Multi-port Services and LVS Clustering

LVS routers under any topology require extra configuration when creating multi-port LVS services. Multi-port services can be created artificially by using firewall marks to bundle together different, but related protocols, such as HTTP (port 80) and HTTPS (port 443), or when LVS is used to cluster true multi-port protocols, such as FTP. In either case, the LVS router uses firewall marks to recognize that packets destined for different ports, but bearing the same firewall mark, should be handled identically. Also, when combined with persistence, firewall marks ensure connections from the client machine are routed to the same host, as long as the connections occur within the length of time specified by the persistence parameter. For more on assigning persistence to a virtual server, see the Section called The VIRTUAL SERVER Subsection in Chapter 9.

Unfortunately, the mechanism used to balance the loads on the real servers — IPVS — can recognize the firewall marks assigned to a packet, but cannot itself assign firewall marks. The job of assigning firewall marks must be performed by a network packet filter, such as iptables or ipchains outside of Piranha Configuration Tool.

Assigning Firewall Marks

To assign firewall marks to a packet destined for a particular port, the administrator must use iptables or ipchains.

Important
In the explanation below, both iptables and ipchains commands are used to illustrate marking packets. However, administrators should be aware that iptables is the preferred method for filtering network packets, because it is a more secure, robust, and flexible technology. Also, in future versions of Red Hat Linux ipchains may no longer be supported.

This section illustrates how to bundle HTTP and HTTPS as an example; however, FTP is another commonly clustered multi-port protocol. If an LVS cluster is used for FTP services, see the Section called FTP In an LVS Cluster for details on how to best configure the cluster.

The basic rule to remember when using firewall marks is that for every protocol using a firewall mark in Piranha Configuration Tool there must be a commensurate iptables or ipchains rule to assign marks to the network packets.

Before creating network packet filter rules, make sure there are no rules already in place. To do this, open a shell prompt, log in as root, and type:

/sbin/service iptables status
/sbin/service ipchains status

If iptables is not running, the prompt will instantly reappear. If ipchains is not running, the following message will appear:

ipchains: Incompatible with this kernel

If either one of these network packet filters is active, it displays a set of rules. If rules are present, type whichever of the following commands corresponds to the active network packet filter:

/sbin/service iptables stop
/sbin/service ipchains stop

If the rules already in place are important, check the contents of /etc/sysconfig/iptables or /etc/sysconfig/ipchains and copy any rules worth keeping to a safe place before proceeding.

Important
Although iptables is the default network packet filtering mechanism under the 2.4 kernel, it cannot be used concurrently with ipchains. If you attempt to /sbin/modprobe ip_tables and the ipchains module is already loaded, the kernel will issue an error and fail to start iptables. The inverse of this statement is also true. To see which modules are loaded, type /sbin/lsmod.

You are free to choose either iptables or ipchains as the network packet filter for the LVS routers, but be aware that iptables is preferred and that support for ipchains is not guaranteed in future releases.

Below are rules which assign the same firewall mark, 80, to incoming traffic destined for the floating IP address, n.n.n.n, on ports 80 and 443. For instructions on assigning the VIP to the public network interface, see the Section called The VIRTUAL SERVER Subsection in Chapter 9. Also note that you must log in as root and load the module for either iptables or ipchains before issuing rules for the first time.

iptables
/sbin/modprobe ip_tables
/sbin/iptables -t mangle -A PREROUTING -p tcp \
               -d n.n.n.n/32 \
               --dport 80 -j MARK --set-mark 80
/sbin/iptables -t mangle -A PREROUTING -p tcp \
               -d n.n.n.n/32 \
               --dport 443 -j MARK --set-mark 80
ipchains
/sbin/modprobe ipchains
/sbin/ipchains -A input -p tcp -d n.n.n.n/32 80 -m 80
/sbin/ipchains -A input -p tcp -d n.n.n.n/32 443 -m 80

In the above network packet filter commands, n.n.n.n should be replaced with the floating IP for your HTTP and HTTPS virtual servers. These commands have the net effect of assigning any traffic addressed to the VIP on the appropriate ports a firewall mark of 80, which in turn is recognized by IPVS and forwarded appropriately.
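The following script is an added example, not part of the Red Hat manual: it generates the mangle-table MARK rules for a VIP and any number of ports that share one firewall mark, and it checks a PREROUTING listing (the output of /sbin/iptables -t mangle -L PREROUTING -n) to confirm that every port Piranha expects to carry that mark actually has a rule. The VIP 10.0.0.10, the sample listing, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Red Hat LVS manual): generate and verify the
# mangle-table MARK rules a firewall-mark virtual server needs.
# The VIP, ports and mark below are constructed sample values.

VIP="10.0.0.10"          # assumed floating IP (the manual's n.n.n.n)
FWMARK=80                # firewall mark shared by HTTP and HTTPS

# Print one iptables rule per port, all with the same mark. Pipe the output
# to sh as root to apply it; printing first lets you review the rules.
mark_rules() {
    vip=$1; mark=$2; shift 2
    for port in "$@"; do
        printf '/sbin/iptables -t mangle -A PREROUTING -p tcp -d %s/32 --dport %s -j MARK --set-mark %s\n' \
            "$vip" "$port" "$mark"
    done
}

# Check that a PREROUTING listing (iptables -t mangle -L PREROUTING -n)
# contains a MARK rule for every expected port with the expected mark.
# iptables prints the mark in hex, so 80 appears as 0x50.
# Returns 0 if all rules are present, 1 (naming the missing ports) otherwise.
verify_marks() {
    listing=$1; vip=$2; mark=$3; shift 3
    hexmark=$(printf '0x%x' "$mark")
    missing=""
    for port in "$@"; do
        if ! printf '%s\n' "$listing" | grep -q "^MARK .*$vip .*dpt:$port .*MARK set $hexmark\$"; then
            missing="$missing $port"
        fi
    done
    [ -z "$missing" ] && return 0
    echo "missing MARK rule for port(s):$missing" >&2
    return 1
}

# Constructed sample listing: only the port 80 rule was loaded, so the
# HTTPS half of the bundle is missing and verification must fail.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  0.0.0.0/0            10.0.0.10          tcp dpt:80 MARK set 0x50'

mark_rules "$VIP" "$FWMARK" 80 443
verify_marks "$SAMPLE_LISTING" "$VIP" "$FWMARK" 80 443 || echo "rules incomplete"
```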

Warning
The commands above will take effect immediately, but do not persist through a reboot of the system. To ensure network packet filter settings are restored upon reboot, refer to the Section called Saving Network Packet Filter Settings.