Score:1

Failover load balancing by iptables is possible?

I'm playing around with iptables in my home lab. My first goal is to take my Active Directory communication into one load balancing virtual IP. I used the PREROUTING chain to do that. For testing purposes, I started only with the DNS service. My rules look like:

-A PREROUTING -d 10.0.0.1 -p udp --dport 53 -j DNAT --to-destination 192.168.2.1:53

-A PREROUTING -d 10.0.0.1 -p udp --dport 53 -j DNAT --to-destination 192.168.2.2:53
  • 10.0.0.1 is the desired VIP address.
  • 192.168.2.1 and 192.168.2.2 are the DC servers.

The VIP itself works, I get a DNS response. However, if I detach the first DC's network card, the DNS response times out. I checked it; from 192.168.2.2 itself it works, so it isn't the server's failure.

I know it's because my rules technically don't do load balancing, nor is it failover. It fails because it only passes the first rule. I tried to set an IP range in a single rule, but that didn't help either.

Also, I tried things like statistic probability and nth or socket, but none of them worked.

Is there any module in iptables to solve this case?

Score:0

Yes, it's possible. The CLUSTERIP target is designed specifically for that.

It is configured by assigning the same IP address to all nodes, but filtering access so that roughly 1/N of all connections are processed by each node. It is designed so that if the N nodes are configured with all the same settings except that --local-node takes values 0, 1, ..., N-1, then all connections are processed — each connection will be assigned to one and only one node.

However, it alone is not enough. When a node is down, the share of connections that should have been processed by it will not be considered by anyone. To fix that, all remaining nodes need to be reconfigured with new values of --total-nodes and --local-node. For this reason, it is not designed to be run by hand. You need some agent which will constantly check all the nodes and reconfigure the CLUSTERIP on all nodes on the fly.

Usually the Pacemaker + Corosync clustering stack is used, which has a ClusterIP agent to control this kind of load balancing. It will do all the dirty work: check which nodes are alive, configure the iptables rules; it can also do more, such as defining "alive" as "Apache service is running and accepting connections". Overall Pacemaker is a very capable clustering stack.

As this module is unable to consider the actual load of the nodes, it is not used for end services much. However, if you want to have several higher-level load balancing HAProxy or Nginx nodes which intelligently balance actual web (or other) backends, to make the balancer farm itself highly available you set up CLUSTERIP-style load balancing for them.
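As an added illustration of the per-node rule and the failover step the answer describes (example script, not from the answer or the Pacemaker agent): each node installs the same CLUSTERIP rule differing only in --local-node, and when a node dies a survivor claims the dead node's number through the kernel's /proc/net/ipt_CLUSTERIP/<vip> control file rather than dropping that share of connections. It assumes the VIP 10.0.0.1 from the question, a client-facing interface eth0 and a constructed multicast cluster MAC; node numbers in the extension run from 1 to N, and the functions only print the commands so they can be checked without root.

```shell
#!/bin/sh
# Added example: CLUSTERIP rule generation and takeover bookkeeping.
VIP=10.0.0.1                    # VIP from the question
IFACE=eth0                      # assumption: interface facing the clients
CLUSTERMAC=01:00:5E:00:00:20    # constructed multicast MAC shared by all nodes
TOTAL=2                         # number of DCs behind the VIP

# Print the iptables command for node $1 of $TOTAL. Every node runs the
# identical command except for --local-node; the rule sits in INPUT because
# the VIP is configured locally on each node, not DNAT'ed from elsewhere.
clusterip_rule() {
  printf 'iptables -I INPUT -d %s -i %s -j CLUSTERIP --new --hashmode sourceip --clustermac %s --total-nodes %d --local-node %d\n' \
    "$VIP" "$IFACE" "$CLUSTERMAC" "$TOTAL" "$1"
}

# Given the alive node numbers as a space-separated list, print the "+N"
# tokens a surviving node must write to the procfs control file so that the
# dead nodes' share of the hash space is answered instead of silently dropped.
takeover_tokens() {
  alive="$1"
  i=1
  out=""
  while [ "$i" -le "$TOTAL" ]; do
    case " $alive " in
      *" $i "*) ;;               # node is alive: nothing to take over
      *) out="$out+$i " ;;       # node is dead: claim its number
    esac
    i=$((i + 1))
  done
  printf '%s' "${out% }"
}

# Print the shell command a monitoring agent would run on a survivor
# (echo "+2" > /proc/net/ipt_CLUSTERIP/10.0.0.1 claims node 2's share).
takeover_command() {
  tokens=$(takeover_tokens "$1")
  [ -n "$tokens" ] || { printf 'nothing to do\n'; return; }
  for t in $tokens; do
    printf 'echo "%s" > /proc/net/ipt_CLUSTERIP/%s\n' "$t" "$VIP"
  done
}

if [ "${1:-}" = "demo" ]; then
  clusterip_rule 1
  takeover_command "1"          # node 2 is down, node 1 must take over "+2"
fi
```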
