iptables load balancing using "nth"

Post by jessica » Thu, 07 Feb 2008 01:45:04

Hello, I'm trying to make use of the 'nth' option in iptables to do
load balancing.

i.e.:
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 0 -j DNAT --to-destination 10.0.0.5:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 1 -j DNAT --to-destination 10.0.0.6:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 2 -j DNAT --to-destination 10.0.0.7:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 3 -j DNAT --to-destination 10.0.0.8:80

In order to make use of the 'nth', from what I understand, I need to
run patch-o-matic against my kernel source.  I'm using slackware 12.0,
with kernel 2.6.21.5-smp.  I'm using the source which I found in
/usr/src/linux (link to /usr/src/linux-2.6.21.5/).

My questions/issues:

1) the latest/greatest POM I can find is pretty old:
ftp://ftp.netfilter.org/pub/patch-o-matic/patch-o-matic-20031219.tar.bz2
I tried a newer 'snapshot' from that same site, but had same problem
(in #2 below)

2) when I try to add the 'nth' patch, I always get the same error:

Testing patch base/nth.patch...
Warning - no help text file could be found in either
/usr/src/linux/net/ipv4/netfilter/Config.help
or /usr/src/linux/Documentation/Configure.help
fgrep: /usr/src/linux/net/ipv4/netfilter/Config.in: No such file or directory
Could not find place to slot in Config.in line
TEST FAILED: patch NOT applied.

I verified, and the files mentioned/needed above are not there.

I've spent a few days on this, but not sure how to proceed.  I went
and downloaded a fresh version of my kernel:
http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.21.5.tar.bz2

I untarred that, and it didn't contain the files mentioned/missing
above either.

If anyone could provide some help, it would be great.

Thanks!


iptables load balancing using "nth"

Post by Andy Furnis » Thu, 07 Feb 2008 03:14:24

> Hello, I'm trying to make use of the 'nth' option in iptables to do
> load balancing.

Nth is in recent kernels as part of the statistic match.

You'll need to use -t nat in your rules.

I see you are doing DNAT so I guess they are your servers, but the
following may still apply.

Load balancing like this often doesn't work as web servers may use
multiple tcp connections for the same page and some won't permit
different addresses from the first request to access. I am thinking more
of SNAT here.

Andy.
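The statistic-match equivalent of the four DNAT rules, as an added example that is not part of the thread: a small Python simulation of how "-m statistic --mode nth" in the nat table would spread 12 new connections over the backends from the first post. It assumes that every statistic rule keeps a private counter, so "--every N --packet P" matches the P-th, P+N-th, ... packet that reaches that particular rule, whereas the old ipt_nth "--counter 0" named one counter shared by all four rules.

```python
from collections import Counter

# Backends from the thread. every=None models an unconditional final rule.
PORTED_AS_IS = [(4, 0, "10.0.0.5"), (4, 1, "10.0.0.6"),
                (4, 2, "10.0.0.7"), (4, 3, "10.0.0.8")]
# With private counters the modulus has to shrink: 1/4 of all new
# connections, then 1/3 of what is left, then 1/2, then the remainder.
CORRECTED = [(4, 0, "10.0.0.5"), (3, 0, "10.0.0.6"),
             (2, 0, "10.0.0.7"), (None, 0, "10.0.0.8")]


def simulate(rules, packets):
    """Return {backend: hits}; 'unmatched' counts packets no rule took.

    Models a PREROUTING nat chain: each new connection walks the rules in
    order and the first matching DNAT rule ends the walk. Each statistic
    rule keeps its own counter (assumption stated in the lead-in).
    """
    counters = [0] * len(rules)
    hits = Counter()
    for _ in range(packets):
        for i, (every, packet, backend) in enumerate(rules):
            if every is None:
                hits[backend] += 1
                break
            seen = counters[i]
            counters[i] = (seen + 1) % every  # private counter wraps at --every
            if seen == packet:                # matches packets P, P+N, ... seen here
                hits[backend] += 1
                break
        else:
            hits["unmatched"] += 1
    return dict(hits)


def rule_text(every, packet, backend):
    """Render the iptables command a tuple models (nat table, as the reply says)."""
    match = "" if every is None else (
        f" -m statistic --mode nth --every {every} --packet {packet}")
    return ("iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80"
            f" -m state --state NEW{match} -j DNAT --to-destination {backend}:80")


if __name__ == "__main__":
    for name, rules in (("ported as-is", PORTED_AS_IS), ("corrected", CORRECTED)):
        print(f"{name}: {simulate(rules, 12)}")
        for rule in rules:
            print("  " + rule_text(*rule))
```

Copying "--every 4 --packet 0..3" over unchanged leaves a third of the new connections matching no rule at all; the 4/3/2/unconditional set sends exactly three of twelve to each backend.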