17.7.1 Configuring Firewall Rules for Keepalived NAT-Mode Load Balancing

If you configure Keepalived to use NAT mode for load balancing with the servers on the internal network, the Keepalived server handles all inbound and outbound network traffic for the service and hides the existence of the back-end servers: in outgoing packets, it rewrites the source IP address of the real back-end server to the virtual IP address of the external network interface.

To configure a Keepalived server to use NAT mode for load balancing:

  1. Configure NAT mode (masquerading) on the external network interface, for example:

    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # service iptables save
  2. If your firewall does not already have them, configure forwarding rules between the external and internal network interfaces, for example:

    # iptables -A FORWARD -i eth0 -o eth1 -m state \
      --state RELATED,ESTABLISHED -j ACCEPT
    # iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    # iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    # service iptables save
  3. Enable access to the services or ports that you want Keepalived to handle.

    For example, to enable access to HTTP and make this rule persist across reboots, enter the following commands:

    # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    # service iptables save
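As an added example that is not part of the Oracle Linux guide, the following POSIX shell script audits an iptables-save dump for the rules the three steps above install, so you can confirm a director's ruleset after a reboot or a `service iptables save`. The interface names, the sample dump and the ip_forward helper are assumptions of this example; the procedure itself does not list the ip_forward prerequisite.

```shell
#!/bin/sh
# Added example, not part of the Oracle Linux guide: audit an iptables-save
# dump for the Keepalived NAT-mode rules installed by the procedure above.
# Interface names are assumptions; override with EXT_IF=... INT_IF=...
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"

# Constructed sample of what `iptables-save` prints after the three steps.
SAMPLE_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# has_rule DUMP REGEX: succeed if some line of DUMP matches REGEX.
has_rule() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# check_nat_rules DUMP PORT...: report each expected rule; the return value
# is the number of missing rules, so 0 means the ruleset matches the steps.
check_nat_rules() {
    dump="$1"; shift
    missing=0
    for spec in \
        "step 1: masquerade out of $EXT_IF|^-A POSTROUTING -o $EXT_IF -j MASQUERADE\$" \
        "step 2: replies $EXT_IF to $INT_IF|^-A FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT\$" \
        "step 2: forward $INT_IF to $EXT_IF|^-A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT\$" \
        "step 2: reject other forwards|^-A FORWARD -j REJECT --reject-with icmp-host-prohibited\$"
    do
        label="${spec%%|*}"; regex="${spec#*|}"
        if has_rule "$dump" "$regex"; then echo "ok      $label"
        else echo "MISSING $label"; missing=$((missing + 1)); fi
    done
    for port in "$@"; do    # step 3: one INPUT accept per published port
        if has_rule "$dump" "^-A INPUT .*-p tcp .*--dport $port -j ACCEPT\$"; then
            echo "ok      step 3: INPUT accepts tcp/$port"
        else echo "MISSING step 3: INPUT accepts tcp/$port"; missing=$((missing + 1)); fi
    done
    return "$missing"
}

# Prerequisite the procedure does not spell out: the FORWARD chain only sees
# traffic if the kernel routes between interfaces (net.ipv4.ip_forward = 1).
forwarding_enabled() { [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]; }

# Audit the constructed sample; on a real director use "$(iptables-save)".
check_nat_rules "$SAMPLE_DUMP" 80
```

On a live director, run `check_nat_rules "$(iptables-save)" 80` as root; a non-zero exit status names the step whose rule did not survive.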