
Re: ipvsadm interaction with iptables

To: "James O'Kane" <jo2y@xxxxxxxxxxxxxxxxx>
Subject: Re: ipvsadm interaction with iptables
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Julian Anastasov <ja@xxxxxx>
Date: Tue, 17 Jul 2001 12:01:42 +0300 (EEST)
        Hello,

On Tue, 17 Jul 2001, James O'Kane wrote:

> On Tue, 17 Jul 2001, Julian Anastasov wrote:
> >     What is this rule?
>
> The state of FORWARD just before I got things working had just this rule:
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

        Yes, this is too restrictive and does not match the LVS traffic.
The LVS connection states are not exported in this way. These rules are
for the Netfilter connections only.

> I added
>
> -A FORWARD -s 0/0 -d 0/0 -j ACCEPT
>
> And it worked. Looking back at my notes, I had
>
> -A FORWARD -i eth1 -j ACCEPT

        Better use this (I assume eth1 is your internal device).

> written down, but it wasn't in the running rules. The default policy I
> had set through all of this was DROP. It currently works with the two I
> intended to have:
>
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth1 -j ACCEPT

        Looks good

> I'm still learning how iptables works, so I'm not confident yet that what
> I'm doing is the most secure way to do things. After I play with things
> more, then I'm going to seek out someone who can look over my rules.

        You are using too restrictive rules, do you really need them?

        The LVS users that use Linux 2.2 are not powered with such firewall
rules but you can build a secure setup even with simple rules. In some
cases even without firewall rules :)

> > http://marc.theaimsgroup.com/?l=linux-virtual-server&m=98296653726641&w=2
>
> Thanks for this pointer. I don't understand any of it this early in the
> morning, but I'll look at it some more later.

        OK :) It covers internals, not user-space tools.

> -james


Regards

--
Julian Anastasov <ja@xxxxxx>
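As an added example (not part of the thread), a small Python audit that reads an iptables-save style FORWARD chain and flags the situation discussed above: policy DROP with nothing but a conntrack-state ACCEPT rule, which packets forwarded by IPVS never match because LVS connections are not Netfilter connections. The sample rulesets are constructed from the rules quoted in the message, and `eth1` as the internal interface is an assumption taken from the reply.

```python
"""Audit an iptables FORWARD chain for ACCEPT rules that do not depend on
conntrack state (the only kind that lets LVS-forwarded traffic through)."""
import shlex

# Constructed samples: the "before" and "after" rulesets quoted in the thread.
BEFORE = """\
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
"""
AFTER = BEFORE + "-A FORWARD -i eth1 -j ACCEPT\n"

WILDCARD = {"0/0", "0.0.0.0/0"}


def parse_chain(dump, chain="FORWARD"):
    """Return (policy, rules); each rule maps an option to its value or True."""
    policy, rules = None, []
    for line in dump.splitlines():
        toks = shlex.split(line)
        if len(toks) >= 2 and toks[0] == ":" + chain:
            policy = toks[1]                      # chain policy from ":CHAIN POLICY [n:n]"
        elif len(toks) >= 2 and toks[:2] == ["-A", chain]:
            rule, i = {}, 2
            while i < len(toks):
                # option followed by a value, or a bare flag ("!" negation not handled)
                if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    rule[toks[i]] = toks[i + 1]
                    i += 2
                else:
                    rule[toks[i]] = True
                    i += 1
            rules.append(rule)
    return policy, rules


def passes_lvs_traffic(rule, internal_iface):
    """True if the rule accepts forwarded packets without a conntrack-state match."""
    if rule.get("-j") != "ACCEPT" or "--state" in rule:
        return False  # state matches never see IPVS-handled connections
    if rule.get("-i", internal_iface) != internal_iface:
        return False  # bound to some other input interface
    return all(rule.get(opt, "0/0") in WILDCARD for opt in ("-s", "-d"))


def audit_forward(dump, internal_iface):
    """Return a list of findings; an empty list means LVS traffic is accepted."""
    policy, rules = parse_chain(dump)
    if policy != "DROP" or any(passes_lvs_traffic(r, internal_iface) for r in rules):
        return []
    return ["FORWARD policy is DROP and every ACCEPT rule depends on conntrack "
            "state; packets forwarded by IPVS will be dropped"]
```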
