Re: one more simple question

To: joern maier <joern.maier@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: one more simple question
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Horms <horms@xxxxxxxxxxxx>
Date: Tue, 10 Oct 2000 13:57:21 -0400

On Tue, Oct 10, 2000 at 03:30:51PM +0200, joern maier wrote:
> sorry for posting again, but this time my questions are simple:
> 
> using LVS and direct routing:
> 
> if my director is a firewall as well using ipchains
> in which chain (input, forward, output) can I find (and filter)
> the packages which are forwarded to the realservers ?
> This question may sound stupid but running my director on eth0:110
> and having both the output and forward chain configured like this
> 
> # ipchains -P output DENY
> # ipchains -P forward DENY
> 
> and no rules in any of them (using the -F option). Traffic is still
> forwarded to the servers.
> 
> do I have to do a special setup because of the virtual IP address ?
> I didn't find anything on the man page of ipchains.

This is most likely an effect of LVS being grafted onto the ip_masq code in
the kernel. In general using ip_masq causes the forwarding chain to be
bypassed. I'm not sure why the output rule is not taking effect but from my
experience with marking packets with firewall-marks in the input chain I
would suggest that putting your rules there may give you the effect you are
after.

-- 
Horms

