Sometimes LVS-DR realservers have clients which need
to connect to hosts on the internet, e.g. a squid realserver
needs to connect from RIP (not VIP) to 0/0:80.
In my configure script, currently
I block all connections from RIP to 0/0.
I now want to let out all packets to 0/0:80, say,
but to DROP or REJECT other packets from RIP to 0/0:!80.
Horms suggested the following code (here shown connecting
from RIP to 0/0:telnet, since connecting with telnet is
easy to test)
#mark packet
iptables -t mangle -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport telnet -j MARK --set-mark 1
This marks the packets to 0/0:23.
I can then route packets with fwmark 1,
and I get what I want. I want to extend this to
o mark packets from RIP to multiple services on the internet
o DROP or REJECT the rest of the packets to 0/0
What I tried to do was to set up another chain (3_tier) and send all
allowed packets to it, to DROP the rest and mark all packets that
get to the 3_tier chain.
#create table
iptables -N 3_tier
#packets from the realserver to hosts on the internet are sent to another
#chain where they will be marked.
#here packets to 0/0:23 and 0/0:80 are sent to a new chain
iptables -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport telnet -j 3_tier
iptables -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport http -j 3_tier
.
. (other services)
.
#drop all other packets destined for 0/0
iptables -A OUTPUT -p tcp -s ${RIP}/32 -d ! ${RIP_NETWORK}/24 -j DROP
#fine so far. All the packets I want are sent to chain 3_tier, the rest are dropped
#Now mark packets sent to chain 3_tier
iptables -t mangle -A 3_tier -j MARK --set-mark 1
I get "No chain/target/match by that name"
If I leave out "-t mangle" I get an error at the console saying
"MARK can only be called from mangle table"
Any suggestions anyone?
Thanks Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
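The table mismatch in the post (chain created in filter, MARK only valid in mangle) can be shown with the following script, which is an added example and not code from the list thread: the 3_tier chain, the jumps into it and the MARK rule all live in the mangle table, while the egress DROP stays in the filter table. RIP and RIP_NETWORK values are constructed, and the script only echoes the commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not from the list post.
# MARK is only valid in the mangle table, and "iptables -N" without -t
# creates the chain in the filter table, so the chain, the jumps to it and
# the MARK rule must all be created with "-t mangle".
# Dry-run by default: run as root with IPT=iptables to apply the rules.
IPT="${IPT:-echo iptables}"
# Constructed sample addresses for the example.
RIP="${RIP:-192.168.1.10}"
RIP_NETWORK="${RIP_NETWORK:-192.168.1.0}"
MARK_VALUE=1
# TCP services the realserver may reach on the internet (the allow-list).
ALLOWED_PORTS="telnet http"

ipt() { $IPT "$@"; }

# mangle table: create the user chain, send each allowed service to it from
# mangle OUTPUT, and mark everything that reaches the chain.
mangle_rules() {
    ipt -t mangle -N 3_tier
    for port in $ALLOWED_PORTS; do
        ipt -t mangle -A OUTPUT -p tcp -s "$RIP/32" --dport "$port" -j 3_tier
    done
    ipt -t mangle -A 3_tier -j MARK --set-mark "$MARK_VALUE"
}

# filter table: accept the same services, drop any other TCP packet from RIP
# that is not bound for the local network. Current iptables versions write
# the negation as "! -d" rather than "-d !".
filter_rules() {
    for port in $ALLOWED_PORTS; do
        ipt -A OUTPUT -p tcp -s "$RIP/32" --dport "$port" -j ACCEPT
    done
    ipt -A OUTPUT -p tcp -s "$RIP/32" ! -d "$RIP_NETWORK/24" -j DROP
}

all_rules() { mangle_rules; filter_rules; }

all_rules
```

Packets carrying fwmark 1 can then be routed with a policy rule (ip rule add fwmark 1 ...) exactly as with the single-rule version in the post.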