17.7.1 Configuring Firewall Rules for Keepalived NAT-Mode Load Balancing

If you configure Keepalived to use NAT mode for load balancing with the back-end servers on an internal network, the Keepalived server handles all inbound and outbound traffic for those servers. It hides their existence from clients by rewriting the source IP address of the real back-end server in outgoing packets with the virtual IP address of the external network interface (masquerading), so clients only ever see the virtual address.

To configure a Keepalived server to use NAT mode for load balancing:

  1. Configure the firewall so that the interfaces on the external network side are in a different zone from the interfaces on the internal network side.

    The following example demonstrates how to move interface enp0s9 to the internal zone while interface enp0s8 remains in the public zone:

    # firewall-cmd --get-active-zones
    public
      interfaces: enp0s8 enp0s9
    # firewall-cmd --zone=public --remove-interface=enp0s9
    success
    # firewall-cmd --zone=internal --add-interface=enp0s9
    success
    # firewall-cmd --permanent --zone=public --remove-interface=enp0s9
    success
    # firewall-cmd --permanent --zone=internal --add-interface=enp0s9
    success
    # firewall-cmd --get-active-zones
    internal
      interfaces: enp0s9
    public
      interfaces: enp0s8
  2. Configure NAT mode (masquerading) on the external network interface, for example:

    # firewall-cmd --zone=public --add-masquerade
    success
    # firewall-cmd --permanent --zone=public --add-masquerade
    success
    # firewall-cmd --zone=public --query-masquerade
    yes
    # firewall-cmd --zone=internal --query-masquerade
    no
  3. If not already enabled for your firewall, configure forwarding rules between the external and internal network interfaces, for example:

    # firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 \
      -i enp0s8 -o enp0s9 -m state --state RELATED,ESTABLISHED -j ACCEPT
    success
    # firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 \
      -i enp0s9 -o enp0s8 -j ACCEPT
    success
    # firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 \
      -j REJECT --reject-with icmp-host-prohibited
    success
    # firewall-cmd --reload
  4. Enable access to the services or ports that you want Keepalived to handle.

    For example, to enable access to HTTP and make this rule persist across reboots, enter the following commands:

    # firewall-cmd --zone=public --add-service=http
    success
    # firewall-cmd --permanent --zone=public --add-service=http
    success
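The four steps above form one procedure, and the most common mistake is leaving both interfaces in the same zone (step 1), which would apply the public zone's masquerading and service rules to the internal side as well. The following POSIX shell script is an added example, not part of this document and not a Keepalived or firewalld tool: it parses `firewall-cmd --get-active-zones` output to confirm that the external and internal interfaces sit in different zones, then prints (dry run by default, `APPLY=1` to execute) the same sequence of `firewall-cmd` calls shown in steps 1 to 4. The interface names enp0s8 (external) and enp0s9 (internal) and the service `http` come from the text; the two zone listings are constructed sample output, and the function names (`zone_of`, `zones_separated`, `nat_mode_commands`, `fw`) are the example's own.

```shell
#!/bin/sh
# Added example, not from the original document. Constructed samples of
# `firewall-cmd --get-active-zones` output before and after step 1.
BEFORE='public
  interfaces: enp0s8 enp0s9'
AFTER='internal
  interfaces: enp0s9
public
  interfaces: enp0s8'

# zone_of ZONES_TEXT IFACE: print the zone whose "interfaces:" line lists IFACE,
# nothing if the interface is not active in any zone.
zone_of() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ \t]/ { zone = $1; next }                 # unindented line: zone name
        /^[ \t]+interfaces:/ {
            for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
        }'
}

# zones_separated ZONES_TEXT EXT INT: succeed only when both interfaces are
# active and in different zones (the precondition step 1 establishes).
zones_separated() {
    ext_zone=$(zone_of "$1" "$2")
    int_zone=$(zone_of "$1" "$3")
    [ -n "$ext_zone" ] && [ -n "$int_zone" ] && [ "$ext_zone" != "$int_zone" ]
}

# fw ARGS...: dry-run wrapper; prints the command unless APPLY=1 is set.
fw() {
    if [ "${APPLY:-0}" = 1 ]; then
        firewall-cmd "$@"
    else
        echo "firewall-cmd $*"
    fi
}

# nat_mode_commands EXT INT SERVICE: steps 1-4 of the procedure, runtime and
# permanent, in the order the text gives them.
nat_mode_commands() {
    ext=$1; int=$2; svc=$3
    # Step 1: move the internal interface out of public into internal.
    for perm in "" --permanent; do
        fw $perm --zone=public --remove-interface="$int"
        fw $perm --zone=internal --add-interface="$int"
    done
    # Step 2: masquerade on the external (public) side only.
    for perm in "" --permanent; do
        fw $perm --zone=public --add-masquerade
    done
    # Step 3: forwarding rules. Same-priority direct rules are evaluated in the
    # order they were added, so the catch-all REJECT must be added last.
    fw --direct --permanent --add-rule ipv4 filter FORWARD 0 \
        -i "$ext" -o "$int" -m state --state RELATED,ESTABLISHED -j ACCEPT
    fw --direct --permanent --add-rule ipv4 filter FORWARD 0 \
        -i "$int" -o "$ext" -j ACCEPT
    fw --direct --permanent --add-rule ipv4 filter FORWARD 0 \
        -j REJECT --reject-with icmp-host-prohibited
    fw --reload
    # Step 4: expose the load-balanced service on the external side.
    for perm in "" --permanent; do
        fw $perm --zone=public --add-service="$svc"
    done
}

# Demonstration on the constructed listings (no firewall is touched).
if zones_separated "$BEFORE" enp0s8 enp0s9; then
    echo "before step 1: zones already separated"
else
    echo "before step 1: enp0s8 and enp0s9 share a zone, step 1 is required"
fi
if zones_separated "$AFTER" enp0s8 enp0s9; then
    echo "after step 1: zones separated, proceeding with steps 2-4"
    nat_mode_commands enp0s8 enp0s9 http
fi
```

On a live host, replace the constructed listing with `zone_of "$(firewall-cmd --get-active-zones)" enp0s9` to check the real state, and run `APPLY=1 nat_mode_commands enp0s8 enp0s9 http` only after `zones_separated` has been confirmed, since masquerading and the service rule are meant for the public zone alone.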