On 20.11.2017 at 15:38, Hallvard Breien Furuseth wrote:
> I want a realserver to temporarily tell the load balancer to not
> send new connections, but to keep old connections. This seems to
> work, is it OK?

Why you just set its weight to zero?

> LB_dip=111.22.33.44/31 # Load balancer - director
> iptables -A INPUT -i eth0 -s $LB_dip -p tcp --syn -j REJECT \
>     -m time --datestop 2017-11-20T18:30
>
> Tunneling/Direct routing. LVS probes just connect and disconnect.
>
> I don't remember why the --syn is there, maybe we should drop it
> for simplicity. The --datestop is because we'll forget to unblock
> probes someday, and then we'd wonder why the server doesn't work.
>
> Should make an IPv6 version too.
>
>
>
> Full "minimal" iptables, interested in nothing but load balancing:
>
> LB_dip=111.22.33.44/31 # Load balancer - director
> LB_vip=111.22.33.55 # Load balancer - virtual IP address
>
> # Handle most of the traffic early. Not needed with these minimal rules.
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
> # Let through tunnel traffic from load balancer
> -A INPUT -i eth0 -s $LB_dip -p 4 -j ACCEPT
> -A INPUT -i tunl0 -j ACCEPT
>
> # LB_hook is usually empty
> -N LB_hook
> -A INPUT -j LB_hook
> # Temporarily blocking new connections from load balancer.
> -A LB_hook -i eth0 -s $LB_dip -p tcp --syn -j REJECT \
>     -m time --datestop 2017-11-20T18:30
>
> # Reject ipip tunnel traffic from elsewhere than $LB_dip
> -A INPUT -p 4 -j DROP
>
> # Keep packets small enough to fit in a tunneled packet
> -A OUTPUT -s $LB_vip -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -j TCPMSS --set-mss 1440
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
> Send requests to lvs-users-requ...@linuxvirtualserver.org
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users

Kind regards,
--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
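
Added example (not part of either message above, and not the posters' code): a small shell helper that prints the time-limited reject rule from the quoted post for either IPv4 or IPv6, with the expiry computed in UTC, because the iptables time match compares --datestop against UTC unless --kerneltz is given. The function name drain_rule, the IPv6 director address and the fixed epoch value are assumptions made for illustration; the command is only printed, not executed, and GNU date is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical helper: drain_rule.
# LB_hook, eth0, --syn, REJECT and --datestop follow the quoted rules.

# drain_rule <director-addr[/mask]> <minutes> [now-epoch]
# Prints the iptables or ip6tables command that rejects new TCP connections
# (SYN only) from the director until now+minutes; established connections
# are untouched. Returns 1 on invalid input. The body runs in a subshell,
# so its variables do not leak into the caller.
drain_rule() (
    dip="$1"
    minutes="$2"
    now="${3:-$(date +%s)}"

    # Require a positive integer without leading zeros, so the rule
    # always carries a real expiry and the arithmetic stays decimal.
    case "$minutes" in
        ''|0*|*[!0-9]*) echo "minutes must be a positive integer" >&2; return 1 ;;
    esac

    # Choose the tool from the address syntax: a colon means IPv6.
    case "$dip" in
        *:*) cmd=ip6tables ;;
        *.*) cmd=iptables ;;
        *)   echo "unrecognised address: $dip" >&2; return 1 ;;
    esac

    # Format the expiry in UTC: without --kerneltz the time match
    # interprets --datestop as UTC, not as local time.
    stop=$(date -u -d "@$((now + minutes * 60))" +%Y-%m-%dT%H:%M) || return 1

    printf '%s -A LB_hook -i eth0 -s %s -p tcp --syn -m time --datestop %s -j REJECT\n' \
        "$cmd" "$dip" "$stop"
)

# Constructed sample run: 1511197200 is 2017-11-20T17:00 UTC, so a
# 90-minute drain expires at the 18:30 used in the post.
drain_rule 111.22.33.44/31 90 1511197200
# Constructed IPv6 director address from the documentation prefix.
drain_rule 2001:db8::44/127 90 1511197200
```

Review the printed command before running it as root, and confirm with `iptables -S LB_hook` afterwards that the rule carries the expected --datestop.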