Re: testing iptables filter rules

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx, ratz@xxxxxx
Subject: Re: testing iptables filter rules
From: Joseph Mack <mack.joseph@xxxxxxx>
Date: Mon, 21 May 2001 10:37:59 -0400
Roberto Nibali wrote:
> 
> Hi Joe,
> 
> Just came back from Florida 

you must be in culture shock.

> > I'm adding filter rules to the configure script. The rules
> > are layered this way
> >
> > top layer: if packet for VIP -j lvs_rules
> > lvs_rules: if packet for lvs service_1 (eg telnet) -j ACCEPT
> >            if packet for lvs service_2 (eg http) -j ACCEPT
> >
> > I've done it in two layers so that I can add to lvs_rules as
> > each service is configured.
> 
> Good idea. Did you add the policy DENY to INPUT and OUTPUT chains?

Later, I'm just doing the early steps first. I did it the first time and was 
frozen out of my director, apparently because my rules aren't working. 
I'll put it back in later.

> 
> > If I now telnet to the VIP in a working LVS, I would expect packets
> > to go through the telnet rule in lvs_rules, but if I list the
> > number of packets with
> >
> > $iptables -L -v
> >
> > I see packets only in the INPUT and OUTPUT chains, but not in FORWARD or
> > or in lvs_rules chains. Have I done something wrong?
> 
> Hmm, what does the ruleset look like? If you're dealing with netfilter,
> packets don't travel through all chains anymore. Julian once wrote
> something about it:
> 
> packets coming from outside to the LVS do:
> 
>         PRE_ROUTING -> LOCAL_IN(LVS in) -> POST_ROUTING
> 
> packets leaving the LVS travel:
> 
>         PRE_ROUTING -> FORWARD(LVS out) -> POST_ROUTING

that would explain it. 

> From the iptables howto:
> COMPATIBILITY WITH IPCHAINS
>        This iptables is very similar to ipchains by Rusty Russell.
>        The main difference is that the chains INPUT and OUTPUT are
>        only traversed for packets coming into the local host and
>        originating from the local host respectively. Hence every
>        packet only passes through one of the three chains;
>        previously a forwarded packet would pass through all three.

I don't know whether that's an improvement or not, but it sure makes it
hard to keep up with the changes.

> > I remember reading that you can test your filter rules by running a command
> > with the parameters of some hypothetical packet and the output will show
> > the path through the rules. I can't find it in the iptables HOWTO's or with
> > google. Anyone know how to do this?
> 
> It's the same syntax as with ipchains, more or less, iptables -C should work.
> Funny enough, I wasn't able to find it in my man-page

It's in the ipchains man page I see, but it's an "unknown arg" for iptables.

> So if you write it to
> Rusty and send a patch you get at least 10 credit points and will have a place
> in his hall of fame :)

let me think about it ;-\

> > Julian, Ratz,
> >         Are you guys planning on adding stats by service to the code 
> > sometime?
> 
> It's there unless I don't understand the 'by service'. It's the lines below
> Virtual Service. Are you looking for something else?

Yes this is just what I'm looking for (I'd forgotten what was in there).
You can't expect me to know about these details - 
I mean it's not even in the HOWTO :-)

Can I zero out these counters if I want to get rates, 
or should I store the last count?
 
Joe
-- 
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center, 
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
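
The two-layer ruleset discussed in this message, written out as an added example (not code from the thread, the LVS project or the configure script). It takes the chain walk Roberto quotes at face value: on the director, packets for the VIP arrive via LOCAL_IN, so the jump to the per-service chain is attached to INPUT, and FORWARD is never touched, which is why its counters stay at zero in a working LVS. Note that netfilter's policy name is DROP; DENY is the ipchains spelling. The VIP 10.0.0.1, the admin host 192.168.0.5, TCP-only services, and the availability of the state match and the raw-table TRACE target are assumptions. Running it with IPT=echo prints the rules instead of loading them, which is a cheap way to review the layering before a DROP policy can lock you out:

```shell
#!/bin/sh
# Added example, not code from the thread: a two-layer filter for an LVS
# director.  Packets for the VIP are delivered to LOCAL_IN on the director,
# so the jump to the per-service chain hangs off INPUT, not FORWARD.
# VIP, admin host and ports are assumed values supplied by the caller.
# Run with IPT=echo to print the commands instead of applying them.

IPT="${IPT:-iptables}"

# add_service VIP PORT: append one TCP service to lvs_rules.  Safe to call
# after build_rules, because lvs_rules itself carries no final DROP.
add_service() {
    $IPT -A lvs_rules -p tcp -d "$1" --dport "$2" -j ACCEPT
}

# build_rules VIP ADMIN_HOST SERVICE_PORT...
build_rules() {
    vip="$1"; admin="$2"; shift 2

    # Stay reachable while the table is rebuilt, then start clean.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    $IPT -F lvs_rules 2>/dev/null
    $IPT -X lvs_rules 2>/dev/null
    $IPT -N lvs_rules

    # Keep a way in before the policy is tightened: loopback, replies to
    # connections the director opened, and ssh from the admin host.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -s "$admin" --dport 22 -j ACCEPT

    # Top layer: anything addressed to the VIP goes to lvs_rules.
    $IPT -A INPUT -d "$vip" -j lvs_rules

    # lvs_rules: one ACCEPT per configured service.
    for port in "$@"; do
        add_service "$vip" "$port"
    done

    # If lvs_rules returns without a match, the VIP packet is dropped here;
    # the INPUT policy catches everything not addressed to the VIP.
    $IPT -A INPUT -d "$vip" -j DROP
    $IPT -P INPUT DROP
}

# show_counters: per-rule packet and byte counts.  -n keeps the listing
# from stalling on reverse DNS.
show_counters() {
    $IPT -L INPUT -v -n
    $IPT -L lvs_rules -v -n
}

# trace_service VIP PORT: log every rule a packet for this service hits.
# iptables has no "walk this hypothetical packet" option (-C only tests
# whether an identical rule exists); the raw-table TRACE target writes
# "TRACE: table:chain:rule:N" lines to the kernel log instead.
trace_service() {
    $IPT -t raw -A PREROUTING -d "$1" -p tcp --dport "$2" -j TRACE
}

# Apply only when invoked directly with VIP ADMIN_HOST PORT..., e.g.
#   IPT=echo sh lvs-filter.sh 10.0.0.1 192.168.0.5 23 80
if [ "$#" -ge 3 ]; then
    build_rules "$@"
fi
```

The ssh rule from the admin host and the ESTABLISHED,RELATED rule go in before the policy is tightened; that ordering is the difference between the lockout described above and a director you can still reach. The per-service rules live in lvs_rules without a trailing DROP so that add_service can keep appending as each service is configured; the catch-all for the VIP sits in INPUT right after the jump. As for the counter question at the end of the message: ipvsadm has a --zero (-Z) option, but subtracting successive snapshots is the safer way to get rates, since zeroing affects every other reader of the same counters.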

