Re: testing iptables filter rules

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: testing iptables filter rules
From: Roberto Nibali <ratz@xxxxxx>
Date: Fri, 25 May 2001 13:25:30 +0200
> > Well, this highly depends on the deployed architecture:
> > LVS_DR or LVS_NAT.
> 
> yes, the implementation will change a little bit, but the approach
> will be the same.

I'm not sure, with LVS_NAT you need masq rules and don't necessarily
need to protect the real servers. IMHO it is quite a difference to
set up the filter rules for LVS_DR vs. LVS_NAT.
 
> with VS-DR they're connected to the outside world via
> the router. Shouldn't I make it as difficult as possible
> for someone who gains access to the LVS or is doing a DoS
> to send packets from one machine to another in the LVS?

The router should take care of this whenever possible.
Only allow traffic to the VIP and whatever you need additionally.

But you're right to protect the real servers. If possible, filter
rules should be put on the real servers (Linux, Solaris, *BSD, HP/UX,
AIX) and there you only accept connections to the LVS service and
the maintenance service. Maybe I should now write up some examples
for the HOWTO ...

Best regards,
Roberto Nibali, ratz
 
-- 
mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`
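The host filter Roberto describes for an LVS-DR real server (accept only the LVS service and the maintenance service, drop everything else), written out as an added iptables script; this is an example of mine, not code from the post or from the LVS HOWTO. All addresses and ports are constructed placeholders, and the extra rule letting the director health-check the RIP directly is my assumption about how the director is configured.

```shell
#!/bin/sh
# Added example: INPUT filter for an LVS-DR real server.
# Constructed values used below (not from the mailing list post):
#   VIP 203.0.113.10 (configured on lo, ARP-hidden as usual in LVS-DR)
#   RIP 192.0.2.11, director 192.0.2.1, admin network 198.51.100.0/24
#   LVS service port 80, maintenance (ssh) port 22
# Set IPTABLES=echo to preview the rules without root.

realserver_rules() {
    vip="$1"; rip="$2"; director="$3"; admin_net="$4"; svc_port="$5"; mgmt_port="$6"
    ipt="${IPTABLES:-iptables}"

    # Default deny on INPUT; a DR real server never forwards, so deny that too.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -F INPUT

    # Loopback, and replies to connections this host opened itself.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The LVS service: in DR mode clients reach us with the VIP as destination.
    $ipt -A INPUT -d "$vip" -p tcp --dport "$svc_port" -j ACCEPT

    # Assumption: the director health-checks the service on the RIP, not the VIP.
    $ipt -A INPUT -s "$director" -d "$rip" -p tcp --dport "$svc_port" -j ACCEPT

    # Maintenance service, reachable only from the admin network via the RIP.
    $ipt -A INPUT -s "$admin_net" -d "$rip" -p tcp --dport "$mgmt_port" -j ACCEPT

    # Rate-limited log of whatever falls through before the DROP policy eats it.
    $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "rs-drop: "
}

# Usage: realserver-fw.sh VIP RIP DIRECTOR ADMIN_NET SVC_PORT MGMT_PORT
if [ "$#" -eq 6 ]; then
    realserver_rules "$@"
fi
```

Anything the director sends to the RIP other than the health check (for example a different probe port) needs its own rule, or the real server will be marked down.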