I am soon installing a Linux-based firewall box to protect a bunch of Windows IIS and database servers (bespoke application) on a private network behind it. The firewall itself will perform NAT/masquerading and port forwarding. That is all fine; that part is straightforward.
However, what I would like to do is make this firewall highly available and fault tolerant. So I'm thinking of adding a second, similar Linux box with a similar iptables ruleset, which I would like to set up in a cluster, so that if one box fails (falls over, some bumbling idiot kicks the power cable out, hardware fault, etc.) the other one will still be available to take over for subsequent connections.
I'm not too bothered about maintaining current connections, as I don't even know if that is possible when a failover happens, just as long as the second firewall takes over and handles all subsequent new connections after the first fails. I don't need any form of load balancing on these boxes.
My question is, what is the best way to accomplish this? I've been looking at heartbeat on linux-ha.org and I'm unsure whether it will work with iptables. It works with services that you can send a start command to, such as httpd, smbd, etc., but will it work for iptables? If so, how? Or is there a better way?
I know this question has been asked in a thread some time ago (http://www.linuxquestions.org/questi...bles+heartbeat), but the last post wasn't really conclusive, as it didn't answer the question about iptables suitability.
Thanks in advance.
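As an added example that is not part of the original post or of the heartbeat project's own scripts: heartbeat (linux-ha v1, haresources style) can manage anything that answers `start`, `stop` and `status` in the LSB fashion, so the usual way to put iptables under its control is a small resource script that loads one ruleset when the node is active and a tighter "standby" ruleset when it is not. The script below assumes it is installed as `/etc/ha.d/resource.d/fwrules` on both firewall nodes and listed in `haresources` after the floating addresses, e.g. `fw1 IPaddr::203.0.113.10/24/eth0 IPaddr::192.168.10.1/24/eth1 fwrules` (node name, interface names, addresses and the `HA_FW_ACTIVE` marker chain are all placeholders chosen for this example).

```shell
#!/bin/sh
# Added example (not from the original post): LSB-style resource script that
# lets heartbeat start/stop/status an iptables ruleset like httpd or smbd.
# Assumed install path: /etc/ha.d/resource.d/fwrules on both nodes.
# heartbeat invokes it as "fwrules start|stop|status".

# Site parameters (placeholders; identical on both firewall nodes).
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.10.0/24
IIS_HOST=192.168.10.10     # internal IIS server receiving forwarded port 80
EXT_VIP=203.0.113.10       # floating external address moved by IPaddr
PEER_HB=10.0.0.2           # heartbeat peer on a dedicated crossover link
STATE_CHAIN=HA_FW_ACTIVE   # empty marker chain: present only on the active node

emit() { printf '%s\n' "$1"; }

# Emit a complete ruleset in iptables-restore format.
#   mode=active : host protection + port forwarding + NAT for the private net
#   mode=standby: host protection only; no forwarding, no NAT, so the passive
#                 box is never an open router while waiting to take over
render_ruleset() {
  mode=$1; wan=$2; lan=$3; lan_net=$4; iis=$5; vip=$6; peer=$7
  emit '*filter'
  emit ':INPUT DROP [0:0]'
  emit ':FORWARD DROP [0:0]'
  emit ':OUTPUT ACCEPT [0:0]'
  emit '-A INPUT -i lo -j ACCEPT'
  emit '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  # Never block heartbeat itself (UDP 694, its default): if the nodes cannot
  # hear each other, both go active and fight over the floating IPs.
  emit "-A INPUT -s $peer -p udp --dport 694 -j ACCEPT"
  if [ "$mode" = active ]; then
    emit ":$STATE_CHAIN - [0:0]"
    emit '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    emit "-A FORWARD -i $wan -o $lan -d $iis -p tcp --dport 80 -j ACCEPT"
    emit "-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT"
  fi
  emit 'COMMIT'
  emit '*nat'
  emit ':PREROUTING ACCEPT [0:0]'
  emit ':POSTROUTING ACCEPT [0:0]'
  if [ "$mode" = active ]; then
    emit "-A PREROUTING -i $wan -d $vip -p tcp --dport 80 -j DNAT --to-destination $iis:80"
    # SNAT to the floating address rather than MASQUERADE: MASQUERADE picks the
    # interface's primary (per-node) address, so outbound traffic would change
    # source address after a failover.
    emit "-A POSTROUTING -o $wan -s $lan_net -j SNAT --to-source $vip"
  fi
  emit 'COMMIT'
}

# Load a ruleset atomically (requires root and iptables-restore).
apply_ruleset() {
  render_ruleset "$1" "$WAN_IF" "$LAN_IF" "$LAN_NET" "$IIS_HOST" "$EXT_VIP" "$PEER_HB" \
    | iptables-restore
}

# Active iff the marker chain exists in the filter table.
is_active() { iptables -n -L "$STATE_CHAIN" >/dev/null 2>&1; }

# LSB-style entry points; with no argument the script does nothing.
case "${1:-}" in
  start)  apply_ruleset active ;;
  stop)   apply_ruleset standby ;;
  status) if is_active; then echo "fwrules is running"
          else echo "fwrules is stopped"; exit 3; fi ;;
  '') ;;
  *) echo "usage: $0 {start|stop|status}" >&2; exit 1 ;;
esac
```

Both nodes load the standby ruleset at boot; heartbeat then runs `fwrules start` only on the node that currently owns the floating IPs, and `fwrules stop` (back to standby) when it gives them up, so there is never a window where the passive box forwards or NATs traffic. Connections in flight are still lost on failover because conntrack state lives on the node that dies, which matches what the post is willing to accept.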