UDP Load balancing

Hi,

  I found several tutorials on the Internet that explain how to use iptables to do load balancing.

  I did some tests on my side, but the behavior is not exactly what I expected.

  My use case is to create a cluster of servers behind a unique public IP. Traffic is over UDP, and there are client/device-initiated use cases and server-initiated use cases. 1 client should be associated with only 1 server. A server-initiated communication should modify this association.

  Here is my config:

*filter
:INPUT ACCEPT [42520:10530616]
:FORWARD ACCEPT [5164359:11353167320]
:OUTPUT ACCEPT [54257:11470067]
COMMIT
# Completed on Tue Nov 27 16:10:14 2018
# Generated by iptables-save v1.4.18 on Tue Nov 27 16:10:14 2018
*nat
:PREROUTING ACCEPT [44013:3237187]
:INPUT ACCEPT [7:311]
:OUTPUT ACCEPT [4963:310464]
:POSTROUTING ACCEPT [5:165]
-A PREROUTING -p udp -m udp --dport 55555 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 10.188.168.31:55555
-A PREROUTING -p udp -m udp --dport 55555 -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j DNAT --to-destination 10.188.178.229:55555
-A POSTROUTING -s 10.188.0.0/16 -o eth0 -j MASQUERADE
COMMIT

  Here are my tests:
  Suppose I have 1 client C1 and 2 servers S1, S2 behind a load balancer LB.
  I send a UDP message from C1 to LB. S1 receives the message.

  An association is created between C1IP:55555 and S1IP:55555.
  I can see it using conntrack.

  If I reply from S1, C1 receives the message. All is OK.

  Now, S2 tries to send a request to C1 (this is a server-initiated use case). I would expect that S2 would get the association with C1IP (meaning now S2 is responsible for C1's traffic and so takes the port on the LB). But netfilter sees that port 55555 is already taken and uses a new port for S2.

   Is there a way to use netfilter (iptables or nftables) for my use case?

   (Bonus question: what is the added value of LVS over netfilter?)

Thx for your time,

Simon
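The following is a small Python model of the posted rule set, added here as an illustration; it is not part of Simon's mail and not netfilter code. The LB and client addresses are constructed (RFC 5737 ranges); the two backend addresses are the ones from the config. It replays the sequence in the tests: the first C1 packet matches rule 1 and creates the conntrack entry C1:55555 <-> S1:55555, S1's reply is un-DNATed to LB:55555, and S2's own packet to C1 is a NEW flow whose masqueraded reply tuple C1:55555 -> LB:55555 would duplicate the existing entry, so the model, like nf_nat, picks another source port and C1 stays associated with S1. It also models the per-rule counter of xt_statistic: `distribution(8)` shows that the second rule only sees the packets rule 1 left over and takes half of those, so a quarter of new flows get no DNAT at all; the usual recipe is to give the last rule in such a chain no statistic match. The port search is simplified (next free port) compared with the kernel's.

```python
"""Added example, not code from the post: a simplified model of the posted
rule set (nth-mode round robin in PREROUTING, MASQUERADE in POSTROUTING and a
conntrack table that refuses duplicate tuples).  LB and client addresses are
constructed; the two backend addresses are the ones from the post."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LB_IP = "198.51.100.1"                       # constructed public IP of the LB
S1, S2 = "10.188.168.31", "10.188.178.229"   # DNAT targets from the post
PORT = 55555
Tuple4 = Tuple[str, int, str, int]           # (src, sport, dst, dport)

@dataclass
class NthRule:
    """-m statistic --mode nth --every E --packet P -j DNAT --to-destination T.
    xt_statistic keeps one counter per rule: it only counts packets that
    earlier rules in the chain did not take."""
    every: int
    packet: int
    target: str
    counter: int = 0

    def match(self) -> bool:
        hit = self.counter == self.packet
        self.counter = (self.counter + 1) % self.every
        return hit

@dataclass
class Entry:
    orig: Tuple4    # tuple of the packet that created the entry, before NAT
    reply: Tuple4   # tuple a reply carries on the wire (after NAT, inverted)

@dataclass
class Conntrack:
    entries: List[Entry] = field(default_factory=list)

    def lookup(self, pkt: Tuple4) -> Optional[Tuple[str, Entry]]:
        for e in self.entries:
            if pkt == e.orig:
                return "ORIGINAL", e
            if pkt == e.reply:
                return "REPLY", e
        return None

    def in_use(self, t: Tuple4) -> bool:
        return any(t in (e.orig, e.reply) for e in self.entries)

class LoadBalancer:
    def __init__(self) -> None:
        self.ct = Conntrack()
        self.prerouting = [NthRule(2, 0, S1), NthRule(2, 1, S2)]  # as posted

    def from_client(self, client: str, cport: int) -> str:
        """client:cport -> LB:PORT arriving on eth0; returns the final receiver."""
        pkt = (client, cport, LB_IP, PORT)
        hit = self.ct.lookup(pkt)
        if hit:                               # ESTABLISHED: NAT is replayed
            direction, e = hit
            return e.reply[0] if direction == "ORIGINAL" else e.orig[0]
        target = LB_IP                        # NEW, no rule matched: local delivery
        for rule in self.prerouting:
            if rule.match():
                target = rule.target
                break
        self.ct.entries.append(Entry(pkt, (target, PORT, client, cport)))
        return target

    def from_server(self, server: str, sport: int,
                    client: str, cport: int) -> Tuple[str, int]:
        """server:sport -> client:cport leaving on eth0; returns the (ip, port)
        the client sees as the source."""
        pkt = (server, sport, client, cport)
        hit = self.ct.lookup(pkt)
        if hit:                               # REPLY: undo DNAT; ORIGINAL: replay SNAT
            direction, e = hit
            t = e.orig if direction == "REPLY" else e.reply
            return t[2], t[3]
        # NEW flow under MASQUERADE: keep sport unless the resulting reply tuple
        # collides with an existing entry, then take the next free port
        # (the kernel's port search is more elaborate; simplified here)
        mport = sport
        while self.ct.in_use((client, cport, LB_IP, mport)):
            mport += 1
        self.ct.entries.append(Entry(pkt, (client, cport, LB_IP, mport)))
        return LB_IP, mport

def distribution(n_clients: int) -> Dict[str, int]:
    """Receiver of the first packet of n distinct clients (constructed IPs)."""
    lb, counts = LoadBalancer(), {S1: 0, S2: 0, LB_IP: 0}
    for i in range(n_clients):
        counts[lb.from_client(f"192.0.2.{i + 1}", PORT)] += 1
    return counts

def server_initiated_scenario() -> tuple:
    """The sequence from the post: C1 -> LB, S1 replies, S2 contacts C1, C1 again."""
    lb, c1 = LoadBalancer(), "192.0.2.1"        # constructed client address
    first = lb.from_client(c1, PORT)            # S1: rule 1 takes packet 0
    reply = lb.from_server(S1, PORT, c1, PORT)  # (LB_IP, 55555): DNAT undone
    s2src = lb.from_server(S2, PORT, c1, PORT)  # 55555 busy, new port chosen
    again = lb.from_client(c1, PORT)            # still S1: association unchanged
    return first, reply, s2src, again

if __name__ == "__main__":
    print(distribution(8), server_initiated_scenario())
```

Running it prints the split of eight fresh clients and the four results of the scenario; the model only tracks tuple uniqueness and the two NAT directions, which is enough to reproduce the port change Simon observed, and it does not attempt to model conntrack timeouts or the address-family details of real MASQUERADE.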