firewall + loadbalancer on the same machine

Roberto Nibali ratz at
Tue Aug 3 13:13:37 BST 2004


>>> I would like to know: Is it possible to run iptables firewall and ipvs
>>> loadbalancer on the same machine.
>> This has been the subject of much discussion on this list and is covered
>> extensively in the HOWTO. How about you save your questions till after
>> you've read up on the matter.
> I think that is why I did not get a clear answer.

Is this clear enough or does it raise more questions? We would like to 
know so we can improve on the documentation.

> I think it does not work, I was just looking for other ipvs users to 
> backup that answer.

Out of the box it does not work, correct. But patches exist to make it 
work. You seem to have neglected to mention

a) your kernel version
b) your LVS forwarding method

both points have different outcomes in answering your question to its 
full extent. 2 examples, randomly picked:

LVS-NAT with the nfct patch will work for 2.4.x and 2.6.x kernels 
regarding filtering, if you don't use fwmark

LVS-DR will most probably not work with 2.6.8 and above kernels 
regarding filtering since the tcp window tracking patch has been merged 
to the vanilla tree; however there is a relaxation sysctl that could 
revert the strict TCP window and sequence number checking to the 
loosely-knitted one (aka: non-existent) as previously found in vanilla 
Linux kernels.

Roberto Nibali, ratz
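The two variables Roberto asks for (kernel version and LVS forwarding method) decide the answer, so here is a small POSIX shell helper that turns that reasoning into a check an administrator can run on a director. This is an added example, not code from the post or from the LVS project: the version comparison and the "LVS-DR on 2.6.8 or later needs the relaxation" rule follow the post, while the sysctl key names (`ip_conntrack_tcp_be_liberal` under `net.ipv4.netfilter` on 2.6-era kernels, later renamed under `net.netfilter`) come from my own knowledge of the netfilter conntrack code and are an assumption, as is the `LVS_METHOD` environment variable used to drive the check.

```shell
#!/bin/sh
# Added example (not from the original post). Decide whether a director
# running iptables next to IPVS is on a kernel where the post says strict
# TCP window tracking bites LVS-DR, and locate the sysctl that relaxes it.

# kver_ge A B: succeed if kernel version A is >= B (numeric, dotted,
# trailing "-rcN"/"-smp" suffixes are ignored by awk's number conversion).
kver_ge() {
    echo "$1 $2" | awk '{
        n = split($1, a, "."); m = split($2, b, ".");
        for (i = 1; i <= 3; i++) {
            x = (i <= n) ? a[i] + 0 : 0;
            y = (i <= m) ? b[i] + 0 : 0;
            if (x > y) exit 0;
            if (x < y) exit 1;
        }
        exit 0 }'
}

# needs_relaxation METHOD KVER: per the post, LVS-DR filtering on 2.6.8 and
# above runs into the merged TCP window tracking; LVS-NAT relies on the
# nfct patch instead, so no relaxation decision applies there.
needs_relaxation() {
    [ "$1" = "DR" ] && kver_ge "$2" "2.6.8"
}

# be_liberal_key: print the sysctl key that exists on this host, if any.
# Key names are an assumption from 2.6-era netfilter, not from the post.
be_liberal_key() {
    for k in net/ipv4/netfilter/ip_conntrack_tcp_be_liberal \
             net/netfilter/nf_conntrack_tcp_be_liberal; do
        if [ -r "/proc/sys/$k" ]; then
            echo "$k" | tr / .
            return 0
        fi
    done
    return 1
}

# relax_tcp_tracking: write 1 to the key (needs root); report what was done.
relax_tcp_tracking() {
    key=$(be_liberal_key) || { echo "no be_liberal sysctl on this kernel"; return 1; }
    sysctl -w "$key=1"
}

# Usage (hypothetical driver): LVS_METHOD=DR ./check.sh
if [ -n "${LVS_METHOD:-}" ]; then
    kv=$(uname -r)
    if needs_relaxation "$LVS_METHOD" "$kv"; then
        echo "LVS-$LVS_METHOD on $kv: strict TCP tracking applies"
        key=$(be_liberal_key) && echo "relaxation key: $key (currently $(sysctl -n "$key"))"
    else
        echo "LVS-$LVS_METHOD on $kv: no window-tracking relaxation needed"
    fi
fi
```

Run it with `LVS_METHOD=DR` on the director; it only reports, and `relax_tcp_tracking` is left as an explicit call so the loosening of sequence checks is a deliberate, logged choice rather than a side effect of a version probe.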
