
How to Build a High‑Availability NAT Load Balancer with LVS and ipvsadm on Linux

This guide walks through planning a NAT architecture, preparing Linux hosts, configuring route and LVS servers, setting up real servers with httpd, creating an LVS NAT cluster, testing client access, and persisting ipvsadm rules for reliable load balancing.

Raymond Ops

1. NAT Architecture Diagram

2. Environment Preparation

2.1 Host Planning

<code>Hostname  IP address
route   LAN:192.168.87.132 WAN:192.168.10.12
lvs     LAN:192.168.87.131
rs-01   LAN:192.168.87.129
rs-02   LAN:192.168.87.130
client  WAN:192.168.10.4</code>

2.2 Linux route server configuration

2.2.1 Configure WAN IP address

<code># cat /etc/sysconfig/network-scripts/ifcfg-ens33
BOOTPROTO=static
IPADDR=192.168.10.12
PREFIX=24
GATEWAY=192.168.10.2 # gateway
DNS1=192.168.10.2</code>

2.2.2 Configure LAN IP address (same subnet as the real servers)

<code># cat /etc/sysconfig/network-scripts/ifcfg-ens36
BOOTPROTO=static
IPADDR=192.168.87.132
PREFIX=24
GATEWAY=192.168.87.2</code>

2.2.3 Enable IP forwarding

<code>echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
sysctl -p</code>

2.3 Linux LVS server configuration

2.3.1 Configure LAN IP address

<code># cat /etc/sysconfig/network-scripts/ifcfg-ens36
BOOTPROTO=static
IPADDR=192.168.87.131
PREFIX=24
GATEWAY=192.168.87.132 # router LAN IP: replies leaving the LVS go back out through the router</code>

2.3.2 Add VIP (ens36:1)

<code>cp /etc/sysconfig/network-scripts/ifcfg-ens36 /etc/sysconfig/network-scripts/ifcfg-ens36:1
# edit /etc/sysconfig/network-scripts/ifcfg-ens36:1
BOOTPROTO=static
NAME=ens36:1
DEVICE=ens36:1
ONBOOT=yes
IPADDR=192.168.87.200
PREFIX=24</code>

2.3.3 Enable IP forwarding (NAT mode forwards packets between the client side and the real servers)

<code>echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
sysctl -p</code>

2.4 rs-01 server IP configuration

2.4.1 IP address

<code># cat /etc/sysconfig/network-scripts/ifcfg-ens33
BOOTPROTO=static
IPADDR=192.168.87.129
NETMASK=255.255.255.0
GATEWAY=192.168.87.131 # points to LVS LAN IP: replies must pass back through the LVS so it can reverse the NAT</code>

2.4.2 Add host route (lab only; not needed in production)

<code># Router, LVS and real servers all share 192.168.87.0/24 in this lab, so a packet
# from rs-01 to the router's LAN address 192.168.87.132 would go straight to the
# router and bypass the LVS, which then never reverses the NAT. Force it via the VIP:
route add -host 192.168.87.132 gw 192.168.87.200
# 192.168.87.132 = router LAN IP, 192.168.87.200 = VIP
# generic form: client_ip is the client address, route_ip the next hop on the LVS
route add -host client_ip gw route_ip</code>

2.5 rs-02 server IP configuration

2.5.1 IP address

<code># cat /etc/sysconfig/network-scripts/ifcfg-ens33
BOOTPROTO=static
IPADDR=192.168.87.130
PREFIX=24
GATEWAY=192.168.87.131 # points to LVS LAN IP</code>

2.5.2 Add host route (lab only; not needed in production)

<code># same reason as on rs-01: keep traffic for the router's LAN address on the LVS path
route add -host 192.168.87.132 gw 192.168.87.200
route add -host client_ip gw route_ip</code>

2.6 Install httpd on rs-01 and rs-02

2.6.1 Install httpd

<code>yum install httpd -y</code>

2.6.2 Write homepage

<code>echo "rs-01" > /var/www/html/index.html   # on rs-01
echo "rs-02" > /var/www/html/index.html   # on rs-02</code>

2.6.3 Start httpd

<code>systemctl start httpd</code>

2.6.4 Test access

<code># curl 192.168.87.129
rs-01
# curl 192.168.87.130
rs-02</code>

3. Configure LVS NAT

3.1 Create LVS cluster

<code>ipvsadm -A -t 192.168.87.200:80 -s rr</code>

3.2 Add real servers to LVS cluster

<code># -m = masquerading (NAT mode); without it ipvsadm defaults to -g (direct routing)
ipvsadm -a -t 192.168.87.200:80 -r 192.168.87.129:80 -m
ipvsadm -a -t 192.168.87.200:80 -r 192.168.87.130:80 -m</code>

3.3 Query cluster status

<code># ipvsadm -L -n
# typical output: the VIP service with rr, and both real servers with Forward = Masq (from -m)
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.87.200:80 rr
  -> 192.168.87.129:80            Masq    1      0          0
  -> 192.168.87.130:80            Masq    1      0          0</code>
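A check script for the director, added here as an example (it is not part of the original article). It assumes the VIP service 192.168.87.200:80 with the rr scheduler and the `ipvsadm -Ln` layout shown above; the two listings embedded in it are constructed, not captured from a live host. It catches the two silent mistakes of NAT mode: forwarding left off after editing sysctl.conf, and a real server added without `-m` (ipvsadm then defaults to direct routing and every connection sent to that server hangs).

```shell
#!/bin/sh
# lvs-nat-check.sh: sanity checks for an LVS NAT director.
# Added example, not the article's own script. Assumed: VIP service
# 192.168.87.200:80, scheduler rr, ipvsadm -Ln output layout as above.

# check_ip_forward [FILE]: NAT mode needs forwarding on the director.
# Reads /proc by default; the optional path argument exists for testing.
check_ip_forward() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  if [ "$(cat "$f" 2>/dev/null)" = "1" ]; then
    return 0
  fi
  echo "net.ipv4.ip_forward is not 1 (was sysctl -p run?)" >&2
  return 1
}

# check_ipvs_nat TEXT VIP:PORT [SCHEDULER]
# TEXT is the output of `ipvsadm -Ln`. Fails when the service is missing,
# has no real servers, uses another scheduler, or has a real server whose
# forwarding method is not Masq (the -m flag).
check_ipvs_nat() {
  printf '%s\n' "$1" | awk -v want="$2" -v sched="${3:-rr}" '
    $1 ~ /^(TCP|UDP|SCTP)$/ {
      svc = $2
      if (svc == want) {
        found = 1
        if ($3 != sched) { printf "scheduler is %s, expected %s\n", $3, sched; bad = 1 }
      }
      next
    }
    $1 == "->" && svc == want {
      n++
      if ($3 != "Masq") {
        printf "real server %s forwards via %s, expected Masq (-m)\n", $2, $3
        bad = 1
      }
    }
    END {
      if (!found)      { printf "service %s not defined\n", want; bad = 1 }
      else if (n == 0) { printf "service %s has no real servers\n", want; bad = 1 }
      exit bad + 0
    }'
}

# Constructed `ipvsadm -Ln` listing: the cluster exactly as built in section 3.
IPVS_OK='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.87.200:80 rr
  -> 192.168.87.129:80            Masq    1      0          0
  -> 192.168.87.130:80            Masq    1      0          0'

# Constructed: rs-02 was added without -m, so it came in as Route (direct routing).
IPVS_BAD='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.87.200:80 rr
  -> 192.168.87.129:80            Masq    1      0          0
  -> 192.168.87.130:80            Route   1      0          0'

if [ "${1:-}" = "--live" ]; then
  # On the director, as root: ipvsadm needs CAP_NET_ADMIN to read the table.
  check_ip_forward && check_ipvs_nat "$(ipvsadm -Ln)" "${2:-192.168.87.200:80}"
else
  check_ipvs_nat "$IPVS_OK" 192.168.87.200:80 && echo "constructed OK listing: pass"
  check_ipvs_nat "$IPVS_BAD" 192.168.87.200:80 || echo "constructed BAD listing: rejected"
fi
```

Run `sh lvs-nat-check.sh --live` on the LVS host after section 3; without `--live` it only exercises the two constructed listings. The awk pass keys on the first column, so service lines (`TCP`, `UDP`, `SCTP`) and the `->` real-server lines are told apart without depending on column widths.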

4. Client test access (gateway address method)

4.1 Point the client's gateway at the router's WAN IP

<code># edit /etc/sysconfig/network-scripts/ifcfg-ens33
IPADDR=192.168.10.4
PREFIX=24
GATEWAY=192.168.10.12
DNS1=192.168.10.2
systemctl restart network</code>

4.2 Access VIP address

<code># curl 192.168.87.200:80
rs-02
# curl 192.168.87.200:80
rs-01</code>

5. Client test access (direct router IP method)

5.1 Remove client gateway

5.1.1 Delete GATEWAY

<code># edit /etc/sysconfig/network-scripts/ifcfg-ens33
BOOTPROTO=static
IPADDR=192.168.10.4
PREFIX=24
DNS1=192.168.10.2
# no GATEWAY field</code>

5.1.2 Restart network and test

<code>systemctl restart network
# curl 192.168.87.200:80
curl: (7) Failed to connect to 192.168.87.200: Network is unreachable</code>

5.2 Configure SNAT and DNAT on router

5.2.1 DNAT (incoming)

<code># forward everything addressed to the router's WAN IP 192.168.10.12 to the VIP.
# No -p/--dport: this rewrites every protocol and port, so any other service
# listening on the LVS host also becomes reachable from the WAN
iptables -t nat -A PREROUTING -d 192.168.10.12 -j DNAT --to 192.168.87.200
# port-specific form: this one rule is all the cluster needs
iptables -t nat -A PREROUTING -d 192.168.10.12 -p tcp --dport 80 -j DNAT --to 192.168.87.200:80</code>

5.2.2 SNAT (outgoing)

<code># outbound: rewrite the source of packets from 192.168.10.0/24 (the client) to the
# router's WAN address. The real servers then see 192.168.10.12, not 192.168.10.4,
# as the client address in their httpd logs
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to 192.168.10.12</code>
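The blanket DNAT rule in 5.2.1 is the kind of thing that survives from a lab into production. IPVS only claims packets for a defined service, so with every port rewritten to the VIP, a connection to 192.168.10.12:22 lands on the director's own sshd. The script below is an added example, not the article's own, and assumes the addresses from the host plan (WAN 192.168.10.12, VIP 192.168.87.200, LAN interface ens36) and the service port 80. It prints the port-restricted rule set, and audits `iptables -t nat -S` output for any PREROUTING DNAT rule that has no `--dport` match; the two listings inside it are constructed from the article's commands in the form `iptables -S` prints them.

```shell
#!/bin/sh
# nat-rules.sh: port-restricted NAT for the router, plus an audit of the live table.
# Added example, not from the article. Assumed: WAN_IP, VIP, PORT and the LAN
# interface ens36 as in the host plan.

WAN_IP=192.168.10.12
VIP=192.168.87.200
PORT=80

# hardened_rules: only the port IPVS actually serves is forwarded to the VIP.
# The SNAT is kept as in the article but pinned to the LAN interface; drop it
# if the real servers are expected to log real client addresses.
hardened_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport $PORT -j DNAT --to-destination $VIP:$PORT
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o ens36 -j SNAT --to-source $WAN_IP
EOF
}

# audit_nat_rules TEXT: TEXT is `iptables -t nat -S` output. Returns 1 and
# names every PREROUTING DNAT rule that lacks a --dport match.
audit_nat_rules() {
  printf '%s\n' "$1" | awk '
    /^-A PREROUTING / && / -j DNAT/ && $0 !~ / --dport / {
      printf "unrestricted DNAT (all protocols and ports): %s\n", $0
      bad = 1
    }
    END { exit bad + 0 }'
}

# Constructed listing of the router after the three rules from section 5.2
# were added, in the form `iptables -t nat -S` prints them.
NAT_AS_BUILT='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 192.168.10.12/32 -j DNAT --to-destination 192.168.87.200
-A PREROUTING -d 192.168.10.12/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.87.200:80
-A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 192.168.10.12'

# Constructed listing after the blanket rule was removed (iptables -t nat -D PREROUTING 1).
NAT_HARDENED='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 192.168.10.12/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.87.200:80
-A POSTROUTING -s 192.168.10.0/24 -o ens36 -j SNAT --to-source 192.168.10.12'

case "${1:-}" in
  --apply) hardened_rules | sh -e ;;                        # on the router, as root
  --audit) audit_nat_rules "$(iptables -t nat -S)" ;;      # on the router, as root
  *)
    audit_nat_rules "$NAT_AS_BUILT" || echo "as-built rule set rejected"
    audit_nat_rules "$NAT_HARDENED" && echo "hardened rule set passes"
    ;;
esac
```

`sh nat-rules.sh --audit` on the router flags the first rule from 5.2.1; delete it with `iptables -t nat -D PREROUTING 1` (its position is 1 because it was appended first) and re-run the audit. Rules added with `iptables` are not persistent; save them with the distribution's mechanism (iptables-services on CentOS 7) once the audit is clean.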

5.3 Test accessing router IP

<code># curl 192.168.10.12
rs-01
# curl 192.168.10.12
rs-02</code>
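Two hand-typed curls (sections 4.2 and 5.3) show rotation once; they do not show that both real servers stay in rotation, or that a server with the wrong default gateway is silently hanging rather than answering. The probe below is an added example, not the article's, and assumes each real server's index page is a unique single line (rs-01, rs-02 as written in 2.6.2) and that `curl` is installed on the client. `$CURL` is a hypothetical override so the probe can be exercised with a stub instead of a live network.

```shell
#!/bin/sh
# probe-rr.sh: confirm every real server answers through the VIP or router address.
# Added example, not from the article. Assumed: one-line, distinct index pages
# per real server; CURL is an optional override for the curl binary (testing).

CURL="${CURL:-curl}"

# probe_rr URL EXPECTED_COUNT [REQUESTS] [TIMEOUT]
# Issues REQUESTS requests with a short timeout each. In NAT mode a real server
# whose default gateway does not point at the LVS replies around the director
# and its reply is never un-NATed, so the client sees a hang; -m turns that
# into an empty answer. Succeeds only if no request failed and exactly
# EXPECTED_COUNT distinct backends replied.
probe_rr() {
  url=$1; expected=$2; requests=${3:-10}; timeout=${4:-2}
  seen=""; failed=0; i=0
  while [ "$i" -lt "$requests" ]; do
    i=$((i + 1))
    body=$("$CURL" -s -m "$timeout" "$url" 2>/dev/null) || body=""
    if [ -z "$body" ]; then
      failed=$((failed + 1))
      continue
    fi
    case " $seen " in
      *" $body "*) ;;                 # backend already seen
      *) seen="$seen $body" ;;        # new backend
    esac
  done
  set -- $seen                        # word-split the list to count it
  distinct=$#
  echo "backends seen:${seen:-none}; failed requests: $failed/$requests"
  [ "$failed" -eq 0 ] && [ "$distinct" -eq "$expected" ]
}

# Example: sh probe-rr.sh --live http://192.168.10.12/ 2
if [ "${1:-}" = "--live" ]; then
  probe_rr "${2:-http://192.168.87.200/}" "${3:-2}"
fi
```

With rr and two real servers, six requests are enough to see both; raise REQUESTS when using weighted schedulers or more backends. A result such as `backends seen: rs-01; failed requests: 3/6` means every other request (the ones rr handed to rs-02) timed out, which points at rs-02's gateway, not at httpd.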

6. Persist ipvsadm configuration rules

6.1 Save configuration

<code># -n keeps addresses numeric so the restore does not depend on name resolution
ipvsadm-save -n > /etc/sysconfig/ipvsadm</code>

6.2 Load or remove rules with systemctl (enable the ipvsadm unit so they are restored at boot)

<code>systemctl start ipvsadm   # CentOS/RHEL unit: ipvsadm-restore < /etc/sysconfig/ipvsadm
systemctl stop ipvsadm    # saves the running table back to that file, then clears it (ipvsadm -C)</code>
Tags: Load Balancing, network, Linux, NAT, LVS, ipvsadm
Written by Raymond Ops

Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
