From: Pandu Poluan <pandu@poluan.info>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] HA-Proxy or iptables?
Date: Thu, 29 Aug 2013 21:14:25 +0700 [thread overview]
Message-ID: <CAA2qdGU3rc8gMgXF_g3KQSsvyEdUupZwJtY36rns=hGFTXoScQ@mail.gmail.com> (raw)
In-Reply-To: <521F427D.5060901@thegeezer.net>
On Aug 29, 2013 7:46 PM, "thegeezer" <thegeezer@thegeezer.net> wrote:
>
> > On 08/29/2013 01:12 PM, Randy Barlow wrote:
> > > Honestly, I think the best solution is to switch the company to using
> > > domain names to access these resources. This makes it much easier to
> > > silently introduce things like load balancers later on if you ever need to
> > > scale. It's also much easier to communicate to new users how to find this
> > > resource. Once you migrate to IPv6 it becomes a very long address to tell
> > > people as well.
> > >
> > > To answer your specific question, I would just do it with iptables if
> > > you must continue accessing it by IP address. I will point out that the
> > > service on the new IP address now has doubled its chances of going out of
> > > service, because it depends on both machines running, even though the first
> > > has nothing to do with it. Also, doing this with firewall rules isn't very
> > > nice from a systems management perspective for the future, as it's not very
> > > obvious what's going on with some server rewriting packets for another one.
> > > If someone sees that in two years, are they going to know what to do? What
> > > if they want to take server 1 down, and forget that it also disrupts 2?
> > > Using DNS is much cleaner for these reasons.
> With iptables this could be tricky if everything is in the same LAN
> subnet, you will need to ensure you have both DNAT and SNAT otherwise
> you will have:
> PC ---> serverA:3000 ---DNAT----> serverB
> serverB ---replies---> PC
> PC ignores packet "i wasn't talking to you, i was talking to serverA"
>
I do have some experience with double NAT-ting, but thanks for the reminder
anyways :-)
> Also bear in mind that from serverB's perspective, all connections on
> port 3000 will appear to come from serverA. I know that a VT based
> terminal server can set up users based on their originating IP, which
> would previously have been a good detector of which terminal they are
> connecting from.
>
Luckily, to the best of my knowledge, the apps do not make such
distinction, so I can get away with such sleight of hand...
> Rather than using iptables on serverA, you may like to consider ebtables
> or iptables on a server that sits in front of both serverA and serverB.
> This would act as a bridge, and rewrite packets for serverA on port 3000
> to go to serverB on port 3000,
> or
> it could act as a router for NAT (iptables) if you change the IP subnet
> of serverA and serverB, and make the NAT box have the original IP of
> serverA. This would allow connections by IP to be tracked.
>
Interesting... I'll consider that. Although not strictly needed, tracking
by IP will certainly be helpful.
Thank you for the tip!
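The DNAT + SNAT pair thegeezer describes, written out as a ruleset for serverA. This is an added example, not code from the thread or from any of its participants: the 192.0.2.x addresses, the interface name eth0 and the 3000 port are placeholders. It also shows one way to keep the client IP that the SNAT hides from serverB, by logging new connections in serverA's FORWARD chain, where the source address is still the original client.

```shell
#!/bin/sh
# Hairpin (DNAT + SNAT) redirect on serverA: clients keep dialling
# serverA:3000, the packets are rewritten to serverB:3000, and replies are
# pulled back through serverA so the client accepts them.
# Added example, not code from the thread. Addresses (192.0.2.0/24
# documentation range), interface name and port are assumptions.
set -eu

SERVER_A=192.0.2.10   # assumed: the address clients still dial
SERVER_B=192.0.2.20   # assumed: the host that actually runs the service
PORT=3000
IFACE=eth0            # assumed: serverA's LAN interface

# Emit the rules in iptables-restore(8) syntax instead of calling iptables
# directly, so they can be reviewed and kept under version control.
# Arguments: serverA_ip serverB_ip port interface
gen_nat_rules() {
    a=$1 b=$2 port=$3 iface=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: new connections to serverA:$port are retargeted to serverB.
-A PREROUTING -i $iface -p tcp -d $a --dport $port -j DNAT --to-destination $b:$port
# SNAT: make serverB answer to serverA rather than to the client. Without
# this the client sees a reply from $b for a connection it opened to $a
# and drops it. Cost: serverB sees every client as $a.
-A POSTROUTING -o $iface -p tcp -d $b --dport $port -j SNAT --to-source $a
COMMIT
*filter
:FORWARD DROP [0:0]
# FORWARD runs after DNAT but before SNAT, so the source address here is
# still the real client: log it once per connection to keep the audit
# trail that the SNAT hides from serverB.
-A FORWARD -i $iface -o $iface -p tcp -d $b --dport $port -m conntrack --ctstate NEW -j LOG --log-prefix "hairpin-$port: "
-A FORWARD -i $iface -o $iface -p tcp -d $b --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Replies from serverB carry the client's address as destination in
# FORWARD (un-SNATed in PREROUTING), so they need their own accept rule.
-A FORWARD -i $iface -o $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading: count rule lines that jump to a target
# (exactly one DNAT and one SNAT are expected). Ruleset is read from stdin.
count_target() {
    grep -c -E -- "-j $1( |$)" || true
}

# Load the rules without flushing what is already in the tables (-n);
# running this twice appends duplicate rules, so flush or dedupe first.
apply_nat_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_nat_rules "$SERVER_A" "$SERVER_B" "$PORT" "$IFACE" | iptables-restore -n
}

case "${1:-}" in
    --apply) apply_nat_rules ;;   # needs root
    *)       gen_nat_rules "$SERVER_A" "$SERVER_B" "$PORT" "$IFACE" ;;
esac
```

Run it with no arguments to print the ruleset for review, and with `--apply` as root to load it. Two caveats a practitioner should keep in mind: the rules only work if `net.ipv4.ip_forward` is on, and the `FORWARD DROP` policy applies to every forwarded packet on serverA, so if the box already routes anything else, add accept rules for that traffic or leave the policy alone. The LOG line is what gives you per-client tracking on serverA; serverB itself will still only ever see serverA as the peer, as thegeezer notes.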
Thread overview:
2013-08-29 12:12 [gentoo-user] HA-Proxy or iptables? Randy Barlow
2013-08-29 12:45 ` thegeezer
2013-08-29 14:14 ` Pandu Poluan [this message]
2013-08-29 14:11 ` Pandu Poluan
-- strict thread matches above, loose matches on Subject: below --
2013-08-29 7:54 Pandu Poluan
2013-08-30 15:54 ` Kerin Millar