Index: branches/fc11-dev/lvs/debian/config/etc/ha.d/ldirectord.cf =================================================================== --- branches/fc11-dev/lvs/debian/config/etc/ha.d/ldirectord.cf (revision 1121) +++ branches/fc11-dev/lvs/debian/config/etc/ha.d/ldirectord.cf (revision 1198) @@ -5,203 +5,33 @@ quiescent=no -virtual=18.181.0.46:25 +# iptables rules caused SMTP to use FWM 3 +virtual=3 real=18.181.0.53:25 gate 1024 real=18.181.0.57:25 gate 1024 - real=18.181.0.167:25 gate 512 - fallback=18.187.1.128:25 gate + real=18.181.0.167:25 gate 1024 service=smtp scheduler=wlc persistent=600 - protocol=tcp + protocol=fwm checktype=negotiate + checkport=25 -virtual=18.181.0.46:80 - real=18.181.0.53:80 gate 1024 - real=18.181.0.57:80 gate 1024 - real=18.181.0.167:80 gate 512 - fallback=127.0.0.1:80 gate - service=http - request="heartbeat/http" +# Apache (80, 443, and 444) uses FWM 2 +virtual=2 + real=18.181.0.53 gate 1024 + real=18.181.0.57 gate 1024 + real=18.181.0.167 gate 1024 + fallback=127.0.0.1 gate + service=http + request="heartbeat/http" virtualhost="scripts.mit.edu" - receive="1" - scheduler=wlc - persistent=600 - protocol=tcp - checktype=negotiate + receive="1" + checktype=negotiate + checkport=80 + scheduler=wlc + persistent=600 + protocol=fwm -virtual=18.181.0.46:443 - real=18.181.0.53:443 gate 1024 - real=18.181.0.57:443 gate 1024 - real=18.181.0.167:443 gate 512 - fallback=18.187.1.128:443 gate - service=https - request="heartbeat/https" - virtualhost="scripts.mit.edu" - receive="1" - scheduler=wlc - persistent=600 - protocol=tcp - checktype=negotiate - -virtual=18.181.0.46:444 - real=18.181.0.53:444 gate 1024 - real=18.181.0.57:444 gate 1024 - real=18.181.0.167:444 gate 512 - fallback=18.187.1.128:444 gate - service=https - request="heartbeat/https" - virtualhost="scripts.mit.edu" - receive="1" - scheduler=wlc - persistent=600 - protocol=tcp - checktype=negotiate - -virtual=18.181.0.43:25 - real=18.181.0.53:25 gate 1024 - real=18.181.0.57:25 gate 1024 - real=18.181.0.167:25 gate 512 - fallback=18.187.1.128:25 gate - service=smtp - scheduler=wlc - persistent=600 - protocol=tcp - checktype=negotiate - -virtual=18.181.0.43:80 - real=18.181.0.53:80 gate 1024 - real=18.181.0.57:80 gate 1024 - real=18.181.0.167:80 gate 512 - fallback=127.0.0.1:80 gate - service=http - request="heartbeat/http" - receive="1" - scheduler=wlc - persistent=600 - protocol=tcp - checktype=negotiate - -virtual=18.181.0.43:443 - real=18.181.0.53:443 gate 1024 - real=18.181.0.57:443 gate 1024 - real=18.181.0.167:443 gate 512 - fallback=18.187.1.128:443 gate - service=https - request="heartbeat/https" - virtualhost="scripts.mit.edu" - receive="1" - scheduler=wlc - persistent=600 - protocol=tcp - checktype=negotiate - -virtual=18.181.0.43:444 - real=18.181.0.53:444 gate 1024 - real=18.181.0.57:444 gate 1024 - real=18.181.0.167:444 gate 512 - fallback=18.187.1.128:444 gate - service=https - request="heartbeat/https" - virtualhost="scripts.mit.edu" - receive="1" - scheduler=wlc - persistent=600 - protocol=tcp - checktype=negotiate - -virtual=18.181.0.50:25 - real=18.181.0.53:25 gate 1024 - real=18.181.0.57:25 gate 1024 - real=18.181.0.167:25 gate 512 - fallback=18.187.1.128:25 gate - service=smtp - scheduler=wlc - persistent=600 - protocol=tcp - checktype=negotiate - -virtual=18.181.0.50:80 - real=18.181.0.53:80 gate 1024 - real=18.181.0.57:80 gate 1024 - real=18.181.0.167:80 gate 512 - fallback=127.0.0.1:80 gate - service=http - request="heartbeat/http" - receive="1" - scheduler=wlc - persistent=600 - protocol=tcp - checktype=negotiate - -virtual=18.181.0.50:443 - real=18.181.0.53:443 gate 1024 - real=18.181.0.57:443 gate 1024 - real=18.181.0.167:443 gate 512 - fallback=18.187.1.128:443 gate - service=https - request="heartbeat/https" - virtualhost="scripts.mit.edu" - receive="1" - scheduler=wlc - persistent=600 - protocol=tcp - checktype=negotiate - -virtual=18.181.0.50:444 - real=18.181.0.53:444 gate 1024 - real=18.181.0.57:444 gate 1024 - real=18.181.0.167:444 gate 512 - fallback=18.187.1.128:444 gate - service=https - request="heartbeat/https" - virtualhost="scripts.mit.edu" - receive="1" - scheduler=wlc - persistent=600 - protocol=tcp - checktype=negotiate - -virtual=18.181.0.49:80 - real=18.181.0.53:80 gate 1024 - real=18.181.0.57:80 gate 1024 - real=18.181.0.167:80 gate 512 - fallback=127.0.0.1:80 gate - service=http - request="heartbeat/http" - virtualhost="scripts.mit.edu" - receive="1" - scheduler=wlc - persistent=600 - protocol=tcp - checktype=negotiate - -virtual=18.181.0.49:443 - real=18.181.0.53:443 gate 1024 - real=18.181.0.57:443 gate 1024 - real=18.181.0.167:443 gate 512 - fallback=18.187.1.128:443 gate - service=https - request="heartbeat/https" - virtualhost="scripts.mit.edu" - receive="1" - scheduler=wlc - persistent=600 - protocol=tcp - checktype=negotiate - -virtual=18.181.0.49:444 - real=18.181.0.53:444 gate 1024 - real=18.181.0.57:444 gate 1024 - real=18.181.0.167:444 gate 512 - fallback=18.187.1.128:444 gate - service=https - request="heartbeat/https" - virtualhost="scripts.mit.edu" - receive="1" - scheduler=wlc - persistent=600 - protocol=tcp - checktype=negotiate - +# Everything else uses FWM 1 and gets sent only to the primary virtual=1 real=18.181.0.53 gate "heartbeat/services", "1" Index: branches/fc11-dev/lvs/debian/config/etc/inetd.conf =================================================================== --- branches/fc11-dev/lvs/debian/config/etc/inetd.conf (revision 1121) +++ branches/fc11-dev/lvs/debian/config/etc/inetd.conf (revision 1198) @@ -39,6 +39,3 @@ # Make it easy to remotely query these LVS servers -# Joe Presbrey -60001 stream tcp nowait nobody /usr/local/sbin/in.vs_main -60002 stream tcp nowait nobody /usr/local/sbin/in.vs_stat -60003 stream tcp nowait nobody /usr/local/sbin/in.vs_conn +79 stream tcp nowait root /sbin/ipvsadm Index: branches/fc11-dev/lvs/debian/config/etc/lighttpd/lighttpd.conf =================================================================== --- branches/fc11-dev/lvs/debian/config/etc/lighttpd/lighttpd.conf (revision 1121) +++ branches/fc11-dev/lvs/debian/config/etc/lighttpd/lighttpd.conf (revision 1198) @@ -3,4 +3,8 @@ "mod_magnet", ) + +server.max-connections=4096 +server.max-fds=9182 +server.max-read-idle=5 ## a static document-root, for virtual-hosting take look at the Index: branches/fc11-dev/lvs/debian/config/etc/munin/plugins/cps_1_0 =================================================================== --- branches/fc11-dev/lvs/debian/config/etc/munin/plugins/cps_1_0 (revision 1198) +++ branches/fc11-dev/lvs/debian/config/etc/munin/plugins/cps_1_0 (revision 1198) @@ -0,0 +1,268 @@ +#!/usr/bin/perl +# +# Plugin to monitor connections per second, for LVS loadbalancers. +# +# Magic name: +# +# cps_ +# cps__ +# +# Examples: +# +# cps_smtp +# cps_mail.foo.boo_smtp +# cps_pop3 +# cps_www.foo.boo_www +# cps_vvv.foo.boo_www +# +# Parameters understood: +# +# config (required) +# autoconf (optional - used by munin-config) +# suggest (optional - used by munin-config) +# +# $Log$ +# Revision 1.8 2004/12/10 18:55:14 jimmyo +# Removed hardcoded host_name in linux/cps_. +# +# Revision 1.7 2004/12/10 18:51:44 jimmyo +# linux/apt* has been forced to LANG=C, to get predictable output. +# +# Revision 1.6 2004/12/10 11:48:42 jimmyo +# linux/cps_ plugin now groks high numbers. +# +# Revision 1.5 2004/12/10 10:47:49 jimmyo +# Change name from ${scale} to ${graph_period}, to be more consistent. +# +# Revision 1.4 2004/12/09 22:12:56 jimmyo +# Added "graph_period" option, to make "graph_sums" usable. +# +# Revision 1.3 2004/11/21 00:16:57 jimmyo +# Changed a lot of plugins so they use DERIVE instead of COUNTER. +# +# Revision 1.2 2004/05/20 19:02:37 jimmyo +# Set categories on a bunch of plugins +# +# Revision 1.1 2004/01/02 18:50:01 jimmyo +# Renamed occurrances of lrrd -> munin +# +# Revision 1.1.1.1 2004/01/02 15:18:07 jimmyo +# Import of LRRD CVS tree after renaming to Munin +# +# Revision 1.4 2003/11/07 17:43:16 jimmyo +# Cleanups and log entries +# +# +# +# Magic markers - optional - used by installation scripts and munin-config: +# +#%# family=manual +#%# capabilities=autoconf suggest +# + +use strict; + +if ( defined $ARGV[0] and $ARGV[0] eq "autoconf" ) +{ + &autoconf (); +} +if ( defined $ARGV[0] and $ARGV[0] eq "suggest" ) +{ + my $sipvs; + $sipvs = &ipvs (".", ".", $sipvs); + exit 0 if $sipvs == undef; + &suggest ($sipvs); +} + +unless ($0 =~ /cps(?:_([^_]+)|)_(.+)\s*$/) +{ + die "Could not parse name $0.\n"; +} +my $vip = $1; +my $port = $2; +my $ipvs; + +#print "Name: $0\nPort: $port\nVip : $vip\n"; + +# Read ipvsadm-output + +$ipvs = &ipvs ($vip, $port, $ipvs); + +if ( defined $ARGV[0] and $ARGV[0] eq "dump" ) +{ + use Data::Dumper; + print Dumper($ipvs); +} + +if ( defined $ARGV[0] and $ARGV[0] eq "config" ) +{ + &config ($vip, $port, $ipvs); +} + +$vip = $vip || ""; +if (exists ($ipvs->{$vip}) and exists ($ipvs->{$vip}->{$port})) +{ + foreach my $host (sort keys %{$ipvs->{$vip}->{$port}}) + { + (my $fname = $host) =~ s/[.-]/_/g; + print "$fname.value ", $ipvs->{$vip}->{$port}->{$host}, "\n";; + } +} +else +{ + foreach my $vip (sort keys %{$ipvs}) + { + foreach my $host (sort keys %{$ipvs->{$vip}->{$port}}) + { + (my $fname = ($vip . "-" . $host)) =~ s/[.-]/_/g; + print "$fname.value ", $ipvs->{$vip}->{$port}->{$host}, "\n";; + } + } +} + +sub autoconf +{ + system ("/sbin/ipvsadm -L --stats >/dev/null 2>/dev/null"); + + if ($? == 0) + { + print "yes\n"; + exit 0; + } + elsif (($?>>8) == 2) + { + print "no (permission denied)\n"; + exit 1; + } + elsif ($? == 127) + { + print "no (ipvsadm not found)\n"; + exit 1; + } + else + { + print "no\n"; + exit 1; + } +} +sub suggest +{ + my $ipvs = shift; + exit 0 unless $ipvs; + + foreach my $vip (sort keys %{$ipvs}) + { + foreach my $port (sort keys %{$ipvs->{$vip}}) + { + print "cps_${vip}_$port\n"; + } + } + exit 0; +} + +sub config +{ + my $vip = shift; + my $port = shift; + my $ipvs = shift; + + print "graph_title Loadbalanced ",($vip?$vip:"*"),"->",$port," connections\n"; + print "graph_args -l 0\n"; + print "graph_total total\n"; + print "graph_vlabel connections / \${graph_period}\n"; + print "graph_category network\n"; + my $first=1; + $vip = $vip || ""; + if (exists ($ipvs->{$vip}) and exists ($ipvs->{$vip}->{$port})) + { + foreach my $host (sort keys %{$ipvs->{$vip}->{$port}}) + { + (my $fname = $host) =~ s/[.-]/_/g; + if ( $first == 1 ) + { + print "$fname.draw AREA\n"; + $first=0 + } + else + { + print "$fname.draw STACK\n"; + } + print "$fname.type DERIVE\n"; + $host =~ s/-bak//; + print "$fname.label $host\n"; + print "$fname.max 1000\n"; + print "$fname.min 0\n"; + } + } + else + { + foreach my $vip (reverse sort keys %{$ipvs}) + { + foreach my $host (sort keys %{$ipvs->{$vip}->{$port}}) + { + (my $fname = ($vip . "-" . $host)) =~ s/[.-]/_/g; + if ( $first == 1 ) + { + print "$fname.draw AREA\n"; + $first=0 + } + else + { + print "$fname.draw STACK\n"; + } + print "$fname.type DERIVE\n"; + $host =~ s/-bak//; + my $label = "$vip -> $host"; + $label =~ s/\.MIT\.EDU//g; + print "$fname.label $label\n"; + print "$fname.max 1000\n"; + print "$fname.min 0\n"; + } + } + } + exit 0; +} + +sub ipvs +{ + my $vip = shift; + my $port = shift; + my $ipvs = shift; + open (IPVS, "/sbin/ipvsadm -L --stats 2>/dev/null|") or return undef; + my $cvip = ""; + my $cport = ""; + while () + { + next if /^IP Virtual Server/; + next if /^Prot\s+LocalAddress/; + if (/^(\w+)\s+([\w\.-]+):([\w\d]+)\s+(\d+)[KMG]?\s+/) + { + $cvip = $2; + $cport = $3; + } + elsif (/^FWM\s+([\d]+)\s/) + { + $cvip = $1; + $cport = 0; + } + elsif (/^\s+->\s+([^:]+):(\S+)\s+(\d+)G\s+/) + { + $ipvs->{$cvip}->{$cport}->{$1} += ($3*1000000000); + } + elsif (/^\s+->\s+([^:]+):(\S+)\s+(\d+)M\s+/) + { + $ipvs->{$cvip}->{$cport}->{$1} += ($3*1000000); + } + elsif (/^\s+->\s+([^:]+):(\S+)\s+(\d+)K\s+/) + { + $ipvs->{$cvip}->{$cport}->{$1} += ($3*1000); + } + elsif (/^\s+->\s+([^:]+):(\S+)\s+(\d+)\s+/) + { + $ipvs->{$cvip}->{$cport}->{$1} += $3; + } + } + close (IPVS) or return undef; + return $ipvs; +} +# vim:syntax=perl Index: branches/fc11-dev/lvs/debian/config/etc/munin/plugins/cps_2_0 =================================================================== --- branches/fc11-dev/lvs/debian/config/etc/munin/plugins/cps_2_0 (revision 1198) +++ branches/fc11-dev/lvs/debian/config/etc/munin/plugins/cps_2_0 (revision 1198) @@ -0,0 +1,1 @@ +link cps_1_0 Index: branches/fc11-dev/lvs/debian/config/etc/munin/plugins/cps_3_0 =================================================================== --- branches/fc11-dev/lvs/debian/config/etc/munin/plugins/cps_3_0 (revision 1198) +++ branches/fc11-dev/lvs/debian/config/etc/munin/plugins/cps_3_0 (revision 1198) @@ -0,0 +1,1 @@ +link cps_1_0 Index: branches/fc11-dev/lvs/debian/config/etc/munin/plugins/cps_https =================================================================== --- branches/fc11-dev/lvs/debian/config/etc/munin/plugins/cps_https (revision 1121) +++ (revision ) @@ -1,1 +1,0 @@ -link cps_www Index: branches/fc11-dev/lvs/debian/config/etc/munin/plugins/cps_www =================================================================== --- branches/fc11-dev/lvs/debian/config/etc/munin/plugins/cps_www (revision 1121) +++ (revision ) @@ -1,263 +1,0 @@ -#!/usr/bin/perl -# -# Plugin to monitor connections per second, for LVS loadbalancers. -# -# Magic name: -# -# cps_ -# cps__ -# -# Examples: -# -# cps_smtp -# cps_mail.foo.boo_smtp -# cps_pop3 -# cps_www.foo.boo_www -# cps_vvv.foo.boo_www -# -# Parameters understood: -# -# config (required) -# autoconf (optional - used by munin-config) -# suggest (optional - used by munin-config) -# -# $Log$ -# Revision 1.8 2004/12/10 18:55:14 jimmyo -# Removed hardcoded host_name in linux/cps_. -# -# Revision 1.7 2004/12/10 18:51:44 jimmyo -# linux/apt* has been forced to LANG=C, to get predictable output. -# -# Revision 1.6 2004/12/10 11:48:42 jimmyo -# linux/cps_ plugin now groks high numbers. -# -# Revision 1.5 2004/12/10 10:47:49 jimmyo -# Change name from ${scale} to ${graph_period}, to be more consistent. -# -# Revision 1.4 2004/12/09 22:12:56 jimmyo -# Added "graph_period" option, to make "graph_sums" usable. -# -# Revision 1.3 2004/11/21 00:16:57 jimmyo -# Changed a lot of plugins so they use DERIVE instead of COUNTER. -# -# Revision 1.2 2004/05/20 19:02:37 jimmyo -# Set categories on a bunch of plugins -# -# Revision 1.1 2004/01/02 18:50:01 jimmyo -# Renamed occurrances of lrrd -> munin -# -# Revision 1.1.1.1 2004/01/02 15:18:07 jimmyo -# Import of LRRD CVS tree after renaming to Munin -# -# Revision 1.4 2003/11/07 17:43:16 jimmyo -# Cleanups and log entries -# -# -# -# Magic markers - optional - used by installation scripts and munin-config: -# -#%# family=manual -#%# capabilities=autoconf suggest -# - -use strict; - -if ( defined $ARGV[0] and $ARGV[0] eq "autoconf" ) -{ - &autoconf (); -} -if ( defined $ARGV[0] and $ARGV[0] eq "suggest" ) -{ - my $sipvs; - $sipvs = &ipvs (".", ".", $sipvs); - exit 0 if $sipvs == undef; - &suggest ($sipvs); -} - -unless ($0 =~ /cps(?:_([^_]+)|)_(.+)\s*$/) -{ - die "Could not parse name $0.\n"; -} -my $vip = $1; -my $port = $2; -my $ipvs; - -#print "Name: $0\nPort: $port\nVip : $vip\n"; - -# Read ipvsadm-output - -$ipvs = &ipvs ($vip, $port, $ipvs); - -if ( defined $ARGV[0] and $ARGV[0] eq "dump" ) -{ - use Data::Dumper; - print Dumper($ipvs); -} - -if ( defined $ARGV[0] and $ARGV[0] eq "config" ) -{ - &config ($vip, $port, $ipvs); -} - -$vip = $vip || ""; -if (exists ($ipvs->{$vip}) and exists ($ipvs->{$vip}->{$port})) -{ - foreach my $host (sort keys %{$ipvs->{$vip}->{$port}}) - { - (my $fname = $host) =~ s/[.-]/_/g; - print "$fname.value ", $ipvs->{$vip}->{$port}->{$host}, "\n";; - } -} -else -{ - foreach my $vip (sort keys %{$ipvs}) - { - foreach my $host (sort keys %{$ipvs->{$vip}->{$port}}) - { - (my $fname = ($vip . "-" . $host)) =~ s/[.-]/_/g; - print "$fname.value ", $ipvs->{$vip}->{$port}->{$host}, "\n";; - } - } -} - -sub autoconf -{ - system ("/sbin/ipvsadm -L --stats >/dev/null 2>/dev/null"); - - if ($? == 0) - { - print "yes\n"; - exit 0; - } - elsif (($?>>8) == 2) - { - print "no (permission denied)\n"; - exit 1; - } - elsif ($? == 127) - { - print "no (ipvsadm not found)\n"; - exit 1; - } - else - { - print "no\n"; - exit 1; - } -} -sub suggest -{ - my $ipvs = shift; - exit 0 unless $ipvs; - - foreach my $vip (sort keys %{$ipvs}) - { - foreach my $port (sort keys %{$ipvs->{$vip}}) - { - print "cps_${vip}_$port\n"; - } - } - exit 0; -} - -sub config -{ - my $vip = shift; - my $port = shift; - my $ipvs = shift; - - print "graph_title Loadbalanced ",($vip?$vip:"*"),"->",$port," connections\n"; - print "graph_args -l 0\n"; - print "graph_total total\n"; - print "graph_vlabel connections / \${graph_period}\n"; - print "graph_category network\n"; - my $first=1; - $vip = $vip || ""; - if (exists ($ipvs->{$vip}) and exists ($ipvs->{$vip}->{$port})) - { - foreach my $host (sort keys %{$ipvs->{$vip}->{$port}}) - { - (my $fname = $host) =~ s/[.-]/_/g; - if ( $first == 1 ) - { - print "$fname.draw AREA\n"; - $first=0 - } - else - { - print "$fname.draw STACK\n"; - } - print "$fname.type DERIVE\n"; - $host =~ s/-bak//; - print "$fname.label $host\n"; - print "$fname.max 1000\n"; - print "$fname.min 0\n"; - } - } - else - { - foreach my $vip (reverse sort keys %{$ipvs}) - { - foreach my $host (sort keys %{$ipvs->{$vip}->{$port}}) - { - (my $fname = ($vip . "-" . $host)) =~ s/[.-]/_/g; - if ( $first == 1 ) - { - print "$fname.draw AREA\n"; - $first=0 - } - else - { - print "$fname.draw STACK\n"; - } - print "$fname.type DERIVE\n"; - $host =~ s/-bak//; - my $label = "$vip -> $host"; - $label =~ s/\.MIT\.EDU//g; - print "$fname.label $label\n"; - print "$fname.max 1000\n"; - print "$fname.min 0\n"; - } - } - } - exit 0; -} - -sub ipvs -{ - my $vip = shift; - my $port = shift; - my $ipvs = shift; - open (IPVS, "/sbin/ipvsadm -L --stats 2>/dev/null|") or return undef; - my $cvip = ""; - my $cport = ""; - while () - { - next if /^IP Virtual Server/; - next if /^Prot\s+LocalAddress/; - if (/^(\w+)\s+([\w\.-]+):([\w\d]+)\s+(\d+)[KMG]?\s+/) - { - $cvip = $2; - $cport = $3; - } - elsif (/^\s+->\s+([^:]+):(\S+)\s+(\d+)G\s+/) - { - $ipvs->{$cvip}->{$cport}->{$1} += ($3*1000000000); - } - elsif (/^\s+->\s+([^:]+):(\S+)\s+(\d+)M\s+/) - { - $ipvs->{$cvip}->{$cport}->{$1} += ($3*1000000); - } - elsif (/^\s+->\s+([^:]+):(\S+)\s+(\d+)K\s+/) - { - $ipvs->{$cvip}->{$cport}->{$1} += ($3*1000); - } - elsif (/^\s+->\s+([^:]+):(\S+)\s+(\d+)\s+/) - { - $ipvs->{$cvip}->{$cport}->{$1} += $3; - } - } - close (IPVS) or return undef; - return $ipvs; -} -# vim:syntax=perl Index: branches/fc11-dev/lvs/debian/config/etc/network/if-up.d/iptables =================================================================== --- branches/fc11-dev/lvs/debian/config/etc/network/if-up.d/iptables (revision 1121) +++ branches/fc11-dev/lvs/debian/config/etc/network/if-up.d/iptables (revision 1198) @@ -1,21 +1,27 @@ #!/bin/sh ## Joe Presbrey +## Quentin Smith ## SIPB Scripts LVS Firewall marks iptables -F -t mangle +# Create a table for regular scripts hosts +iptables -t mangle -N scripts 2>/dev/null || : + +# scripts-vhosts.mit.edu +iptables -A PREROUTING -t mangle -d 18.181.0.46 -j scripts # scripts.mit.edu -iptables -A PREROUTING -t mangle -m tcp -m multiport -p tcp -d 18.181.0.46/31 --dports 25,80,443,444 -j MARK --set-mark 2 -iptables -A PREROUTING -t mangle -m mark --mark 0 -d 18.181.0.46/31 -j MARK --set-mark 1 +iptables -A PREROUTING -t mangle -d 18.181.0.43 -j scripts +# scripts-cert.mit.edu +iptables -A PREROUTING -t mangle -d 18.181.0.50 -j scripts -# scripts-new.mit.edu -iptables -A PREROUTING -t mangle -m tcp -m multiport -p tcp -d 18.181.0.43 --dports 25,80,443,444 -j MARK --set-mark 2 -iptables -A PREROUTING -t mangle -m mark --mark 0 -d 18.181.0.43 -j MARK --set-mark 1 +# Send Apache-bound traffic to FWM 2 (load-balanced) +iptables -A scripts -t mangle -m tcp -m multiport -p tcp --dports 80,443,444 -j MARK --set-mark 2 +# Send SMTP-bound traffic to FWM 3 (load-balanced) +iptables -A scripts -t mangle -m tcp -p tcp --dport 25 -j MARK --set-mark 3 +# Send everything else to FWM 1 (primary) +iptables -A scripts -t mangle -m mark --mark 0 -j MARK --set-mark 1 -# scripts-cert.mit.edu -iptables -A PREROUTING -t mangle -m tcp -m multiport -p tcp -d 18.181.0.50/31 --dports 25,80,443,444 -j MARK --set-mark 2 -iptables -A PREROUTING -t mangle -m mark --mark 0 -d 18.181.0.50/31 -j MARK --set-mark 1 - -# webzephyr.mit.edu -iptables -A PREROUTING -t mangle -m tcp -m multiport -p tcp -d 18.181.0.49 --dports 80,443 -j MARK --set-mark 2 +# webzephyr.mit.edu is special because its SMTP needs to always go to the primary (FWM 1) +iptables -A PREROUTING -t mangle -m tcp -m multiport -p tcp -d 18.181.0.49 --dports 80,443,444 -j MARK --set-mark 2 iptables -A PREROUTING -t mangle -m mark --mark 0 -d 18.181.0.49 -j MARK --set-mark 1