Red Hat Linux 6.2: The Official Red Hat High Availability Server Installation Guide
Chapter 8. Linux Virtual Server (LVS)
The LVS routers require Red Hat High Availability Server 1.0 or greater, and the type of routing you choose must be supported by your kernel/module configuration.
With NAT routing, packet forwarding, packet defragmenting, and IP masquerading must be enabled on the LVS routers.
Enable packet forwarding. To do this at system boot, make sure the file /etc/sysctl.conf contains the line net.ipv4.ip_forward = 1. To enable packet forwarding without rebooting, as root issue this command:
echo 1 > /proc/sys/net/ipv4/ip_forward
Enable packet defragmenting. To do this at system boot, make sure the file /etc/sysctl.conf contains the line net.ipv4.ip_always_defrag = 1. To enable packet defragmenting without rebooting, as root issue this command:
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
To enable IP masquerading, issue this command:
ipchains -A forward -j MASQ -s n.n.n.n/type -d 0.0.0.0/0
where:
n.n.n.n is the address of the private subnet to which the real servers are connected.
type is 8, 16, 24, or 32, indicating the address type and mask:
netmask         | type | Subnet
~~~~~~~~~~~~~~~~|~~~~~~|~~~~~~~~~~~~~~~
255.0.0.0       | 8    | Class A
255.255.0.0     | 16   | Class B
255.255.255.0   | 24   | Class C
255.255.255.255 | 32   | Point-to-point
You will probably want to put the ipchains command in an init script (e.g., /etc/rc.d/rc.local), so that masquerading is configured on the LVS routers at system startup.
ipchains is the tool used to create and manage the firewalling rules set in the kernel's TCP stack. Masquerading is a small subset of these rules that allows machines on private IP networks to communicate with the outside world. Using ipchains can have an impact on system security. If you have security concerns, read the ipchains HOWTO (http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html).
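The following shell functions are an added example, not part of the Red Hat guide: they map a dotted netmask to the /type value from the table above, build the corresponding ipchains masquerade command, and check the two kernel toggles and /etc/sysctl.conf lines that NAT routing requires. The file paths passed to the check functions are assumed to be the /proc/sys and sysctl.conf files named above (or test copies of them).

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): validate the NAT-router
# prerequisites described in the text and build the masquerade rule.

# Map a dotted netmask to the /type prefix used by the ipchains rule.
# Prints 8, 16, 24 or 32; returns 1 for any mask outside the guide's table.
netmask_to_type() {
    case "$1" in
        255.0.0.0)       echo 8 ;;
        255.255.0.0)     echo 16 ;;
        255.255.255.0)   echo 24 ;;
        255.255.255.255) echo 32 ;;
        *) return 1 ;;
    esac
}

# Build the ipchains command for the real-server subnet: masquerade traffic
# from n.n.n.n/type to anywhere. Usage: masq_rule 10.0.0.0 255.255.255.0
masq_rule() {
    prefix=$(netmask_to_type "$2") || return 1
    echo "ipchains -A forward -j MASQ -s $1/$prefix -d 0.0.0.0/0"
}

# Succeed only when a kernel toggle file (e.g. /proc/sys/net/ipv4/ip_forward,
# or a test copy of it) currently reads 1.
toggle_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Print each of the two sysctl lines required by the guide that is missing
# from the given sysctl.conf file; prints nothing when both are present.
missing_sysctl_lines() {
    for key in net.ipv4.ip_forward net.ipv4.ip_always_defrag; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" \
            || echo "$key = 1"
    done
}
```

Run `missing_sysctl_lines /etc/sysctl.conf` and `toggle_enabled /proc/sys/net/ipv4/ip_forward` on the LVS router to confirm the boot-time and live settings agree before adding the masquerade rule.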
On each real server, establish a tunnel between it and each virtual server address. For example, these commands establish two tunnels (tunl0 and tunl1) to two virtual server addresses (1.2.3.1 and 1.2.3.2):
ifconfig tunl0 1.2.3.1 up
ifconfig tunl1 1.2.3.2 up
So that the real servers, rather than the active router, do not respond to ARP broadcasts for the virtual server addresses, you also need to hide the tunnel devices from ARP broadcasts. For example, these commands hide tunnels tunl0 and tunl1:
echo 1 > /proc/sys/net/ipv4/conf/all/hidden
echo 1 > /proc/sys/net/ipv4/conf/tunl0/hidden
echo 1 > /proc/sys/net/ipv4/conf/tunl1/hidden
On each real server, enable a route to each virtual server address. For example, the following command aliases virtual server 1.2.3.1 to adapter eth0:
ifconfig eth0:0 1.2.3.1 up
You also need to hide virtual server routes from ARP broadcasts. For example, these commands hide any virtual server addresses on device eth0:
echo 1 > /proc/sys/net/ipv4/conf/all/hidden
echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden