored upon reboot, refer to Section 3.6, “Saving Network Packet Filter Settings”


Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.