>>> On 1/27/2012 at 03:18 PM, Dimitri Maziuk <[email protected]> wrote: 
> On 01/27/2012 02:48 PM, David Gersic wrote:
>>>>> On 1/27/2012 at 02:37 PM, Dimitri Maziuk <[email protected]> wrote: 
> 
>>> Why not make it static? 
>> 
>> Yeah, I could, but I didn't want to. I wanted to make it part of the
>> resource group so it'll even be there if I add a new cluster node and
>> move the group to it.
> 
> Fair enough. Rewriting iptables rules in a script is not something I'd
> recommend, though.

No guts, no glory?

Anyway, there are only two of them, and they're not all that complicated:

iptables -t nat -A PREROUTING -i eth3 -p tcp --destination 131.156.21.44 \
    --dport 443 -j DNAT --to 10.0.0.1:8443

iptables -t nat -A PREROUTING -i eth3 -p tcp --destination 131.156.21.44 \
    --dport 80 -j DNAT --to 10.0.0.1:8080

I can use a couple of IPaddr2 RAs to bind 10.0.0.1 and 131.156.21.44 to eth3, 
so no problems there. Then I just need to add the rules to iptables. On the 
stop action, deleting the rules shouldn't be any big deal to do with "iptables 
-t nat -D PREROUTING ...".

So I guess I'll be writing an RA for this. I'll think some more about it over 
the weekend, but I'm thinking that the interface (eth3), external ip 
(131.156.21.44), external port (80), internal ip (10.0.0.1) and internal port 
(8080) should be the required parameters. The rest can be hard coded in the RA 
script. I'm looking at the 'portblock' RA as a possible starting point, though 
it may be easier to start from scratch.

Actions start and stop should be easy enough. Actions status and monitor don't 
really make any sense, though, so I'm not sure what I'll do with those.



_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
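
Added example (not part of the original message and not code from this thread): a sketch of how start, stop and monitor for one of the DNAT rules above can be made idempotent, using "iptables -C" to test whether the rule is present. The OCF_RESKEY_* parameter names, the function names and the IPTABLES override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: not the RA from this thread. OCF_RESKEY_* names are hypothetical.
# OCF exit codes, defined inline here; a real RA sources ocf-shellfuncs for them.
OCF_SUCCESS=0; OCF_ERR_GENERIC=1; OCF_ERR_UNIMPLEMENTED=3
OCF_ERR_CONFIGURED=6; OCF_NOT_RUNNING=7
: "${IPTABLES:=iptables}"   # overridable so the logic can be tested without root

dnat_validate() {
    # The RA runs as root and the rule is word-split: accept only plain tokens.
    for v in "$OCF_RESKEY_interface" "$OCF_RESKEY_ext_ip" "$OCF_RESKEY_ext_port" \
             "$OCF_RESKEY_int_ip" "$OCF_RESKEY_int_port"; do
        case "$v" in ''|*[!A-Za-z0-9.]*) return $OCF_ERR_CONFIGURED ;; esac
    done
}

# One rule spec shared by -A, -C and -D so they can never drift apart.
dnat_rule() {
    echo "PREROUTING -i $OCF_RESKEY_interface -p tcp" \
         "--destination $OCF_RESKEY_ext_ip --dport $OCF_RESKEY_ext_port" \
         "-j DNAT --to $OCF_RESKEY_int_ip:$OCF_RESKEY_int_port"
}

dnat_monitor() {
    # -C exits 0 only when an identical rule is already in the chain.
    $IPTABLES -t nat -C $(dnat_rule) 2>/dev/null && return $OCF_SUCCESS
    return $OCF_NOT_RUNNING
}

dnat_start() {
    dnat_monitor && return $OCF_SUCCESS   # idempotent: never append twice
    $IPTABLES -t nat -A $(dnat_rule) || return $OCF_ERR_GENERIC
    dnat_monitor
}

dnat_stop() {
    # Remove every copy; stopping an already-absent rule must still succeed.
    while dnat_monitor; do
        $IPTABLES -t nat -D $(dnat_rule) || return $OCF_ERR_GENERIC
    done
    return $OCF_SUCCESS
}

if [ $# -gt 0 ]; then
    dnat_validate || exit $?
    case "$1" in
        start) dnat_start ;; stop) dnat_stop ;; monitor|status) dnat_monitor ;;
        *) exit $OCF_ERR_UNIMPLEMENTED ;;
    esac
    exit $?
fi
```

The validation is deliberately conservative (letters, digits and dots only), so an interface name containing other characters would need the pattern widened.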
