Gentoo Archives: gentoo-user

From: thegeezer <thegeezer@×××××××××.net>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] HA-Proxy or iptables?
Date: Thu, 29 Aug 2013 12:46:01
Message-Id: 521F427D.5060901@thegeezer.net
In Reply to: Re: [gentoo-user] HA-Proxy or iptables? by Randy Barlow
On 08/29/2013 01:12 PM, Randy Barlow wrote:
> Honestly, I think the best solution is to switch the company to using domain names to access these resources. This makes it much easier to silently introduce things like load balancers later on if you ever need to scale. It's also much easier to communicate to new users how to find this resource. Once you migrate to IPv6 it becomes a very long address to tell people as well.
>
> To answer your specific question, I would just do it with iptables if you must continue accessing it by IP address. I will point out that the service on the new IP address now has doubled its chances of going out of service, because it depends on both machines running, even though the first has nothing to do with it. Also, doing this with firewall rules isn't very nice from a systems management perspective for the future, as it's not very obvious what's going on with some server rewriting packets for another one. If someone sees that in two years, are they going to know what to do? What if they want to take server 1 down, and forget that it also disrupts 2? Using DNS is much cleaner for these reasons.
With iptables this could be tricky if everything is in the same LAN
subnet: you will need to ensure you have both DNAT and SNAT, otherwise
you will have:
PC ---> serverA:3000 ---DNAT----> serverB
serverB ---replies---> PC
PC ignores packet: "I wasn't talking to you, I was talking to serverA"

Also bear in mind that from serverB's perspective, all connections on
port 3000 will appear to come from serverA. I know that a VT-based
terminal server can set up users based on their originating IP, which
would previously have been a good detector of which terminal they are
connecting from.

Rather than using iptables on serverA, you may like to consider ebtables
or iptables on a server that sits in front of both serverA and serverB.
This would act as a bridge, and rewrite packets for serverA on port 3000
to go to serverB on port 3000,
or
it could act as a router for NAT (iptables) if you change the IP subnet
of serverA and serverB, and make the NAT box have the original IP of serverA.
This would allow connections by IP to be tracked.

hth
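The double translation described in the post above, as an added example that is not part of the original message: a POSIX shell script that prints (or, with APPLY=1, applies as root) the iptables rules needed to hairpin TCP/3000 from serverA to serverB when both sit on the same LAN. The addresses 192.168.1.10 and 192.168.1.20, the port, and the helper function names are assumptions chosen for illustration; the iptables options themselves are standard.

```shell
#!/bin/sh
# Added example, not from the thread: forward TCP/3000 arriving at serverA to
# serverB on a flat LAN. Both NAT halves are needed, as the post explains;
# with DNAT alone serverB answers the PC directly and the PC drops the reply
# because it was talking to serverA. Addresses below are assumptions.
SERVER_A=192.168.1.10      # assumed: old address clients still connect to
SERVER_B=192.168.1.20      # assumed: where the service now lives
PORT=3000

IPT=${IPT:-iptables}

# Print each command unless APPLY=1, so the rule set can be reviewed first
# (and so the script runs without root or iptables installed).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

redirect_rules() {
    # serverA must be willing to route packets not addressed to itself.
    run sysctl -w net.ipv4.ip_forward=1

    # DNAT: new connections to serverA:3000 are re-addressed to serverB:3000.
    run "$IPT" -t nat -A PREROUTING -d "$SERVER_A" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER_B:$PORT"

    # SNAT (the easily forgotten half): any flow that was DNATed above leaves
    # serverA with serverA as its source, so serverB replies to serverA, and
    # conntrack un-does both translations before the reply reaches the PC.
    # Side effect from the post: serverB now sees every client as serverA.
    run "$IPT" -t nat -A POSTROUTING -d "$SERVER_B" -p tcp --dport "$PORT" \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$SERVER_A"

    # Let the forwarded flow through FORWARD in case its policy is DROP.
    run "$IPT" -A FORWARD -d "$SERVER_B" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -s "$SERVER_B" -p tcp --sport "$PORT" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Sanity check: the emitted rule set must carry both NAT halves.
has_both_nat_halves() {
    rules=$(redirect_rules)
    printf '%s\n' "$rules" | grep -q -- '-j DNAT' &&
        printf '%s\n' "$rules" | grep -q -- '-j SNAT'
}

# Number of commands the script would issue (one per line of output).
rule_count() { redirect_rules | grep -c .; }

redirect_rules
```

After applying, `iptables -t nat -L -n -v` shows the packet counters climbing on both the DNAT and the SNAT rule for each connection, and `conntrack -L` (from conntrack-tools) lists each hairpinned flow with its original and reply tuples, which is the quickest way to confirm the double translation is happening. The `--ctstate DNAT` match keeps the SNAT rule from rewriting any other traffic serverA might route to serverB:3000. Connections originating on serverA itself do not pass PREROUTING and are not covered here.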

Replies

Subject Author
Re: [gentoo-user] HA-Proxy or iptables? Pandu Poluan <pandu@××××××.info>