Re: help for VS-NAT with firewall functions ?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: help for VS-NAT with firewall functions ?
From: Horms <horms@xxxxxxxxxxxx>
Date: Fri, 27 Apr 2001 23:28:27 -0700
On Sat, Apr 28, 2001 at 07:29:12AM +0200, Alois Treindl wrote:
>  Help needed
>  -----------
>  This is the first time that I setup a LVS system, and
>  the first time that I setup a Linux firewall/packet filter.
>  Before that; I have setup packet filters only on Cisco routers; my
>  main work experience is with HPUX and not Linux.
>  Is my design prudent, and will it work?
>  (I chose this so that I do not need a separate firewall box).

Your design looks essentially sound to me, though you may want to consider
moving the RDBMS to a dedicated server. I'm not clear where the NFS server
is; I assume this is to be w1 as well. This too might be better on a
different box.

It looks to me that the design should be reasonably straightforward to
implement, and should work quite well.

>  I would appreciate detailed help on configuring both,
>  the LVS configuration and the firewall/ipchains configuration.

I think the level of help you're after is beyond the scope of an email to a
list (hence I agree with your subsequent email offering to pay for help).

The LVS-mini-HOWTO and LVS-HOWTO, both available on provide good information on how to configure
LVS. has more configuration information and
prebuilt/tested packages for deploying such systems.

As for ipchains, I would suggest "ipchains -P forward DENY" is a good
start. Beyond that you should also look at filtering packets on the input
chain to protect the Linux Director itself.
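An ipchains ruleset for the setup discussed above (an LVS-NAT director on a 2.2 kernel that is also the site's packet filter), added here as an example; it is not code from the original mail or from the LVS project, and the VIP, interface names, realserver network and served ports are assumptions.

```shell
#!/bin/sh
# Added example: default-deny forward and input chains for an LVS-NAT director.
# All addresses, interfaces and ports below are assumed values, not from the mail.
# Set IPCHAINS=echo to print the rules instead of loading them (dry run).
IPCHAINS="${IPCHAINS:-ipchains}"
VIP="192.0.2.10"          # assumed public virtual IP on the outside interface
EXT_IF="eth0"             # assumed outside interface
INT_IF="eth1"             # assumed inside interface towards the realservers
RS_NET="10.0.0.0/24"      # assumed private (RFC 1918) realserver network

lvs_nat_firewall() {
    # 1. Flush, then default-deny: "-P forward DENY" as suggested, and the
    #    same for input so the director itself is protected.
    $IPCHAINS -F input
    $IPCHAINS -F forward
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT
    # 2. Loopback and the inside network may talk to the director.
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i "$INT_IF" -s "$RS_NET" -j ACCEPT
    # 3. Outside interface: drop (and log, -l) packets claiming the private
    #    source network, then admit only the load-balanced services to the VIP
    #    and non-SYN replies to connections opened from inside (! -y).
    $IPCHAINS -A input -i "$EXT_IF" -s "$RS_NET" -j DENY -l
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -d "$VIP" 80 -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -d "$VIP" 443 -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -j DENY -l
    # 4. Forward chain: with VS-NAT on 2.2 the realservers' reply packets must
    #    be masqueraded back out through the director; everything else is denied.
    $IPCHAINS -A forward -s "$RS_NET" -d 0.0.0.0/0 -j MASQ
    $IPCHAINS -A forward -j DENY -l
}

# Dry-run check: a chain's -P policy line must precede its first -A rule,
# so no packet is ever evaluated against an ACCEPT default. Returns 0 if so.
policy_before_rules() {
    ( IPCHAINS=echo; lvs_nat_firewall ) | awk -v c="$1" '
        $1 == "-P" && $2 == c       { p = NR }
        $1 == "-A" && $2 == c && !a { a = NR }
        END { exit !(p && a && p < a) }'
}

# Load the rules only when explicitly asked; otherwise just define the functions.
if [ "${1:-}" = "--apply" ]; then
    lvs_nat_firewall
fi
```

Run as `sh lvs-fw.sh --apply` on the director, or `IPCHAINS=echo sh -c '. ./lvs-fw.sh; lvs_nat_firewall'` to review the rules first.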