Hi
for three years, I have been running an LVS NAT setup with absolutely no
problems, with the director under a Linux 2.2 kernel and using ipchains
for firewalling.
Now I am moving to Red Hat Enterprise Linux 3, with a 2.4 kernel.
I have had to convert my ipchains rules to iptables.
For the pure packet filtering on the director it works, but the
NAT / masquerading business gives me trouble. Apparently, I do not
understand it, and need some help.
                 |
                 |real IP=$DEP, virtual IP=$VIP
        +----eth1------------+
        |                    |
        |      director      |
        |                    |
        +----eth0------------+
                 | IP=w0=10.1.1.254
                 |
                 |--------------------------------- to other real servers w2,w3,w4
                 | IP=w1=1.1.1
        +----eth0------------+
        |                    |
        |   real server w1   |
        |                    |
        +--------------------+
Example, for ssh service (all ssh connections should go to real server w1
only)
IPVSADM=/sbin/ipvsadm
${IPVSADM} -C
${IPVSADM} -A -t $VIP:ssh -s rr
${IPVSADM} -a -t $VIP:ssh -r $W1:ssh -m -w 1
iptables rules:
---------------
IT=/sbin/iptables
# policy rules
${IT} -F
${IT} -t nat -F
${IT} -X
${IT} -P INPUT DROP
${IT} -P FORWARD DROP
${IT} -P OUTPUT DROP
# DROP-AND-LOG is a user chain; -X above deletes it, so it must be recreated
# before the jumps below (minimal definition, assumed: log, then drop)
${IT} -N DROP-AND-LOG
${IT} -A DROP-AND-LOG -j LOG
${IT} -A DROP-AND-LOG -j DROP
# allow ssh to come in
${IT} -A INPUT -j ACCEPT -i eth1 -p tcp -s 0/0 --sport 1024:65535 -d $VIP --dport 22
# general input/output rules
${IT} -A OUTPUT -o eth1 -j ACCEPT
${IT} -A INPUT -i eth0 -j ACCEPT
${IT} -A OUTPUT -o eth0 -j ACCEPT
# catch the rest for logging
${IT} -A INPUT -j DROP-AND-LOG
${IT} -A FORWARD -j DROP-AND-LOG
${IT} -A OUTPUT -j DROP-AND-LOG
QUESTIONS
---------
1. is the above correct?
2. which - if any - NAT / MASQUERADE / FORWARD rules do I need to add?
How it was with kernel 2.2 and ipchains:
----------------------------------------
/sbin/ipchains -A input -j ACCEPT -i eth1 -p tcp -s 0/0 1024:65535 -d $VIP 22
/sbin/ipchains -A forward -i eth1 -s $W1 22 -d $MY_NETWORK -p tcp -j MASQ
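One 2.4-style counterpart of the ipchains forward/MASQ rule above, added here as an illustration; it is not part of the original post and not an LVS project script. It assumes that on a 2.4 director ip_vs rewrites the real server's replies itself, so the filter-table FORWARD chain only has to ACCEPT those replies (they still carry the real server address as source when the filter table sees them) and no MASQUERADE entry is needed in the nat table for the LVS service; it also assumes net.ipv4.ip_forward is already enabled. The VIP and W1 values and the run_it, lvs_nat_forward_rules and count_forward_rules helpers are constructed for the example. By default it only prints the rules; set APPLY=1 to execute them as root.

```shell
#!/bin/sh
# Added example, not the poster's script: filter-table FORWARD rules for an
# LVS-NAT director on a 2.4 kernel. Assumption: ip_vs does the address
# rewriting, so iptables must merely let the real server's replies through.

VIP="${VIP:-192.0.2.10}"   # constructed placeholder virtual IP
W1="${W1:-10.1.1.1}"       # constructed placeholder address of real server w1

# run_it prints the iptables command in dry-run mode and executes it
# only when APPLY=1 is set (requires root and /sbin/iptables).
run_it() {
    if [ "${APPLY:-0}" = "1" ]; then
        /sbin/iptables "$@"
    else
        echo "iptables $*"
    fi
}

lvs_nat_forward_rules() {
    # Replies from w1:22 arrive on eth0 and leave on eth1 towards the client's
    # unprivileged port; ip_vs rewrites the source to $VIP after this chain.
    run_it -A FORWARD -i eth0 -o eth1 -p tcp -s "$W1" --sport 22 \
        --dport 1024:65535 -j ACCEPT
    # Anything else crossing the director is logged and dropped, using the
    # same user chain name as in the post (it must exist already).
    run_it -A FORWARD -j DROP-AND-LOG
}

# Helper for checking the generated rule set in dry-run mode.
count_forward_rules() {
    lvs_nat_forward_rules | grep -c -- '-A FORWARD'
}

lvs_nat_forward_rules
```

Running it without APPLY prints two rules: a single ACCEPT for the real server's ssh replies and the final jump to DROP-AND-LOG, and nothing in the nat table, which is the main difference from the ipchains version where the forward rule itself had to do the masquerading.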