ldirectord appears to cause iptable traversal issue

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: ldirectord appears to cause iptable traversal issue
From: Brian Jenkins <bjenkins@xxxxxxxxx>
Date: Mon, 23 Oct 2006 17:57:45 -0700
Hi all:

I'm running lvs on my firewall and everything works well. However, when I run ldirectord a strange thing happens when packets traverse my script's INPUT chain. When a packet hits a rule on the INPUT chain that attempts to match on destination address, firewall mark, or certain other fields, the packet does not get accepted, when it should, and instead skips to the end of the chain and gets acted on in a manner consistent with the default policy. I can't for the life of me figure out what ldirectord is doing to the packet to cause this behavior. My system is as follows:

OS:
SuSE 10.1

Firewall Script (relevant parts):
iptables -A INPUT -p tcp -d $EXT_WEB_SITE_IP -j LOG --log-level $LG_LVL --log-prefix "INPUT packet 1 "
iptables -A INPUT -p tcp -d $EXT_WEB_SITE_IP -j ACCEPT
iptables -A INPUT -p tcp -d $EXT_WEB_SITE_IP -j LOG --log-level $LG_LVL --log-prefix "INPUT packet 2 "

iptables -A OUTPUT -p tcp -d $INT_WEB_SITE_IP -j LOG --log-level $LG_LVL --log-prefix "OUTPUT packet 1 "
iptables -A OUTPUT -o $INT_IF -p tcp -j ACCEPT

iptables -A FORWARD -o $EXT_IF -j ACCEPT

iptables -t mangle -A PREROUTING -d $EXT_WEB_SITE_IP -j MARK --set-mark 1

iptables -t nat -A POSTROUTING -s $INT_NET -j MASQUERADE

firewall2:/etc/rc.d # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
LOG        tcp  --  anywhere             firewall2            LOG level notice prefix `INPUT packet 1 '
ACCEPT     tcp  --  anywhere             firewall2
LOG        tcp  --  anywhere             firewall2            LOG level notice prefix `INPUT packet 2 '

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
LOG        tcp  --  anywhere             X.X.X.189            LOG level notice prefix `OUTPUT packet 1 '
ACCEPT     tcp  --  anywhere             anywhere

firewall2:/etc/rc.d # ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
 -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  1 rr
 -> X.X.X.190:80              Masq    0      0          0
 -> X.X.X.189:80              Masq    0      1          0

Again, if I update the LVS table by using ipvsadm within the firewall script, instead of ldirectord, everything works fine.

Many thanks for any help that you can give.

Brian
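One way to narrow down where packets leave the INPUT chain, added here as an example and not part of the original post, of ldirectord or of LVS: read the per-rule packet counters that `iptables -L INPUT -v -n` prints. The script assumes the layout used in the firewall script above, where each terminating rule is preceded by a LOG rule with the same match, so a LOG probe that counts packets while the rule right after it counts none shows which rule the kernel did not consider matched. The chain output below is constructed for the example (invented counters, 203.0.113.10 standing in for $EXT_WEB_SITE_IP); on a live system you would feed in real `iptables` output instead.

```shell
#!/bin/sh
# Added example (not from the original post or from ldirectord/LVS): locate where
# packets leave the INPUT chain using the per-rule packet counters that
# `iptables -L INPUT -v -n` prints. Assumed layout: every terminating rule is
# preceded by a LOG rule with the same match, as in the poster's script.

# Constructed sample output (values invented for this example; 203.0.113.10 is a
# documentation address standing in for $EXT_WEB_SITE_IP).
SAMPLE_INPUT_CHAIN='Chain INPUT (policy DROP 7 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   420 LOG        tcp  --  *      *       0.0.0.0/0            203.0.113.10         LOG flags 0 level 5 prefix "INPUT packet 1 "
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            203.0.113.10
    7   420 LOG        tcp  --  *      *       0.0.0.0/0            203.0.113.10         LOG flags 0 level 5 prefix "INPUT packet 2 "'

# policy_drops CHAIN_OUTPUT: packets that reached the end of the chain and were
# handled by the default policy (the count iptables prints on the "Chain" line).
policy_drops() {
    printf '%s\n' "$1" | awk 'NR == 1 { sub(/.*policy [A-Z]+ /, ""); print $1; exit }'
}

# rule_hits CHAIN_OUTPUT N: packet counter of the N-th rule (1-based, header skipped).
rule_hits() {
    printf '%s\n' "$1" | awk -v n="$2" 'NR > 2 && NR - 2 == n { print $1; exit }'
}

# skipped_rules CHAIN_OUTPUT: indexes of non-LOG rules that counted zero packets
# although the LOG probe directly above them counted some. Those are the rules
# whose match the kernel did not treat as satisfied.
skipped_rules() {
    printf '%s\n' "$1" | awk '
        NR > 2 { i = NR - 2; hits[i] = $1; target[i] = $3; n = i }
        END {
            out = ""
            for (i = 2; i <= n; i++)
                if (target[i] != "LOG" && target[i-1] == "LOG" && hits[i] == 0 && hits[i-1] > 0)
                    out = out (out == "" ? "" : " ") i
            print out
        }'
}

# report CHAIN_OUTPUT: one line per rule plus a verdict, for reading at the console.
report() {
    printf '%s\n' "$1" | awk 'NR > 2 { printf "rule %d: %-7s %s packets\n", NR - 2, $3, $1 }'
    s=$(skipped_rules "$1")
    if [ -n "$s" ]; then
        printf 'rules never matched although their LOG probe fired: %s\n' "$s"
    fi
    printf 'packets that fell through to the chain policy: %s\n' "$(policy_drops "$1")"
}

# On a live system (as root): iptables -Z INPUT; send the test traffic; then
#   report "$(iptables -L INPUT -v -n)"
# Here the constructed sample is analysed instead.
report "$SAMPLE_INPUT_CHAIN"
```

Zero the counters with `iptables -Z INPUT` right before sending a single test connection, so the numbers reflect only that traffic; the policy count on the "Chain" line is what tells you the packet fell through to the default DROP rather than being accepted somewhere you did not expect.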

