Ultra Monkey: High Availability and Load Balancing Solution for Linux [Monkey]


Firewall Marks

[Network Diagram]

Firewall marks provide a powerful mechanism for grouping services together. This topology is intended as an example of how fwmarks can be used. To give the example some grounding it is based on the high availability load balancing topology. However, it is applicable to any of the Load Balancing topologies discussed.

This setup will load balance traffic sent to any IP address in the range ( on any UDP or TCP port to the real servers.

A minimum of 4 nodes is required for this setup. Real-Servers may be added to the network as additional capacity is required. For a more detailed explanation of the function of each component please see the overview of the high availability load balancing topology.

The documentation that follows assumes that all nodes on the network are set up with correct interfaces and routes for each network they are connected to as per the diagram above. The return path for packets must be through the active Linux-Director. In almost all cases this will mean that the default route for the real-servers should be set to the internal virtual address as described in the real-servers section for a single virtual service.

Before proceeding, you need to follow the configuration steps provided for high availability load balancing, or for whichever topology you wish to use firewall marks in conjunction with.

Additional Notes

The configuration above establishes one virtual service which covers all ports on both UDP and TCP for all IP addresses in the range - ( At the heart of this is the following iptables rule:

/sbin/iptables -t mangle -A PREROUTING -d -j MARK --set-mark 1

By changing the packets that this rule matches, the scope of the virtual service is changed. Multiple rules may be used to add matches. As long as packets belonging to a connection are marked with the fwmark (in this case 1, as per --set-mark 1) that corresponds to an LVS virtual service, the connection will be load balanced. For example, to set up a virtual service that only covers TCP ports 80 and 443 (HTTP and HTTPS) for the hosts in use:

/sbin/iptables -t mangle -A PREROUTING -p tcp -d --dport 80 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING -p tcp -d --dport 443 -j MARK --set-mark 1

As well as reducing complexity by grouping services by address and/or ports, the grouping provides a convenient way to couple persistence across those services. If persistence was set for fwmark virtual service 1 in /etc/ha.d/ldirectord.cf and the configuration for ports 80 and 443 immediately above was used, then an end-user connecting to port 80 and then following a link to port 443 would end up on the same real server for both connections.

It is also of note that multiple fwmark virtual services may be used by using different firewall marks. We have used 1, but any number in the range 1-65535 is valid. For example, there could be two different virtual services defined in /etc/ha.d/ldirectord.cf for firewall marks 1 and 2. These may have different pools of real servers or other unique attributes. The following iptables rules show how to match using two different firewall marks.

/sbin/iptables -t mangle -A PREROUTING -d -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING -d -j MARK --set-mark 2
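The following is an added example, not part of the Ultra Monkey site or the ldirectord project: a small shell script that generates the mangle/PREROUTING marking rules described above (all ports, or selected TCP ports) and the matching /etc/ha.d/ldirectord.cf stanza for one firewall mark, so that a mark and its virtual service can be kept consistent when several marks are in use. All addresses, ports and the persistence timeout are constructed sample values; the script only prints the commands and configuration rather than applying them.

```shell
#!/bin/sh
# Added example: generate iptables fwmark rules and the ldirectord.cf block
# that consumes the mark. Addresses and ports below are constructed samples.
set -eu

# fwmark_rules MARK DEST [TCP_PORT...]
# With no ports: one rule marking every protocol and port sent to DEST
# (the "all ports, UDP and TCP" virtual service). With ports: one rule
# per TCP port, so only those services are grouped under the mark.
fwmark_rules() {
    mark=$1; dest=$2; shift 2
    if [ $# -eq 0 ]; then
        echo "/sbin/iptables -t mangle -A PREROUTING -d $dest -j MARK --set-mark $mark"
        return
    fi
    for port in "$@"; do
        echo "/sbin/iptables -t mangle -A PREROUTING -p tcp -d $dest --dport $port -j MARK --set-mark $mark"
    done
}

# ldirectord_fwm_stanza MARK CHECKPORT REAL...
# Prints the /etc/ha.d/ldirectord.cf virtual service for a firewall mark.
# A fwmark service is written as "virtual=<mark>" and needs protocol=fwm;
# checkport gives the health check a port, since the mark itself has none.
ldirectord_fwm_stanza() {
    mark=$1; checkport=$2; shift 2
    echo "virtual=$mark"
    for real in "$@"; do
        echo "        real=$real gate"
    done
    echo "        protocol=fwm"
    echo "        checktype=connect"
    echo "        checkport=$checkport"
    echo "        scheduler=rr"
    echo "        persistent=600"   # sample timeout: port 80 and 443 share a real server
}

# Sample run: mark 1 groups HTTP and HTTPS on one virtual address, mark 2
# takes everything sent to a second address, each with its own real-server pool.
fwmark_rules 1 192.168.6.240 80 443
fwmark_rules 2 192.168.6.241
ldirectord_fwm_stanza 1 80 192.168.6.4 192.168.6.5
ldirectord_fwm_stanza 2 22 192.168.6.6
```

After the real rules are loaded, `ipvsadm -L -n` lists firewall-mark services as `FWM <mark>` rather than by address and port, which is the quickest way to confirm that the marks used in iptables and in ldirectord.cf agree. Note that a mark rule without `-p`/`--dport` steers every packet for that destination, so anything else listening on that address is load balanced as well.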

Copyright © 2000-2005, Horms
Last Updated: Sat Mar 4 16:33:56 2006 +0900

Debian is a registered trademark of Software in the Public Interest, Inc.
Red Hat, the Red Hat Shadowman logo and Fedora are registered trademarks of Red Hat, Inc.
Red Hat may also be referred to as RedHat on this site.
Linux is a registered trademark of Linus Torvalds.
All other trademarks are the property of their respective owners.