このコンテンツは選択した言語では利用できません。
3.2.2. Direct Routing and iptables
You may also work around the ARP issue using the direct routing method by creating
iptables firewall rules. To configure direct routing using iptables, you must add rules that create a transparent proxy so that a real server will service packets sent to the VIP address, even though the VIP address does not exist on the system.
The
iptables method is simpler to configure than the arptables_jf method. This method also circumvents the LVS ARP issue entirely, because the virtual IP address(es) only exist on the active LVS director.
However, there are performance issues using the
iptables method compared to arptables_jf, as there is overhead in forwarding/masquerading every packet.
You also cannot reuse ports using the
iptables method. For example, it is not possible to run two separate Apache HTTP Server services bound to port 80, because both must bind to INADDR_ANY instead of the virtual IP addresses.
To configure direct routing using the
iptables method, perform the following steps:
- On each real server, run the following command for every VIP, port, and protocol (TCP or UDP) combination intended to be serviced for the real server:
iptables -t nat -A PREROUTING -p <tcp|udp> -d <vip> --dport <port> -j REDIRECTThis command will cause the real servers to process packets destined for the VIP and port that they are given. - Save the configuration on each real server:
#
service iptables save#chkconfig --level 2345 iptables onThe commands above cause the system to reload theiptablesconfiguration on bootup — before the network is started.
