검색

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

3.4. Multi-port Services and LVS

download PDF
LVS routers under any topology require extra configuration when creating multi-port LVS services. Multi-port services can be created artificially by using firewall marks to bundle together different, but related protocols, such as HTTP (port 80) and HTTPS (port 443), or when LVS is used with true multi-port protocols, such as FTP. In either case, the LVS router uses firewall marks to recognize that packets destined for different ports, but bearing the same firewall mark, should be handled identically. Also, when combined with persistence, firewall marks ensure connections from the client machine are routed to the same host, as long as the connections occur within the length of time specified by the persistence parameter. For more on assigning persistence to a virtual server, see Section 4.6.1, “The VIRTUAL SERVER Subsection”.
Unfortunately, the mechanism used to balance the loads on the real servers — IPVS — can recognize the firewall marks assigned to a packet, but cannot itself assign firewall marks. The job of assigning firewall marks must be performed by the network packet filter, iptables, outside of Piranha Configuration Tool.

3.4.1. Assigning Firewall Marks

To assign firewall marks to a packet destined for a particular port, the administrator must use iptables.
This section illustrates how to bundle HTTP and HTTPS as an example; however, FTP is another commonly clustered multi-port protocol. If an LVS is used for FTP services, refer to Section 3.5, “Configuring FTP” for configuration details.
The basic rule to remember when using firewall marks is that for every protocol using a firewall mark in Piranha Configuration Tool there must be a commensurate iptables rule to assign marks to the network packets.
Before creating network packet filter rules, make sure there are no rules already in place. To do this, open a shell prompt, login as root, and type:
/sbin/service iptables status
If iptables is not running, the prompt will instantly reappear.
If iptables is active, it displays a set of rules. If rules are present, type the following command:
/sbin/service iptables stop
If the rules already in place are important, check the contents of /etc/sysconfig/iptables and copy any rules worth keeping to a safe place before proceeding.
Below are rules which assign the same firewall mark, 80, to incoming traffic destined for the floating IP address, n.n.n.n, on ports 80 and 443.
/sbin/modprobe ip_tables
/sbin/iptables -t mangle -A PREROUTING -p tcp -d n.n.n.n/32 --dport 80 -j MARK --set-mark 80
/sbin/iptables -t mangle-A PREROUTING -p tcp -d n.n.n.n/32 --dport 443 -j MARK --set-mark 80
For instructions on assigning the VIP to the public network interface, see Section 4.6.1, “The VIRTUAL SERVER Subsection”. Also note that you must log in as root and load the module for iptables before issuing rules for the first time.
In the above iptables commands, n.n.n.n should be replaced with the floating IP for your HTTP and HTTPS virtual servers. These commands have the net effect of assigning any traffic addressed to the VIP on the appropriate ports a firewall mark of 80, which in turn is recognized by IPVS and forwarded appropriately.

Warning

The commands above will take effect immediately, but do not persist through a reboot of the system. To ensure network packet filter settings are restored upon reboot, refer to Section 3.6, “Saving Network Packet Filter Settings”
Red Hat logoGithubRedditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

© 2024 Red Hat, Inc.