Re: [lvs-users] lvs masq response package not getting picked up

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [lvs-users] lvs masq response package not getting picked up
From: Klavs Klavsen <kl@xxxxxxx>
Date: Mon, 13 Aug 2012 15:05:35 +0200
Graeme Fowler said the following on 08/13/2012 02:11 PM:
[CUT]
> You're using LVS-NAT. The only place the VIP is present in the usual
> usage of this is in the external (client-facing) interface of the
> director.
OK, thank you for clarifying. So the external IP would be in the OUTPUT
chain, and I could filter more specifically there (unless I get state
working - which would be preferable :)

>> Also - for some reason there's no state - so I had to allow ALL packages
>> with source-port of 80 or 443 in the FORWARD chain.
> ipvs works in tandem with netfilter (is part of it nowadays,
> effectively), so state is recorded in the usual way in the conntrack
> tables. If yours isn't, then you may be using an old enough kernel that
> this doesn't happen or you don't have the appropriate netfilter modules
> loaded.

It's CentOS 6 - 2.6.32-220.el6.x86_64

Is that too old?

These modules are loaded:
nf_conntrack_ipv4       9506  4
nf_defrag_ipv4          1483  1 nf_conntrack_ipv4
nf_conntrack_ipv6       8748  2
nf_defrag_ipv6         12182  1 nf_conntrack_ipv6
nf_conntrack           79453  3 nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
ipv6                  322029  38 ip_vs,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6

Thank you for your help.

-- 
Regards,
Klavs Klavsen, GSEC - kl@xxxxxxx - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer


_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
