On Wed, Apr 6, 2016 at 11:34 PM, Lukas Erlacher <[email protected]> wrote:
> Addendum:
>
> On the load balancer,
>
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> will match *all* packets (for example the packets of your SSH connection,
> since there is undoubtedly a socket for those SSH packets), at least it
> does on my system; this is much nicer IMO:
>
> iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j DIVERT
>
> The addition of --transparent restricts the matching to packets going to
> transparent sockets, which are the packets sent back to the load balancer
> from the backend.
>
> The end result may be pretty much the same (lots of packets end up being
> delivered locally, some of which would have been dropped because they
> aren't carrying a destination IP address that is actually on the load
> balancer), but it's much less invasive.
>
> Again, if you don't have a dedicated IP for the load balancer (you
> probably should have, because you probably want a virtual IP for failover),
> you can just match the port instead.
>
> Best,
> Luke
>

Thanks Lukas, I find this very useful and think the details provided in both your emails are worth updating the blog post or coming up with a new one if an update is not possible.

Cheers,
Igor
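An added audit script (not from the thread or either author) that makes Lukas's point checkable on an existing load balancer: it scans `iptables-save` output for mangle-table rules that use `-m socket` without `--transparent`, the over-broad form that diverts every packet with a matching local socket. The embedded dump is constructed for the example; the MARK/ACCEPT contents of the DIVERT chain are assumed from the usual TPROXY setup and are not stated in the mail.

```shell
#!/bin/sh
# Flag "-m socket" rules in the mangle table that lack "--transparent".
# Without --transparent the rule also catches traffic to ordinary local
# sockets (the SSH example from the thread), not only replies from the
# backend that are headed for transparent sockets.

# Constructed sample of `iptables-save -t mangle` output: the broad rule,
# the corrected rule, and an assumed DIVERT chain (MARK + ACCEPT).
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m socket --transparent -j DIVERT
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT
COMMIT'

# Reads iptables-save text on stdin, prints each offending mangle rule,
# and exits 1 if any were found (0 if the table is clean).
find_broad_socket_rules() {
    awk '
        /^\*/      { table = substr($0, 2) }   # "*mangle" -> "mangle"
        /^COMMIT/  { table = "" }
        table == "mangle" && /^-A/ && / -m socket/ && !/--transparent/ {
            print; found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Runs the check over the embedded sample; on a real box replace the
# printf with:  iptables-save -t mangle | find_broad_socket_rules
audit_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | find_broad_socket_rules
}
```

On the sample the script reports only `-A PREROUTING -p tcp -m socket -j DIVERT`; the `--transparent` variant passes.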

