Re: dst nat failover only while port is closed

AFAIK there isn't any functionality for this in netfilter directly. The best I think you could do with solely iptables would be to instrument your monit/startup scripts to alter your iptables rules pre/post action. (Turning your local application machine into a router with NAT may not be desired.)

With LVS you would also need to enable some sort of monitoring to modify the LVS node weights (ldirectord), which will still require periodic polling.

A much better approach in this case would be to use a proxy (such as HAProxy), which will allow you to "redirect" the request to a working node if the local process has failed or is unresponsive.

-Mike

On Fri, 13 Mar 2015 08:52:32 +0100
Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx> wrote:

> On 13 March 2015 at 04:15, Stefan Certic <stefan@xxxxxxxxxxxxxxx> wrote:
> > Hello World :)
> >
> > I am interested in following scenario with iptables (if such is possible).
> >
> > Setup:
> >
> > 1. Ext Firewall nats port Z to server A.
> > 2. Application X listens on port Z of server A
> > 3. It happens that application X crashes for a couple of seconds and
> > gets restarted by monit.
> >
> > Question:
> >
> > Is it possible to perform NAT on server A itself, to server B, that
> > will take place only until the application is restarted (only while no one
> > is listening on port Z), and otherwise expose port Z back to the
> > application?
> >
> > Reason:
> >
> > The idea is to provide a failover, uninterrupted service even when app
> > crash occurs.
> 
> I think this is what LVS does.
> 
> You can configure a loadbalancer which listens on a virtual address.
> Then, you have several real servers in the backend. The LVS can do
> health checks and deliver connection to real servers in the backend if
> they are alive.
> 
> Your "firewall --> server A --> server B" architecture seems very weird.
> 
> best regards.
> 
> -- 
> Arturo Borrero González
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


-- 
Michael Vallaly <mvallaly@xxxxxxxxxxxxx>
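As an added illustration of the "instrument your monit scripts to alter the iptables rules" approach Mike describes (example code, not from the thread or any of its participants): a small hook script that adds a DNAT rule to server B while nothing listens on port Z and removes it again once the application is back. Port 8080, the backup address 192.0.2.20, the monit wiring in the comments and the use of `ss` for the listen check are all assumptions; the MASQUERADE rule is what makes server A the NAT router the reply warns about, since without it server B would answer clients directly.

```shell
#!/bin/sh
# Failover hook for monit (constructed example). Assumed monit wiring:
#   if failed port 8080 protocol http then exec "/usr/local/sbin/failover.sh down"
#   else if succeeded then exec "/usr/local/sbin/failover.sh up"
PORT="${PORT:-8080}"           # port Z (assumed placeholder)
BACKUP="${BACKUP:-192.0.2.20}" # server B (assumed placeholder)
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the commands instead of running them

# Print the two nat rules for action $1 (-A add, -D delete, -C check).
# DNAT sends new connections for port Z to server B; MASQUERADE rewrites
# the source so B's replies return via A (A now acts as a NAT router,
# which is the caveat from the reply). Existing connections are untouched.
build_rules() {
  printf '%s -t nat %s PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$IPT" "$1" "$PORT" "$BACKUP" "$PORT"
  printf '%s -t nat %s POSTROUTING -p tcp -d %s --dport %s -j MASQUERADE\n' \
    "$IPT" "$1" "$BACKUP" "$PORT"
}

# True when a local TCP socket is listening on port Z.
port_open() {
  ss -Hltn "sport = :$PORT" 2>/dev/null | grep -q .
}

# Apply the rules idempotently: skip an add when the rule already exists,
# so repeated monit cycles do not stack duplicate rules.
run_rules() {
  build_rules "$1" | while IFS= read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; continue; fi
    chk=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
    if [ "$1" = -A ] && $chk 2>/dev/null; then continue; fi
    $cmd
  done
}

case "${1:-}" in
  down)  [ "$DRY_RUN" = 1 ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null
         run_rules -A ;;
  up)    run_rules -D ;;
  check) if port_open; then run_rules -D; else run_rules -A; fi ;;
esac
```

Run with `DRY_RUN=1 ./failover.sh down` to see the rules it would install; `check` can be called from cron as a fallback if monit is not the one restarting the process.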