Re: [lvs-users] LVS Open Proxy Problem

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] LVS Open Proxy Problem
From: "Ahmad Amran Kapi" <r0kawa@xxxxxxxxx>
Date: Tue, 16 Sep 2008 07:42:11 +0800
Below is the info that I can give you; please let me know what
details you need to debug this.
The servers are only for web server load balancing + high availability
using heartbeat. The director server also acts as a real server, and
there are only 2 servers using 3 IPs: 1 for the VIP and 2 for the real IPs.

[root@luigi ~]# cat /etc/redhat-release
CentOS release 5 (Final)
[root@luigi ~]# uname -a
Linux luigi 2.6.18-53.1.14.el5 #1 SMP Wed Mar 5 11:36:49 EST 2008 i686 i686 i386 GNU/Linux

[root@mario ~]# ipvsadm --version
ipvsadm v1.24 2003/06/07 (compiled with popt and IPVS v1.2.0)

iptables is empty, and what I can think of is that the default sysctl.conf
allows IP forwarding because of the LVS-DR setting:

    # Change the default TTL to help obscure OS fingerprinting
    net.ipv4.ip_default_ttl = 128

    # Enable packet forwarding
    net.ipv4.ip_forward = 1

    # hide lo so that lo doesn't answer ARP requests
    net.ipv4.conf.all.arp_ignore = 1
    net.ipv4.conf.eth0.arp_ignore = 1
    net.ipv4.conf.all.arp_announce = 2
    net.ipv4.conf.eth0.arp_announce = 2

At first I thought that my server had been hacked, but after I checked
another site with the same setting (I have 2 setups in different locations)
the result is the same. Local users can use the LVS server as a
proxy. Any suggestion where I need to look?


On Mon, Sep 15, 2008 at 4:27 PM, Graeme Fowler <graeme@xxxxxxxxxxx> wrote:
> Ahmad
> On Mon, 2008-09-15 at 14:51 +0800, Ahmad Amran Kapi wrote:
>> I've set up LVS successfully using LVS-DR with two servers. The
>> problem, however, is that because of some company policy we're blocking some
>> websites from our internal users, but the users can skip this blocking by
>> using the LVS server, e.g.
>> they have set up their browser to use the LVS IP on port 80 as a
>> proxy. Is there any way I can block users from using my LVS server
>> as a proxy?
> I think you need to give us more information - your LVS clearly isn't
> frontending a bunch of mail servers, for example!
> What are you load balancing - squid, apache, something else?
> Whatever it is, it sounds as though this is an application issue, not
> LVS.
> Graeme

Ahmad Amran Kapi
Art In Software Sdn Bhd
Suite 2.5 Inkubator K-Ekonomi
75450 Ayer Keroh
06-2322464 / 013-6102545
