
How to specifically route back server traffic to the Load Balancer (source routing)

In practice there are several situations in which a specific routing configuration is needed so that only the traffic related to the service is routed from the target back to the load balancer. This can be done on Linux using iptables and the iproute2 functionality. The following script has to be run on the target and assumes an Apache server listening on port 80 on the target IP address 10.1.1.1. The addresses 10.1.1.10 and 10.1.1.11 in this example are the “network real” addresses of the master and backup node, respectively. The address 10.1.1.20 in this example is the “network virt” address represented by both nodes using VRRP and may be reachable via eth1.

This technique is also often referred to as “source routing”, since the source address (and port) information is used to determine the “next hop” for routing.

The basic ideas of this approach are:

  • The OUTPUT chain is used to influence locally generated traffic.
  • The special “mangle” table is used to mark outgoing packets with --set-mark.
  • The health check source addresses are exempted by the first two lines.
  • A special extra routing table www.out is created with iproute2.
  • Packets marked by iptables are specifically routed to the “network virt” address represented by both nodes using VRRP.

Here are the script contents, ready to be run at startup (change the addresses accordingly):

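# Exempt replies to the health checks of both load balancer nodes (these rules must come first)
iptables -A OUTPUT -t mangle -p tcp -d 10.1.1.10 --sport 80 -j ACCEPT
iptables -A OUTPUT -t mangle -p tcp -d 10.1.1.11 --sport 80 -j ACCEPT
# Mark all other traffic sent by the service on 10.1.1.1:80
iptables -A OUTPUT -t mangle -p tcp -s 10.1.1.1 --sport 80 -j MARK --set-mark 2
# Register the extra routing table only once, so that reruns do not append duplicate entries
grep -q 'www.out' /etc/iproute2/rt_tables || echo 202 www.out >> /etc/iproute2/rt_tables
# Send marked packets to the "network virt" address via the extra table
ip rule add fwmark 2 table www.out
ip route add default via 10.1.1.20 dev eth1 table www.out
ip route flush cache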

Basic commands to check these settings are:

iptables -t mangle -L
ip rule ls
ip route list table www.out
ip route
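
The order of the mangle rules matters: the two health check exemptions only work if they precede the MARK rule. The following added example (not part of the original script) checks that order and the policy route against saved command output; the function names and the sample outputs are constructed, and the `--set-xmark 0x2/0xffffffff` form is assumed to be how `iptables -S` prints `--set-mark 2`.

```shell
#!/bin/sh
# Added example, not from the original page. Sample outputs below are constructed.
# On a live target, pass "$(iptables -t mangle -S OUTPUT)", "$(ip rule ls)" and
# "$(ip route list table www.out)" instead of the SAMPLE_* variables.

# check_mangle RULES MARK CHECKER_IP...
# OK only if a MARK rule exists and each checker's ACCEPT exemption precedes it.
check_mangle() {
    rules=$1; mark=$2; shift 2
    # Assumes iptables -S prints "--set-mark 2" as "--set-xmark 0x2/0xffffffff".
    mark_line=$(printf '%s\n' "$rules" | grep -n -- "-j MARK --set-xmark $mark/" | head -n 1 | cut -d: -f1)
    [ -n "$mark_line" ] || { echo "no MARK rule for $mark"; return 1; }
    for addr in "$@"; do
        acc_line=$(printf '%s\n' "$rules" | grep -n -- "-d $addr/32 .*-j ACCEPT" | head -n 1 | cut -d: -f1)
        [ -n "$acc_line" ] || { echo "no exemption for $addr"; return 1; }
        [ "$acc_line" -lt "$mark_line" ] || { echo "exemption for $addr is after MARK"; return 1; }
    done
    return 0
}

# check_policy_route IP_RULES ROUTES MARK TABLE GATEWAY DEV
# OK only if the fwmark rule points at TABLE and TABLE has the default route.
check_policy_route() {
    printf '%s\n' "$1" | grep -q -- "fwmark $3 lookup $4\$" || { echo "no fwmark rule"; return 1; }
    printf '%s\n' "$2" | grep -q -- "^default via $5 dev $6" || { echo "no default route"; return 1; }
}

SAMPLE_MANGLE='-P OUTPUT ACCEPT
-A OUTPUT -d 10.1.1.10/32 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -d 10.1.1.11/32 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -s 10.1.1.1/32 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x2/0xffffffff'

# Same rules with the MARK rule first: health check replies would be marked too.
SAMPLE_MANGLE_BAD='-P OUTPUT ACCEPT
-A OUTPUT -s 10.1.1.1/32 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x2/0xffffffff
-A OUTPUT -d 10.1.1.10/32 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -d 10.1.1.11/32 -p tcp -m tcp --sport 80 -j ACCEPT'

SAMPLE_IP_RULES='0: from all lookup local
32765: from all fwmark 0x2 lookup www.out
32766: from all lookup main
32767: from all lookup default'

SAMPLE_ROUTES='default via 10.1.1.20 dev eth1'

check_mangle "$SAMPLE_MANGLE" 0x2 10.1.1.10 10.1.1.11 && echo "mangle order OK"
check_policy_route "$SAMPLE_IP_RULES" "$SAMPLE_ROUTES" 0x2 www.out 10.1.1.20 eth1 && echo "policy route OK"
```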

The following command flushes the OUTPUT chain of the mangle table, so that the script may be run again:

iptables -F OUTPUT -t mangle