[Firehol-support] firehol with ipvs (lvs) and synproxy

Tsaousis, Costa costa at tsaousis.gr
Thu Feb 26 00:52:37 GMT 2015

Just pushed a version of FireHOL that supports load balancing without IPVS.

This load balancing is now part of dnat, snat and redirect commands.

It works like this:

The template for dnat, for example, was:

dnat to IP[-IP]:PORT[-PORT] ...

Now you can add multiple such values (comma separated, or space
separated in quotes), like this:

dnat to "" ...
dnat to,, ...

The above will produce a round robin distribution. Of course you can
also give ports:

dnat to,,

To use weighted distribution, you just add weights, with a slash:

dnat to,,

So, will get 50% of the requests, will get 30%
and will get 20%.
The weights do not need to sum to 100. They are relative weights to each
other. FireHOL will sum the weights and give a percentage to each.

synproxy supports these too (!)

Keep in mind that if you need persistence (i.e. each client to only
use one of the servers) this distribution (round robin or weighted)
does not provide it. My tests showed that the Linux kernel does not
keep persistence across multiple iptables statements. Only if
balancing can be achieved with just one iptables statement will each client
use only one server when persistence is requested from iptables.
FireHOL will give a warning if you request persistence that cannot be


On Wed, Feb 25, 2015 at 1:00 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> Hi all,
> I was trying to add IPVS (LVS) support to FireHOL.
> IPVS is a load balancer in the kernel. It can be used for both TCP and
> UDP traffic.
> Load balancing servers can also be achieved with DNAT, like this:
> dnat to persistent inface wan0 proto tcp dport 80
> This will load balance web servers to for all
> tcp/80 traffic sent to PUBLIC_IP.
> However, IPVS balancing has a few great features the DNAT method does not:
> 1. IPVS supports multiple algorithms for distributing traffic to real
> servers. DNAT does not. IPVS not only balances load on the real
> servers using multiple algorithms, but also supports balancing servers
> using different weights for each.
> 2. IPVS can add or remove real servers to/from the load balancer
> without restarting the firewall. So someone may add scripts to monitor
> the real servers and if a server goes down, IPVS can be re-configured
> to adapt. In the DNAT case, this is not possible. DNAT accepts only
> one range of IPs. If a server in the middle of the range goes down,
> DNAT balancing for the rest cannot be configured.
> Unfortunately, IPVS has its own connection tracker and by default does
> not cooperate with the iptables connection tracker. This can be fixed
> by setting /proc/sys/net/ipv4/vs/conntrack to 1. Once this is set to 1,
> iptables (and FireHOL) will be able to see the packets controlled by
> IPVS and manage its traffic like everything else.
> It is though said that enabling /proc/sys/net/ipv4/vs/conntrack wastes
> resources, since now there will be 2 connection trackers monitoring
> the traffic.
> Also, IPVS cannot work with SYNPROXY. There seems to be a kernel patch
> that enables this, but up to kernel 3.18, it does not seem to be
> integrated in the kernel.
> So, for IPVS to work with FireHOL there are 2 options:
> 1. Exclude all IPVS traffic from FireHOL. This can be done by adding a
> few iptables commands at the top of firehol.conf with '-j CT
> --notrack' (to disable the iptables connection tracker) and then
> iptables commands to ACCEPT IPVS traffic in the filter.FORWARD chain.
> This is the most efficient (less resource hungry) way.
> or
> 2. set /proc/sys/net/ipv4/vs/conntrack to 1, and use FireHOL for filtering it.
> This is the easiest and will not be a problem if you don't have
> several Gbps of such traffic.
> If you use IPVS and you have found any other way to work with it,
> please let us know...
> Costa
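Added example, not FireHOL's own code: a small parser for the multi-target syntax described in the message above (IP[-IP]:PORT[-PORT]/WEIGHT, comma or space separated) that turns relative weights into shares and then into the per-rule probabilities a chain of sequential iptables rules would need. The `-m statistic --mode random` mapping is an assumption for illustration; the page does not show how FireHOL emits its rules, and the addresses are constructed.

```python
import re
from fractions import Fraction

# IP[-IP]:PORT[-PORT][/WEIGHT], as in the dnat template above.
_TARGET = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}(?:-\d{1,3}(?:\.\d{1,3}){3})?)"
    r"(?::(?P<port>\d+(?:-\d+)?))?(?:/(?P<weight>\d+))?$"
)

def parse_targets(spec):
    """Comma- or whitespace-separated target list -> (ip, port, weight) tuples.
    A missing weight counts as 1, so a list without weights is plain round robin."""
    out = []
    for item in re.split(r"[\s,]+", spec.strip()):
        if not item:
            continue
        m = _TARGET.match(item)
        if not m:
            raise ValueError("bad target: %r" % item)
        out.append((m.group("ip"), m.group("port"), int(m.group("weight") or 1)))
    return out

def shares(targets):
    """Relative weights -> exact share per target; weights need not sum to 100."""
    total = sum(w for _, _, w in targets)
    return [Fraction(w, total) for _, _, w in targets]

def sequential_probabilities(targets):
    """Probability each successive rule needs when rules are tried in order:
    w_i / sum(w_i..w_n), since earlier rules already took their share.
    The last rule always matches (probability 1)."""
    weights = [w for _, _, w in targets]
    return [Fraction(w, sum(weights[i:])) for i, w in enumerate(weights)]

def to_iptables_args(targets):
    """Assumed '-m statistic --mode random' match plus DNAT target per rule
    (illustrates the sequential approach; FireHOL's generated rules may differ)."""
    lines = []
    for (ip, port, _), p in zip(targets, sequential_probabilities(targets)):
        dest = ip if port is None else "%s:%s" % (ip, port)
        parts = [] if p == 1 else ["-m statistic --mode random --probability %.4f" % float(p)]
        parts.append("-j DNAT --to-destination " + dest)
        lines.append(" ".join(parts))
    return lines

# Constructed sample: the 50/30/20 split discussed above (RFC 5737 addresses).
SAMPLE = "192.0.2.10:80/50,192.0.2.11:80/30,192.0.2.12:80/20"
if __name__ == "__main__":
    targets = parse_targets(SAMPLE)
    for (ip, port, w), s, rule in zip(targets, shares(targets), to_iptables_args(targets)):
        print("%s:%s weight %d -> %d%%   %s" % (ip, port, w, round(100 * s), rule))
```

Because each rule's probability is conditional on the earlier rules not matching, the second rule gets 0.6 rather than 0.3; that is the step to check if a weighted split ever looks skewed in the counters.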
