Howdy all-
I was checking out iptables 1.2.3 when I came across this interesting
patch:
http://cvs.samba.org/cgi-bin/cvsweb/netfilter/userspace/patch-o-matic/string.patch
It allows one to write iptables rules like this:
$IPTABLES -I INPUT -p tcp --dport 80 -m string --string .exe? -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset
I was initially investigating this as a quick and dirty way of blocking
Nimda from my network (all linux, but I still didn't want that nasty
little guy flying around on my samba servers) at my firewall, but then
it occurred to me that I could also use this in combination with an
fwmark-based LVS system to provide pseudo-L7 load-balancing capabilities.
In my case I want to load-balance a set of name-based virtual hosts all
differently: some need SSL, some don't, some I only want balanced off
two servers instead of three.
Has anyone played with this patch? I don't have a lab or the equipment
to set up a test system, but I figure that with all the intelligent LVS
users out there, someone must have tried this patch already ;)
Thanks again,
Zack
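The two uses Zack describes (resetting connections that carry a Nimda-style probe string, and setting a per-virtual-host firewall mark for an fwmark-based LVS service) written out as a small shell script. This is an added example, not code from the original post or from the patch-o-matic string.patch: it uses the `--algo` argument that the in-tree xt_string match (later kernels) requires, which the 2001 patch did not have; the host names, mark numbers and the `IPTABLES`/`APPLY_RULES` knobs are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): iptables string matching used
# for (a) resetting HTTP connections that carry a probe string and
# (b) tagging HTTP packets for a given Host header with an fwmark that an
# LVS fwmark service can then select on.
# Assumptions: --algo is accepted (in-tree xt_string), host names and mark
# values are illustrative, and IPTABLES may be overridden (IPTABLES=dry_run)
# to preview the rules without root.

IPTABLES="${IPTABLES:-iptables}"

# Print the rule arguments instead of running iptables (used for previews).
dry_run() {
    printf '%s\n' "$*"
}

# Tag packets to port 80 whose payload contains "Host: <host>" with <mark>.
mark_vhost() {
    host="$1"; mark="$2"
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 \
        -m string --algo bm --string "Host: $host" \
        -j MARK --set-mark "$mark"
}

# Reset established connections to port 80 whose payload contains <pattern>
# (the ".exe?" string from the post; literal substring, not a regex).
reject_probe() {
    pattern="$1"
    $IPTABLES -I INPUT -p tcp --dport 80 -m state --state ESTABLISHED \
        -m string --algo bm --string "$pattern" \
        -j REJECT --reject-with tcp-reset
}

# Illustrative rule set: one probe filter, two virtual hosts with their own marks.
apply_rules() {
    reject_probe ".exe?"
    mark_vhost "www.example.com" 1
    mark_vhost "secure.example.com" 2
}

# Only touch the live firewall when explicitly asked, e.g.
#   APPLY_RULES=yes ./marks.sh        (as root)
#   IPTABLES=dry_run APPLY_RULES=yes ./marks.sh   (preview)
if [ "${APPLY_RULES:-}" = "yes" ]; then
    apply_rules
fi
```

Two caveats worth keeping in mind when trying this with LVS. The string match works on one packet at a time with no stream reassembly, so a pattern split across two TCP segments is missed, and a literal `.exe?` filter will also reset legitimate downloads whose URL happens to contain it. More importantly for the load-balancing idea, LVS picks a real server when it sees the first packet of a connection (the SYN), and that packet carries no Host header, so a mark set on the later request packet cannot influence which server the connection was already sent to; for the SSL hosts the Host header is encrypted and never visible to the match at all.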