Using iptables to deploy a NAT server load balancer environment

Source: Internet
Author: User

Environment description:

1) Red Hat 9.0 running under VMware (the load balancer)
Eth0: 172.16.3.109/24; Gateway: 172.16.3.253;
Eth1: 192.168.0.1/24; Gateway: none;
2) host
Eth0: 172.16.3.99/24; Gateway: 172.16.3.253;
3) server A
Eth0: 192.168.0.10/24; Gateway: 192.168.0.1; Web server installed;
4) server B
Eth0: 192.168.0.11/24; Gateway: 192.168.0.1; Web server installed;
5) testing machine
Eth0: 192.168.0.20/24; Gateway: 192.168.0.1;

Configuration steps:

1) Red Hat 9.0 server (load balancer) configuration
All iptables commands can be placed in the rc.local file.
You can also write them to a separate script, make it executable, and call that script from rc.local.

A) enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

B) clear the existing iptables rules and user-defined chains
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -F
iptables -t filter -X
iptables -t mangle -X
iptables -t nat -X

C) set the default policy
The built-in default policy of every chain is ACCEPT. The usual recommendation is to leave the nat chains at ACCEPT and do any dropping in the filter table; this setup nevertheless sets the nat chains to DROP, so every wanted flow has to be accepted explicitly in the rules that follow.
iptables -t nat -P PREROUTING DROP
iptables -t nat -P OUTPUT DROP
iptables -t nat -P POSTROUTING DROP

D) set filtering in the filter table
(Omitted; no filter policy is set here.)

E) configure DNAT in the nat table
iptables -t nat -A PREROUTING --dst 172.16.3.109 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.10-192.168.0.11
This rewrites the destination address of every packet sent to port 80 of 172.16.3.109 to one of 192.168.0.10 and 192.168.0.11.
Each new connection is assigned one address from the range, and all packets of that connection keep the same address (the connection-tracking entry remembers the mapping).
Some articles state that the address with less traffic is chosen automatically.

F) configure SNAT in the nat table
iptables -t nat -A POSTROUTING -p tcp --dst 192.168.0.10 --dport 80 -j SNAT --to-source 192.168.0.1
This rewrites the source address of every packet destined for port 80 of 192.168.0.10 to 192.168.0.1.

G) allow the load balancer itself to access 172.16.3.109
Connections to 172.16.3.109 that originate on the load balancer pass through the nat OUTPUT chain rather than PREROUTING, so they need their own DNAT rule:
iptables -t nat -A OUTPUT --dst 172.16.3.109 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.10

2) configure server A and server B
Pay attention to the following points on servers A and B:
A) gateway
Point the default gateway at the load balancer's internal network adapter: 192.168.0.1
B) file synchronization
Keep the Web server's document root identical on both servers. On Windows, third-party tools such as DFS or PeerSync can synchronize the files;
on Linux, rsync, FTP, or a network file system can be used.
C) database synchronization
Use a shared third-party storage system, database replication, or a single database server.

3) other issues
A) monitoring the running status of the load balancer
It is said that mon can be used for monitoring; this has not been tested.
B) high availability of the load balancer
Heartbeat software can be used to implement HA.
C) overload
A single load balancer cannot cope with excessive request traffic.

About filtering:

If the machine is used only as a load balancer, the filtering settings below may be unnecessary; they are better suited to a gateway.
For the configuration of filter rules, see:
A) security knowledge: Brief description of the iptables firewall;
B) security knowledge: LINUX 2.4.x network security framework;

1) set the default policy of the nat table
iptables -t nat -P PREROUTING DROP
iptables -t nat -P OUTPUT DROP
iptables -t nat -P POSTROUTING DROP

2) allow access to TCP port 22 from the intranet and the Internet
iptables -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

3) allow internal hosts to reach external TCP ports 80, 53, 1863, and 443
for PORT in 53 80 1863 443   # add further ports to open here, separated by spaces
do
    iptables -t nat -A PREROUTING -p tcp --dport $PORT -j ACCEPT
    iptables -A FORWARD -p tcp --dport $PORT -j ACCEPT
    iptables -A FORWARD -p tcp --sport $PORT -j ACCEPT
done

4) allow internal hosts to reach external UDP ports such as 53
for PORT in 53   # add further ports to open here, separated by spaces
do
    iptables -t nat -A PREROUTING -p udp --dport $PORT -j ACCEPT
    iptables -A FORWARD -p udp --dport $PORT -j ACCEPT
    iptables -A FORWARD -p udp --sport $PORT -j ACCEPT
done

5) allow ping (ICMP echo request and echo reply)
for TYPE in 8 0
do
    iptables -t nat -A PREROUTING -p icmp --icmp-type $TYPE -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type $TYPE -j ACCEPT
done

6) masquerade the internal addresses
Do not forget this last step: because the POSTROUTING policy is set to DROP, outgoing packets must be source-NATed to the external address or internal hosts cannot reach the outside.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d 0/0 -j SNAT --to-source 172.16.3.109

iptables script:

The complete rc.local corresponding to the steps above:
[root@Director etc]# cat rc.local
#!/bin/bash

touch /var/lock/subsys/local

# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# flush all rules and delete user-defined chains
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -F

iptables -t filter -X
iptables -t mangle -X
iptables -t nat -X

# default policies: drop everything that is not explicitly accepted
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -t nat -P PREROUTING DROP
iptables -t nat -P OUTPUT DROP
iptables -t nat -P POSTROUTING DROP

# loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# DNAT for incoming HTTP, SNAT towards the backend, and DNAT for locally generated connections
iptables -t nat -A PREROUTING --dst 172.16.3.109 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.10
iptables -t nat -A POSTROUTING -p tcp --dst 192.168.0.10 --dport 80 -j SNAT --to-source 192.168.0.1
iptables -t nat -A OUTPUT --dst 172.16.3.109 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.10

# masquerade outgoing traffic from the internal network
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d 0/0 -j SNAT --to-source 172.16.3.109

# SSH to the load balancer
iptables -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# TCP ports internal hosts may reach
for PORT in 53 80
do
    iptables -t nat -A PREROUTING -p tcp --dport $PORT -j ACCEPT
    iptables -A FORWARD -p tcp --dport $PORT -j ACCEPT
    iptables -A FORWARD -p tcp --sport $PORT -j ACCEPT
done

# UDP ports internal hosts may reach
for PORT in 53
do
    iptables -t nat -A PREROUTING -p udp --dport $PORT -j ACCEPT
    iptables -A FORWARD -p udp --dport $PORT -j ACCEPT
    iptables -A FORWARD -p udp --sport $PORT -j ACCEPT
done

# ICMP echo request / reply
for TYPE in 8 0
do
    iptables -t nat -A PREROUTING -p icmp --icmp-type $TYPE -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type $TYPE -j ACCEPT
done
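As an added example (not the article's own script), here is the NAT part of steps E to G and of the rc.local above rewritten as a parameterised shell script. It goes beyond the article in two ways: it adds a SNAT rule for every backend rather than only 192.168.0.10, and it prints the rules for review instead of applying them unless IPT_APPLY=1 is set. The variable and function names are this example's own assumptions; the addresses and interface names are taken from the environment description.

```shell
#!/bin/sh
# Added example, not from the original article. Addresses and interfaces follow
# the environment description; helper and variable names are assumptions of this
# example. Rules are printed by default (review first); IPT_APPLY=1 runs iptables.

VIP="172.16.3.109"                    # public address on eth0
INT_IP="192.168.0.1"                  # internal address on eth1
INT_NET="192.168.0.0/24"
BACKENDS="192.168.0.10 192.168.0.11"  # web servers behind the director
EXT_IF="eth0"

# Print the command (dry run) or execute it.
ipt() {
    if [ "${IPT_APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# DNAT: spread new TCP/80 connections to the VIP over the backend range. The
# kernel picks one backend per connection; conntrack keeps later packets on it.
dnat_rule() {
    first=${BACKENDS%% *}; last=${BACKENDS##* }
    ipt -t nat -A PREROUTING -d "$VIP" -p tcp --dport 80 \
        -j DNAT --to-destination "$first-$last"
}

# SNAT: one rule per backend so replies from every backend are rewritten
# (the article's single rule only covers 192.168.0.10).
snat_rules() {
    for b in $BACKENDS; do
        ipt -t nat -A POSTROUTING -d "$b" -p tcp --dport 80 \
            -j SNAT --to-source "$INT_IP"
    done
}

# Hide the internal network behind the VIP for outbound traffic.
masq_rule() {
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$VIP"
}

# Flush the nat table and load the rules in order (5 lines in dry-run mode).
build_nat() {
    ipt -t nat -F
    dnat_rule
    snat_rules
    masq_rule
}
build_nat
```

Run it once without IPT_APPLY and compare the printed lines against the intended design before running it as root with IPT_APPLY=1.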

Postscript:

The filter rules above are loose and could be made more restrictive; the individual statements could also be refined.
