I have a full ipchains firewall script, which works (includes port
forwarding), and a stripped-down ipchains script just for LVS, and they
each work fine separately. When I merge them, I can't reach even just
the firewall box. As I mentioned, I suspect this is because of the
virtual interfaces required by LVS.
I ran into a problem like this when adding firewall rules to my LVS ipchains
script. The problem I had was due to the order of the rules.
Remember that once a packet matches a rule in a chain it is kicked out of
the chain; it doesn't matter if it is an ACCEPT or REJECT rule (packets may
never get to your FWMARK rules, for example, if they do not come before your
ACCEPT and REJECT tests).
I am using virtual interfaces as well (e.g., eth1:1) but, as Julian points
out, I had no reason to apply ipchains rules to a specific virtual interface
(even with an ipchains script that is several hundred lines long!).
--L
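The rule-ordering point above, as an added illustration that is not part of the original post or of the poster's script: a small model of ipchains first-match traversal, in which a rule with a terminating target (ACCEPT, REJECT, DENY) ends the chain walk while a mark-only rule (an `-m` rule with no `-j`) sets the fwmark and lets the packet continue. The chains, ports and mark values are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Targets that end traversal of the chain in ipchains.
TERMINATING = {"ACCEPT", "REJECT", "DENY"}


@dataclass
class Rule:
    dport: Optional[int] = None   # like "-p tcp --dport N"; None matches any port
    target: Optional[str] = None  # like "-j TARGET"; None means a mark-only rule
    mark: int = 0                 # like "-m VALUE"; 0 means no marking


@dataclass
class Packet:
    dport: int
    fwmark: int = 0


def traverse(chain: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Walk the chain in order and return (verdict, fwmark).

    The first rule that matches and carries a terminating target kicks the
    packet out of the chain. A matching mark-only rule sets the fwmark and
    falls through to the next rule, so it must appear before any ACCEPT or
    REJECT that would otherwise swallow the packet.
    """
    for rule in chain:
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if rule.mark:
            pkt.fwmark = rule.mark
        if rule.target in TERMINATING:
            return rule.target, pkt.fwmark
    return "POLICY", pkt.fwmark  # no terminating match: chain policy applies


# Constructed chains. WRONG accepts port 80 before marking it, so the LVS
# mark is never applied; RIGHT marks first, then runs the firewall tests.
WRONG = [Rule(dport=80, target="ACCEPT"), Rule(dport=80, mark=1),
         Rule(target="REJECT")]
RIGHT = [Rule(dport=80, mark=1), Rule(dport=80, target="ACCEPT"),
         Rule(target="REJECT")]


def check(chain: List[Rule], dport: int) -> Tuple[str, int]:
    """Run one packet to the given port through the chain."""
    return traverse(chain, Packet(dport=dport))


if __name__ == "__main__":
    print("wrong order:", check(WRONG, 80))   # ('ACCEPT', 0): never marked
    print("right order:", check(RIGHT, 80))   # ('ACCEPT', 1): marked, then accepted
```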