IPtables Filter On Connection/ Load Balancer Question

danmartinj · 02-03-2017, 05:15 PM

Hello all,

I have been playing with an IPtables load balancer I found from this blog: https://www.webair.com/community/sim...ables-and-nat/

Anyhow, this guy created a load balancer where he can at the gateway filter packet by packet and evenly distribute packets to any set of targets. So the code basically looks like the below and I can confirm the idea does work.

Code:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -m state --state NEW -m statistic --mode nth --every 4 --packet 0 -j DNAT --to-destination 10.0.0.3:80

# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -m state --state NEW -m statistic --mode nth --every 4 --packet 1 -j DNAT --to-destination 10.0.0.4:80

# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -m state --state NEW -m statistic --mode nth --every 4 --packet 2 -j DNAT --to-destination 10.0.0.5:80

# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -m state --state NEW -m statistic --mode nth --every 4 --packet 3 -j DNAT --to-destination 10.0.0.6:80

So my question is now I have been playing around with this idea in different ways trying to make this concept stateful which I have had no luck so does anyone have any ideas? My thoughts are I cannot use the statistics module because it appears to only filter by packet and I need something that will filter by connection so hopefully someone might have some ideas as this must be possible.

Thanks in advance,

Joe

TenTenths · 02-06-2017, 03:39 AM

A quick read or the article would indicate that the balancing is stateful for a single connection, however as http does not necessarily maintain a stateful connection (and indeed can create multiple connections concurrently even for the same page load) the method is not really suitable for "real world" balancing.

Indeed the second sentence of the article states "In practice we would use a daemon such as HAProxy allowing IP tables to check packets before forwarding them." which is sound advice.

sundialsvcs · 02-06-2017, 08:26 AM

If I'm gonna use a load balancer, I design the back-end logic so that it is not "stateful." If multiple servers can handle my traffic, I have to design things so that they can coordinate their activities properly by themselves.

danmartinj · 02-07-2017, 11:38 AM

Hey guys,

Just to close out this thread I was able to find a way to build a simple load balancer using IPtables. I basically used the initial code from my first post and added/modified the commands with CONNMARK so it can be done.

I got most of my solution from the below link which shows examples of doing similar things.
https://blog.khax.net/2009/11/28/mul...-and-iproute2/

But thanks again for your input.

R
Joe