In practice there are several situations, where a specific routing configuration is needed to route only the traffic related to the service from the target back to the load balancer. This can be done with Linux using iptables and the iproute2 functionality. The following script has to be run on the target and assumes an apache server listening on port 80 on the target IP address 10.1.1.1. The addresses 10.1.1.10 and 10.1.1.11 in this example are the “network real” addresses of the master and backup node, respectively. The address 10.1.1.20 in this example is the “network virt” address represented by both nodes using VRRP and may be reachable via eth1.
This technique is also often being referenced as “source routing”, since the sourceaddress (and port) information is used to determine the “next hop” for routing.
The basic ideas of this approach are:
- The OUTPUT chain is used to influence locally generated traffic.
- The special “mangle” table is used to mark outgoing packets with –set-mark.
- The health check source addresses are exempted by the first two lines.
- A special extra routing table www.out is created with iproute2.
- Packets marked by iptables are specifically routed to the “network virt” address represented by both nodes using VRRP.
Here the script contents ready to be run on startup (change addresses accordingly):
iptables -A OUTPUT -t mangle -p tcp -d 10.1.1.10 --sport 80 -j ACCEPT iptables -A OUTPUT -t mangle -p tcp -d 10.1.1.11 --sport 80 -j ACCEPT iptables -A OUTPUT -t mangle -p tcp -s 10.1.1.1 --sport 80 -j MARK --set-mark 2 echo 202 www.out >> /etc/iproute2/rt_tables ip rule add fwmark 2 table www.out ip route add default via 10.1.1.20 dev eth1 table www.out ip route flush cache
Basic commands to check these settings are:
iptables -t mangle -L ip rule ls ip route list table www.out ip route
The following command flushes the table, so that a script may be run again:
iptables -F OUTPUT -t mangle