
Re: [lvs-users] TCP Connection Sync Problems RHEL

To: "'LinuxVirtualServer.org users mailing list.'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] TCP Connection Sync Problems RHEL
From: "Frank Kirschner" <frank@xxxxxxxxxxxx>
Date: Thu, 31 Jul 2014 11:47:49 +0200
> -----Original Message-----
> From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Timo Schöler
> Sent: Wednesday, July 30, 2014 6:51 PM
> To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [lvs-users] TCP Connection Sync Problems RHEL
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 07/30/2014 04:35 PM, Lloyd Brown wrote:
> > 
> > On 07/30/2014 01:44 AM, Frank Kirschner wrote:
> >> Lloyd,
> >> 
> >> hmm, it's senselessly doubled, but please can you try out what happens
> >> if you add on the 1st line:
> >> 
> >> # /sbin/iptables -I INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> >> # /sbin/service iptables save
> > 
> > Frank,
> > 
> > I can try it, but I'm not sure what you're expecting to see.  I have a
> > working setup, so without understanding what you're expecting to
> > happen, I'm not sure what to look for.
> > 
> > And there is already this one in the stock setup:
> > 
> >> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > 
> > While it's not exactly the same, the only difference would be the
> > "NEW" flag.  I'm not sure what benefit that would be, other than
> > accepting all new connections (if I'm understanding the flag
> > correctly).  While this would probably work for at least some of the
> > stuff I'm doing, it seems excessively open.  I could also flush all
> > the tables (iptables -F), and get it working, but it doesn't mean I
> > want to leave my server quite so open and unprotected.
> > 
> >> Do you have any OUTPUT rules in your iptables set?
> > 
> > Nope.  I've checked all 4 tables (raw, mangle, nat, filter) that I can
> > find that have an OUTPUT chain, and there doesn't seem to be anything
> > in any of them.  I certainly hadn't done it on purpose, and it doesn't
> > seem to be a part of the stock RHEL setup.
> > 
> >> After disabling SELinux, did you reboot the system?
> > 
> > Yes.  You do need to reboot to disable SELinux.  And I did.  And it
> > didn't have any effect, as far as I could tell.
> 
> Hi, that is not entirely true. One can disable SELinux at
> runtime for quite a while now:
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-sel-enable-disable-enforcement.html
> 
> >> hope that helps, best regards Frank
> 
> Best,


Sorry, I had not seen the ESTABLISHED,RELATED line in front of your fw table
set.
I want to be on the safe side and have all states (additionally NEW as well) in these rules.

best regards
Frank
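The exchange above turns on one detail: inserting a state-match ACCEPT that includes NEW at the top of INPUT admits unsolicited connections to every port, which is the "excessively open" concern. The audit below is an added example, not code from the thread or from the LVS project; it reads an iptables-save dump and flags INPUT rules that accept NEW connections with no port, source or interface restriction. The dump is constructed here (modelled on the RHEL 6 default rule set with the suggested rule inserted first), and the function names are assumptions of this example.

```shell
#!/bin/sh
# Audit an iptables-save dump for state-match ACCEPT rules in INPUT that
# admit NEW connections without any --dport, -s or -i restriction. Such a
# rule at the front of INPUT shadows every later REJECT/DROP for new
# connections. Helper names are this example's own, not a RHEL/LVS tool.

# Reads iptables-save text on stdin; prints each offending INPUT rule.
find_catchall_new_accepts() {
    awk '
        /^-A INPUT/ && /-m state --state [A-Z,]*NEW/ && /-j ACCEPT/ {
            # Keep only rules with no port, source or interface qualifier.
            if ($0 !~ /--dport/ && $0 !~ /-s / && $0 !~ /-i /) print
        }
    '
}

# Constructed sample dump: RHEL 6-style stock rules, plus the rule proposed
# in the thread inserted at the top of INPUT (iptables -I INPUT ...).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Number of catch-all NEW accepts found in the constructed sample.
count_catchall_new_accepts() {
    printf '%s\n' "$SAMPLE_RULES" | find_catchall_new_accepts | wc -l | tr -d ' '
}

# On a live host this would be run as root: iptables-save | find_catchall_new_accepts
printf '%s\n' "$SAMPLE_RULES" | find_catchall_new_accepts
```

Only the inserted first rule is reported: the stock ESTABLISHED,RELATED rule carries no NEW, and the port-22 rule is restricted by --dport, so it is exactly the one extra flag that changes the exposure.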


_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
