Red Hat ENTERPRISE LINUX AS 2.1 Installation Manual page 128

Chapter 8: Setting Up a Red Hat Enterprise Linux AS LVS Cluster

Important

Although iptables is the default network packet filtering mechanism under the 2.4 kernel, it cannot be used concurrently with ipchains. If you attempt to /sbin/modprobe ip_tables and the ipchains module is already loaded, the kernel will issue an error and fail to start iptables. The inverse of this statement is also true. To see which modules are loaded, type /sbin/lsmod.

You are free to choose either iptables or ipchains as the network packet filter for the LVS routers, but be aware that iptables is preferred and that support for ipchains is not guaranteed in future releases.

Below are rules which assign the same firewall mark, 80, to incoming traffic destined for the floating IP address, n.n.n.n, on ports 80 and 443. For instructions on assigning the VIP to the public network interface, see Section 9.6.1, The VIRTUAL SERVER Subsection. Also note that you must log in as root and load the module for either iptables or ipchains before issuing rules for the first time.

iptables

/sbin/modprobe ip_tables
/sbin/iptables -t mangle -A PREROUTING -p tcp \
    -d n.n.n.n/32 \
    --dport 80 -j MARK --set-mark 80
/sbin/iptables -t mangle -A PREROUTING -p tcp \
    -d n.n.n.n/32 \
    --dport 443 -j MARK --set-mark 80

ipchains

/sbin/modprobe ipchains
/sbin/ipchains -A input -p tcp -d n.n.n.n/32 80 -m 80
/sbin/ipchains -A input -p tcp -d n.n.n.n/32 443 -m 80

In the above network packet filter commands, n.n.n.n should be replaced with the floating IP for your HTTP and HTTPS virtual servers. These commands have the net effect of assigning any traffic addressed to the VIP on the appropriate ports a firewall mark of 80, which in turn is recognized by IPVS and forwarded appropriately.
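The script below is an added example, not part of the manual: a dry-run helper that checks lsmod output for the conflicting packet filter module and then prints the firewall-mark commands for each port. The function names, the sample lsmod output, and the VIP 192.0.2.10 are assumptions constructed for illustration.

```shell
#!/bin/sh
# Dry run: prints the commands instead of executing them.
# Constructed sample of /sbin/lsmod output (not taken from the manual).
SAMPLE_LSMOD='Module                  Size  Used by
ipchains               38976   0 (unused)
ext3                   60352   2'

# loaded_filter: read lsmod output on stdin; print "iptables", "ipchains" or "none".
loaded_filter() {
    awk 'NR > 1 && $1 == "ip_tables" { f = "iptables" }
         NR > 1 && $1 == "ipchains"  { f = "ipchains" }
         END { print (f == "" ? "none" : f) }'
}

# valid_ipv4: succeed only for a dotted quad with every octet in 0-255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# mark_rules WANTED LOADED VIP MARK PORT...
# Print the commands that give traffic to VIP on each PORT the same firewall
# mark, refusing when the other packet filter module is already loaded.
mark_rules() {
    wanted=$1 loaded=$2 vip=$3 mark=$4
    shift 4
    if [ "$loaded" != none ] && [ "$loaded" != "$wanted" ]; then
        echo "error: $loaded is loaded; $wanted cannot be used concurrently" >&2
        return 1
    fi
    valid_ipv4 "$vip" || { echo "error: bad VIP '$vip'" >&2; return 1; }
    case $wanted in
    iptables)
        echo "/sbin/modprobe ip_tables"
        for port in "$@"; do
            echo "/sbin/iptables -t mangle -A PREROUTING -p tcp -d $vip/32 --dport $port -j MARK --set-mark $mark"
        done ;;
    ipchains)
        echo "/sbin/modprobe ipchains"
        for port in "$@"; do
            echo "/sbin/ipchains -A input -p tcp -d $vip/32 $port -m $mark"
        done ;;
    *) echo "error: unknown filter '$wanted'" >&2; return 1 ;;
    esac
}

# Demo: ipchains is loaded in the sample, so generate ipchains rules.
loaded=$(printf '%s\n' "$SAMPLE_LSMOD" | loaded_filter)
mark_rules ipchains "$loaded" 192.0.2.10 80 80 443
```

On a real LVS router, pipe /sbin/lsmod into loaded_filter and review the printed commands before running them as root.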
