3.4. Multi-port Services and Load Balancer
			LVS routers under any topology require extra configuration when creating multi-port Load Balancer services. Multi-port services can be created artificially by using firewall marks to bundle together different, but related protocols, such as HTTP (port 80) and HTTPS (port 443), or when Load Balancer is used with true multi-port protocols, such as FTP. In either case, the LVS router uses firewall marks to recognize that packets destined for different ports, but bearing the same firewall mark, should be handled identically. Also, when combined with persistence, firewall marks ensure connections from the client machine are routed to the same host, as long as the connections occur within the length of time specified by the persistence parameter.
		
Although the mechanism used to balance the loads on the real servers, IPVS, can recognize the firewall marks assigned to a packet, it cannot itself assign firewall marks. The job of assigning firewall marks must be performed by the network packet filter, iptables. The default firewall administration tool in Red Hat Enterprise Linux 7 is firewalld, which can be used to configure iptables. If preferred, iptables can be used directly. See Red Hat Enterprise Linux 7 Security Guide for information on working with iptables in Red Hat Enterprise Linux 7.
3.4.1. Assigning Firewall Marks Using firewalld
To assign firewall marks to a packet destined for a particular port, the administrator can use firewalld's firewall-cmd utility.
If required, confirm that firewalld is running:

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Tue 2016-01-26 05:23:53 EST; 7h ago

To start firewalld, enter:

# systemctl start firewalld

To ensure firewalld is enabled to start at system start:

# systemctl enable firewalld
				This section illustrates how to bundle HTTP and HTTPS as an example; however, FTP is another commonly clustered multi-port protocol.
			
				The basic rule to remember when using firewall marks is that for every protocol using a firewall mark in Keepalived there must be a commensurate firewall rule to assign marks to the network packets.
			
Before creating network packet filter rules, make sure there are no rules already in place. To do this, open a shell prompt, log in as root, and enter the following command:

# firewall-cmd --list-rich-rules
If no rich rules are present the prompt will instantly reappear.

If firewalld is active and rich rules are present, it displays a set of rules.
If the rules already in place are important, check the contents of /etc/firewalld/zones/ and copy any rules worth keeping to a safe place before proceeding. Delete unwanted rich rules using a command in the following format:

# firewall-cmd --zone=zone --remove-rich-rule='rule' --permanent

The --permanent option makes the setting persistent, but the command will only take effect at next system start. If required to make the setting take effect immediately, repeat the command omitting the --permanent option.
The first load balancer related firewall rule to be configured is to allow VRRP traffic for the Keepalived service to function. Enter the following command:

# firewall-cmd --add-rich-rule='rule protocol value="vrrp" accept' --permanent

If the zone is omitted the default zone will be used.
Below are rules which assign the same firewall mark, 80, to incoming traffic destined for the floating IP address, n.n.n.n, on ports 80 and 443.

If the zone is omitted the default zone will be used.
See the Red Hat Enterprise Linux 7 Security Guide for more information on the use of firewalld's rich language commands.
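The following added example (not code from the Red Hat guide) builds the per-port rich rules for a mark bundle and checks a --list-rich-rules listing for ports the mark does not cover, which is the practical form of the rule that every port in the bundle needs its own mark rule. It assumes firewalld's rich-language "mark set" action and uses a constructed VIP (192.0.2.10) and a constructed listing.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: generate the firewalld rich rules
# that give every port of a bundled service the same firewall mark, and check a
# `firewall-cmd --list-rich-rules` listing for ports the mark does not cover.
# 192.0.2.10 (the VIP) and mark 80 are constructed sample values.

# Print one rich rule per port.  Usage: mark_rules VIP MARK PORT...
mark_rules() {
    vip=$1; mark=$2; shift 2
    for port in "$@"; do
        printf 'rule family="ipv4" destination address="%s/32" port port="%s" protocol="tcp" mark set="%s"\n' \
            "$vip" "$port" "$mark"
    done
}

# Add each rule permanently, then again without --permanent so it takes effect
# now (the guide's pattern).  Skipped where firewall-cmd is not installed.
apply_mark_rules() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found, nothing applied"; return 0; }
    mark_rules "$@" | while IFS= read -r rule; do
        firewall-cmd --add-rich-rule="$rule" --permanent
        firewall-cmd --add-rich-rule="$rule"
    done
}

# Return 0 when LISTING (text of `firewall-cmd --list-rich-rules`) marks every
# PORT for VIP with MARK; otherwise print the uncovered ports and return 1.
# Usage: check_mark_coverage LISTING VIP MARK PORT...
check_mark_coverage() {
    listing=$1; vip=$2; mark=$3; shift 3
    missing=""
    for port in "$@"; do
        want="destination address=\"$vip/32\" port port=\"$port\" protocol=\"tcp\" mark set=\"$mark\""
        printf '%s\n' "$listing" | grep -Fq -- "$want" || missing="$missing $port"
    done
    [ -z "$missing" ] || { echo "mark $mark does not cover port(s):$missing"; return 1; }
}

# Constructed listing: the VRRP rule and only the HTTP mark rule were added, so
# HTTPS connections would reach IPVS unmarked and not be balanced with HTTP.
SAMPLE_LISTING='rule protocol value="vrrp" accept
rule family="ipv4" destination address="192.0.2.10/32" port port="80" protocol="tcp" mark set="80"'

check_mark_coverage "$SAMPLE_LISTING" 192.0.2.10 80 80 443 || echo "add the missing rule(s) with apply_mark_rules"
```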
3.4.2. Assigning Firewall Marks Using iptables
To assign firewall marks to a packet destined for a particular port, the administrator can use iptables.
				This section illustrates how to bundle HTTP and HTTPS as an example; however, FTP is another commonly clustered multi-port protocol.
			
				The basic rule to remember when using firewall marks is that for every protocol using a firewall mark in Keepalived there must be a commensurate firewall rule to assign marks to the network packets.
			
Before creating network packet filter rules, make sure there are no rules already in place. To do this, open a shell prompt, log in as root, and enter the following command:

/usr/sbin/service iptables status
If iptables is not running, the prompt will instantly reappear.

If iptables is active, it displays a set of rules. If rules are present, enter the following command:

/sbin/service iptables stop
If the rules already in place are important, check the contents of /etc/sysconfig/iptables and copy any rules worth keeping to a safe place before proceeding.
The first load balancer related firewall rule to be configured is to allow VRRP traffic for the Keepalived service to function:

/usr/sbin/iptables -I INPUT -p vrrp -j ACCEPT
Below are rules which assign the same firewall mark, 80, to incoming traffic destined for the floating IP address, n.n.n.n, on ports 80 and 443.

/usr/sbin/iptables -t mangle -A PREROUTING -p tcp -d n.n.n.n/32 -m multiport --dports 80,443 -j MARK --set-mark 80
Note that you must log in as root and load the module for iptables before issuing rules for the first time.
In the above iptables commands, n.n.n.n should be replaced with the floating IP for your HTTP and HTTPS virtual servers. These commands have the net effect of assigning any traffic addressed to the VIP on the appropriate ports a firewall mark of 80, which in turn is recognized by IPVS and forwarded appropriately.
			Warning
					The commands above will take effect immediately, but do not persist through a reboot of the system.
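As an added example that is not part of the guide, the script below adds the mangle-table mark rule only when iptables -C reports it absent (re-issuing the -A command above appends a duplicate each time) and counts the rule in iptables-save output so the setting can be verified after a reboot. It assumes iptables-save renders --set-mark 80 as --set-xmark 0x50/0xffffffff and uses a constructed VIP (192.0.2.10) and a constructed dump.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: add the mangle-table mark rule
# only when it is not already present and verify it from `iptables-save`
# output, where --set-mark 80 is rendered as --set-xmark 0x50/0xffffffff.
# 192.0.2.10 (the VIP) and mark 80 are constructed sample values.

IPT=/usr/sbin/iptables

# The guide's rule without table and chain, so it works with both -C and -A.
# Usage: mark_rule_spec VIP MARK PORTS   (PORTS comma-separated, e.g. 80,443)
mark_rule_spec() {
    printf '%s' "-p tcp -d $1/32 -m multiport --dports $3 -j MARK --set-mark $2"
}

# The same rule as iptables-save prints it: matches reordered, mark in hex.
saved_mark_rule() {
    hex=$(printf '%x' "$2")
    printf '%s' "-A PREROUTING -d $1/32 -p tcp -m multiport --dports $3 -j MARK --set-xmark 0x$hex/0xffffffff"
}

# Idempotent apply: `iptables -C` exits 0 when an identical rule exists.
apply_mark_rule() {
    [ -x "$IPT" ] || { echo "$IPT not found, nothing applied"; return 0; }
    spec=$(mark_rule_spec "$@")
    # $spec is deliberately unquoted so it is split into separate arguments.
    if $IPT -t mangle -C PREROUTING $spec 2>/dev/null; then
        echo "mark rule already present"
    else
        $IPT -t mangle -A PREROUTING $spec
    fi
}

# Count occurrences of the mark rule in DUMP (text of `iptables-save -t mangle`):
# 0 means the VIP's traffic reaches IPVS unmarked, more than 1 means duplicates.
# Usage: count_mark_rules DUMP VIP MARK PORTS
count_mark_rules() {
    dump=$1; shift
    printf '%s\n' "$dump" | grep -Fc -- "$(saved_mark_rule "$@")" || true
}

# Constructed dump in the format iptables-save uses, after the guide's command
# was issued once for ports 80 and 443.
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -p tcp -m multiport --dports 80,443 -j MARK --set-xmark 0x50/0xffffffff
COMMIT'

echo "mark rules for 192.0.2.10 in sample dump: $(count_mark_rules "$SAMPLE_DUMP" 192.0.2.10 80 80,443)"
```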