* dst nat failover only while port is closed
@ 2015-03-13  3:15 Stefan Certic
  2015-03-13  7:52 ` Arturo Borrero Gonzalez
  0 siblings, 1 reply; 3+ messages in thread
From: Stefan Certic @ 2015-03-13  3:15 UTC (permalink / raw)
  To: netfilter

Hello World :)

I am interested in the following scenario with iptables (if such is possible).

Setup:

1. Ext firewall NATs port Z to server A.
2. Application X listens on port Z of server A.
3. It happens that application X crashes for a couple of seconds and
gets restarted by monit.

Question:

Is it possible to perform NAT on server A itself, to server B, that
will take place only until the application is restarted (only while no one
is listening on port Z), and otherwise expose port Z back to the
application?

Reason:

The idea is to provide failover, uninterrupted service even when an app
crash occurs.

P.S. Please, no "why are you doing this and that..." questions, just
suggestions. I need it the way I need it; the questions are whether it is
possible and, if yes, how :)

P.P.S. It's TCP traffic, non-persistent connections.

Thanks for help in advance!

Best Regards,

-- 
Stefan Certic
Chief Technology Officer

stefan@cs-networks.net
--------------------------
CS Network Solutions Limited

84 High Street, Southall, Middlesex, UB1 3DB. United Kingdom


London Switchboard: +442071933539
Belgrade Operations: +38112448755

Web: www.cs-networks.net


* Re: dst nat failover only while port is closed
  2015-03-13  3:15 dst nat failover only while port is closed Stefan Certic
@ 2015-03-13  7:52 ` Arturo Borrero Gonzalez
  2015-03-13 14:45   ` Michael Vallaly
  0 siblings, 1 reply; 3+ messages in thread
From: Arturo Borrero Gonzalez @ 2015-03-13  7:52 UTC (permalink / raw)
  To: Stefan Certic; +Cc: Netfilter Users Mailing list

On 13 March 2015 at 04:15, Stefan Certic <stefan@cs-networks.net> wrote:
> Hello World :)
>
> I am interested in the following scenario with iptables (if such is possible).
>
> Setup:
>
> 1. Ext firewall NATs port Z to server A.
> 2. Application X listens on port Z of server A.
> 3. It happens that application X crashes for a couple of seconds and
> gets restarted by monit.
>
> Question:
>
> Is it possible to perform NAT on server A itself, to server B, that
> will take place only until the application is restarted (only while no one
> is listening on port Z), and otherwise expose port Z back to the
> application?
>
> Reason:
>
> The idea is to provide failover, uninterrupted service even when an app
> crash occurs.

I think this is what LVS does.

You can configure a load balancer which listens on a virtual address.
Then you have several real servers in the backend. LVS can do
health checks and deliver connections to real servers in the backend if
they are alive.

Your "firewall --> server A --> server B" architecture seems very weird.

best regards.

-- 
Arturo Borrero González


* Re: dst nat failover only while port is closed
  2015-03-13  7:52 ` Arturo Borrero Gonzalez
@ 2015-03-13 14:45   ` Michael Vallaly
  0 siblings, 0 replies; 3+ messages in thread
From: Michael Vallaly @ 2015-03-13 14:45 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez; +Cc: Stefan Certic, Netfilter Users Mailing list


AFAIK there isn't any functionality for this in netfilter directly. The best I think you could do with solely iptables would be to instrument your monit/startup scripts to alter your iptables rules pre/post action. (Turning your local application machine into a router with NAT may not be desired.)

With LVS you would also need to enable some sort of monitoring to modify the LVS node weights (ldirectord), which will still require periodic polling.

A much better approach in this case would be to use a proxy (such as HAproxy), which will allow you to "redirect" the request to a working node, if the local process has failed, or is unresponsive. 

-Mike

On Fri, 13 Mar 2015 08:52:32 +0100
Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> wrote:

> On 13 March 2015 at 04:15, Stefan Certic <stefan@cs-networks.net> wrote:
> > Hello World :)
> >
> > I am interested in the following scenario with iptables (if such is possible).
> >
> > Setup:
> >
> > 1. Ext firewall NATs port Z to server A.
> > 2. Application X listens on port Z of server A.
> > 3. It happens that application X crashes for a couple of seconds and
> > gets restarted by monit.
> >
> > Question:
> >
> > Is it possible to perform NAT on server A itself, to server B, that
> > will take place only until the application is restarted (only while no one
> > is listening on port Z), and otherwise expose port Z back to the
> > application?
> >
> > Reason:
> >
> > The idea is to provide failover, uninterrupted service even when an app
> > crash occurs.
> 
> I think this is what LVS does.
> 
> You can configure a load balancer which listens on a virtual address.
> Then you have several real servers in the backend. LVS can do
> health checks and deliver connections to real servers in the backend if
> they are alive.
> 
> Your "firewall --> server A --> server B" architecture seems very weird.
> 
> best regards.
> 
> -- 
> Arturo Borrero González


-- 
Michael Vallaly <mvallaly@nolatency.com>
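Michael's "instrument your monit/startup scripts to alter your iptables rules" suggestion, worked out as an added example that is not part of the thread and not code from either poster. It assumes iptables and iproute2's `ss` on server A, and uses placeholder values APP_PORT=8080 for port Z and BACKUP_HOST=192.0.2.20 (an RFC 5737 documentation address) for server B; the script name failover.sh is also assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: a hook that monit (or cron) runs
# on server A to redirect port Z to server B only while nothing on A is
# listening on Z, and to remove the redirect again once the app is back.
# APP_PORT, BACKUP_HOST and the 192.0.2.x address are placeholders chosen
# for the example; adjust them to your setup.
APP_PORT="${APP_PORT:-8080}"              # port Z
BACKUP_HOST="${BACKUP_HOST:-192.0.2.20}"  # server B
IPT="${IPT:-iptables}"                    # set IPT=echo to dry-run

# nat-table rule specs, kept as text so one string serves -C, -A and -D.
dnat_rule() { echo "-p tcp --dport $APP_PORT -j DNAT --to-destination $BACKUP_HOST:$APP_PORT"; }
# B must answer through A, so A also source-NATs the forwarded flow;
# otherwise B replies straight to a client that never talked to B.
snat_rule() { echo "-p tcp -d $BACKUP_HOST --dport $APP_PORT -j MASQUERADE"; }

# $1 = action (-C check, -A append, -D delete), $2 = chain, $3 = rule text.
nat_rule() {
    # shellcheck disable=SC2086  # word-splitting of $3 is intended
    $IPT -t nat "$1" "$2" $3
}

# "up" if some local socket listens on TCP port Z, else "down".  ss prints
# only its header when nothing matches, so look for a second line.
app_state() {
    if ss -ltn "sport = :$APP_PORT" 2>/dev/null | tail -n +2 | grep -q .; then
        echo up
    else
        echo down
    fi
}

# "present" if the DNAT rule is already installed, else "absent".
rule_state() {
    if nat_rule -C PREROUTING "$(dnat_rule)" >/dev/null 2>&1; then
        echo present
    else
        echo absent
    fi
}

# Pure decision: what to do given app state and rule state.  Idempotent on
# purpose, because monit will run the hook again and again.
decide() {  # $1 = up|down, $2 = present|absent
    case "$1/$2" in
        down/absent) echo add ;;
        up/present)  echo del ;;
        *)           echo none ;;
    esac
}

sync_failover() {
    case "$(decide "$(app_state)" "$(rule_state)")" in
        add)
            # DNAT alone is not enough: A now has to forward the rewritten
            # packets, i.e. it becomes the router Michael warns about.
            sysctl -q -w net.ipv4.ip_forward=1
            nat_rule -A PREROUTING  "$(dnat_rule)"
            nat_rule -A POSTROUTING "$(snat_rule)"
            ;;
        del)
            nat_rule -D PREROUTING  "$(dnat_rule)"
            nat_rule -D POSTROUTING "$(snat_rule)"
            ;;
    esac
}

# Usage: APP_PORT=8080 BACKUP_HOST=192.0.2.20 sh failover.sh apply
case "${1:-}" in apply) sync_failover ;; esac
```

Run it from monit's check cycle (or a short cron interval); the poll interval is the failover gap Michael refers to. Two caveats apply that the poster should know: NAT is decided on a flow's first packet and then pinned in conntrack, so flipping the rule only changes new connections, and connections already redirected to B stay on B until they close (fine for the non-persistent TCP described); and the FORWARD chain on A must accept the redirected flow, while MASQUERADE means B sees A's address, not the client's, in its logs.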

