
Re: testing iptables filter rules

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx, Roberto Nibali <ratz@xxxxxx>
Subject: Re: testing iptables filter rules
From: Joseph Mack <mack.joseph@xxxxxxx>
Date: Thu, 24 May 2001 16:39:57 -0400
Roberto Nibali wrote:


>        Hence every packet only passes through one of the
>        three chains; previously a forwarded packet would pass
>        through all three.

works much better now :-)

> Did you add the policy DENY to INPUT and OUTPUT chains?

Well, no. On the director I'm only adding rules for the device
carrying the VIP. I tell it to accept packets for each VIP:service
and to REJECT all others. I haven't thought about how to handle
the OUTPUT chain yet, since it could be on the same device
or it could be on another NIC. For the moment I'm leaving
the real-server network unfiltered.

When packets get to the real-servers, they are filtered with
the same rules as for the director (it's the same piece
of code being run again). Here I filter for the packets
arriving on the real-server's network device and with dest=VIP.

Should I still have DENY on INPUT and OUTPUT?

Joe

-- 
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center, 
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
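
An added example, not from Joe's post and not LVS code, showing the rule
layout the post describes as a shell script that prints the iptables
commands instead of running them (so it can be read and checked without
root): one function, applied on the director and again on the
real-server, that accepts each VIP:service on the device that sees
packets for the VIP and REJECTs any other packet addressed to the VIP on
that device, plus a second function with what a DROP default policy on
INPUT (the iptables spelling of the ipchains DENY target the post asks
about) would add so that loopback and already-established sessions keep
working. The VIP 192.168.1.100, the device eth0 and the services tcp/80
and tcp/443 are assumptions, not taken from the post; the OUTPUT chain
and the real-server network are left alone, as in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Prints iptables commands
# instead of running them; pipe the output to sh as root to apply.
# Assumed values (not in the post): VIP 192.168.1.100, device eth0,
# services tcp/80 and tcp/443.

# Same rule set on director and real-server: on the device that sees
# packets for the VIP, accept each VIP:service and REJECT any other
# packet addressed to the VIP. Services are given as proto/port.
gen_vip_rules() {
  dev=$1; vip=$2; shift 2
  for svc in "$@"; do
    proto=${svc%%/*}
    port=${svc##*/}
    printf 'iptables -A INPUT -i %s -d %s -p %s --dport %s -j ACCEPT\n' \
      "$dev" "$vip" "$proto" "$port"
  done
  # Anything else addressed to the VIP on this device: explicit REJECT
  # (answers with an ICMP error or TCP RST; DROP would discard silently).
  printf 'iptables -A INPUT -i %s -d %s -j REJECT\n' "$dev" "$vip"
}

# What a DROP default policy on INPUT (iptables' name for ipchains' DENY)
# adds: the policy itself, plus explicit accepts for traffic the VIP
# rules never match but the host still needs (loopback, replies to its
# own connections; the state match needs the connection-tracking module).
# With this in place, packets arriving on the real-server network that
# match nothing are dropped as well, so e.g. admin ssh on the inside NIC
# would need its own ACCEPT rule.
gen_input_policy() {
  printf 'iptables -P INPUT DROP\n'
  printf 'iptables -A INPUT -i lo -j ACCEPT\n'
  printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# Usage: emit the full INPUT rule set for one host (director or real-server).
gen_input_policy
gen_vip_rules eth0 192.168.1.100 tcp/80 tcp/443
```

The REJECT rule is appended last, so it only catches what the
per-service ACCEPTs did not; keep that order if the rules are applied
incrementally on a live box.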

