Hey!
I have two app servers that use one port each.
For example:
Java 1 port 2771
Java 2 port 2772
The connections are being made to 2771 (java client standard)
The problem is that this java server does not have good support above a certain number of connections (because of app implementation problems).
So I need to start new instances (Java 2 for example) to balance between these servers. The best way is using the iptables statistic/nth module to do the round robin. The problem is it did not work.
See below for the rules I tried.
iptables -t nat -A PREROUTING -p tcp --dport 2771 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 127.0.0.1:2771
iptables -t nat -A PREROUTING -p tcp --dport 2771 -m state --state NEW -m statistic --mode nth --every 1 --packet 0 -j DNAT --to-destination 127.0.0.1:2772
What is wrong? What is missing?
PS: I would like to use statistics modules. Of course I can write a crontab rule to change the route every minute, but if round robin is ready to use, I want to try this. I know this balance is not a perfect balance, but for an emergency it will be a solution.
--every 1 --packet 0
That should probably be:
--every 2 --packet 1
Worked. Do you know what "every" and "packet" parameters mean?
See explanation in:
man iptables-extensions
Thank you!
I have another question.
I tried to do this in two ways:
1st)
iptables -t nat -A PREROUTING -p tcp --dport 2771 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination localhost:2771
iptables -t nat -A PREROUTING -p tcp --dport 2771 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination localhost:2772
2nd)
iptables -t nat -A PREROUTING -p tcp --dport 2771 -m state --state NEW -m statistic --mode random --probability 0.5 -j DNAT --to-destination localhost:2771
iptables -t nat -A PREROUTING -p tcp --dport 2771 -m state --state NEW -m statistic --mode random --probability 0.5 -j DNAT --to-destination localhost:2772
In the 1st mode I saw a 3:1 rate (3 to 2771 and 1 to 2772).
In the 2nd mode I saw a 2:1 rate (2 to 2771 and 1 to 2772).
Of course I have to consider users disconnected, but I'm following this and I still see these proportions.
Does anyone know why this is happening?
The rules are applied independently, and the result of matching the first rule is the same as the result of matching neither rule (packet goes to port 2771).
1st)
pkt1: matches first rule (packet == 0 for this rule) -> 2771
pkt2: does not match 1st rule (packet == 1)
      does match 2nd rule (packet == 0) -> 2772
pkt3: matches first rule (packet == 0) -> 2771
pkt4: does not match 1st rule (packet == 1)
      does not match 2nd rule (packet == 1)
      no DNAT -> 2771
2nd)
rule1: 50% match -> 2771, 50% do not match -> next rule
rule2: 50% of remaining 50% (25% total) match -> 2772, remaining (25% of total) -> next rule
default: remaining 25% of total -> 2771
I'll give you two options I think will fix it:
1) In either case remove the first rule (the one that DNATs to 2771). Why DNAT to the original destination?
OR
2) In either case remove the statistic match from the second rule (the one that DNATs to 2772) so that it matches all packets to 2771 that did not match the first rule.
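Added example (not part of the thread): a small Python model of the rule chains from the last two posts, showing the split produced by the rules as posted and by each of the two suggested fixes. The class and function names are hypothetical, and the nth counter is modelled on the assumption that a rule counts only the connections that reach it and matches when count mod N equals P.

```python
import random

DEFAULT_PORT = 2771  # no DNAT rule matched: the connection keeps its original port

class Nth:
    """Model of '-m statistic --mode nth --every N --packet P' (assumption of
    this sketch): the rule counts only connections that reach it and matches
    when count mod N == P."""
    def __init__(self, every, packet):
        self.every, self.packet, self.seen = every, packet, 0
    def matches(self):
        hit = self.seen % self.every == self.packet
        self.seen += 1
        return hit

class Rand:  # model of '--mode random --probability P'
    def __init__(self, probability, rng):
        self.probability, self.rng = probability, rng
    def matches(self):
        return self.rng.random() < self.probability

class Always:  # a DNAT rule with no statistic match
    def matches(self):
        return True

def simulate(rules, connections):
    """rules: (matcher, port) pairs in chain order. The first matching DNAT rule
    wins, so later rules never see (or count) that connection."""
    counts = {}
    for _ in range(connections):
        port = next((p for m, p in rules if m.matches()), DEFAULT_PORT)
        counts[port] = counts.get(port, 0) + 1
    return counts

def nth_as_posted(n):  # both rules use --every 2 --packet 0
    return simulate([(Nth(2, 0), 2771), (Nth(2, 0), 2772)], n)
def nth_option1(n):    # option 1: first rule removed
    return simulate([(Nth(2, 0), 2772)], n)
def nth_option2(n):    # option 2: statistic match removed from the second rule
    return simulate([(Nth(2, 0), 2771), (Always(), 2772)], n)
def random_as_posted(n, seed=1):  # both rules use --probability 0.5
    rng = random.Random(seed)
    return simulate([(Rand(0.5, rng), 2771), (Rand(0.5, rng), 2772)], n)
def random_option2(n, seed=1):    # option 2 applied to the random rules
    rng = random.Random(seed)
    return simulate([(Rand(0.5, rng), 2771), (Always(), 2772)], n)

if __name__ == "__main__":
    for f in (nth_as_posted, nth_option1, nth_option2, random_as_posted, random_option2):
        print(f.__name__, sorted(f(10000).items()))
```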