Re: firewall for lvs question

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: firewall for lvs question
From: Roberto Nibali <ratz@xxxxxxxxxxxx>
Date: Tue, 16 Oct 2001 19:15:42 +0200
Hello,

> > properly. But as I'm setting up the firewall (iptables), I noticed that
> > iptables won't let me add ip alias
> 
> This is a standard ip_tables problem. I think you just put eth0 in the
> command rather than eth0:54 (or whatever)

Ok, this is a problem of understanding the 'ip alias' concept since the
late 2.1.1?? kernels. We do not have a struct *dev for an ip alias
anymore.
An ip alias is nothing but a secondary ip which can be bound to the
physical or dummy interface, or generally to a service. The name eth0:54
is just a label and the kernel doesn't give a flying monkey's shit about
this. You can also name it eth0:LVS_rocks, if you want. Check out the
difference in the following trace and see why you _shouldn't_ use old
obsolete tools like ifconfig and route anymore:

schtinkphish:~ # ip addr show dev eth0
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:04:50:64:58 brd ff:ff:ff:ff:ff:ff
    inet 172.23.2.3/16 brd 172.23.255.255 scope global eth0
schtinkphish:~ # ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:50:04:50:64:58
          inet addr:172.23.2.3  Bcast:172.23.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:651904 errors:0 dropped:0 overruns:0 frame:0
          TX packets:274593 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:7 Base address:0xd000

schtinkphish:~ # ifconfig eth0:10 1.1.1.1 up
schtinkphish:~ # ifconfig eth0:10
eth0:10   Link encap:Ethernet  HWaddr 00:50:04:50:64:58
          inet addr:1.1.1.1  Bcast:1.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:7 Base address:0xd000

schtinkphish:~ # ip addr show dev eth0
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:04:50:64:58 brd ff:ff:ff:ff:ff:ff
    inet 172.23.2.3/16 brd 172.23.255.255 scope global eth0
    inet 1.1.1.1/8 brd 1.255.255.255 scope global eth0:10
schtinkphish:~ # ip addr show dev eth0 label eth0:10
    inet 1.1.1.1/8 brd 1.255.255.255 scope global eth0:10
schtinkphish:~ # ip addr add 1.1.1.2/32 dev eth0 label eth0:LVS_rocks
schtinkphish:~ # ip addr show dev eth0
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:04:50:64:58 brd ff:ff:ff:ff:ff:ff
    inet 172.23.2.3/16 brd 172.23.255.255 scope global eth0
    inet 1.1.1.1/8 brd 1.255.255.255 scope global eth0:10
    inet 1.1.1.2/32 scope global eth0:LVS_rocks
schtinkphish:~ # ifconfig eth0:LVS_rocks
eth0:LVS_ Link encap:Ethernet  HWaddr 00:50:04:50:64:58
          inet addr:1.1.1.2  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:7 Base address:0xd000

schtinkphish:~ # ip addr add 1.1.1.3/32 dev eth0
schtinkphish:~ # ip addr show dev eth0
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:04:50:64:58 brd ff:ff:ff:ff:ff:ff
    inet 172.23.2.3/16 brd 172.23.255.255 scope global eth0
    inet 1.1.1.1/8 brd 1.255.255.255 scope global eth0:10
    inet 1.1.1.2/32 scope global eth0:LVS_rocks
    inet 1.1.1.3/32 scope global eth0
schtinkphish:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:04:50:64:58
          inet addr:172.23.2.3  Bcast:172.23.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:652082 errors:0 dropped:0 overruns:0 frame:0
          TX packets:274624 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:7 Base address:0xd000

eth0:10   Link encap:Ethernet  HWaddr 00:50:04:50:64:58
          inet addr:1.1.1.1  Bcast:1.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:7 Base address:0xd000

eth0:LVS_ Link encap:Ethernet  HWaddr 00:50:04:50:64:58
          inet addr:1.1.1.2  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:7 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:238 errors:0 dropped:0 overruns:0 frame:0
          TX packets:238 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

schtinkphish:~ #

Ok, so where the hell did 1.1.1.3/32 go? This is very dangerous since
the interface will be accepting packets destined for 1.1.1.3/32 on eth0.

And Joe is right, put eth0 instead of eth0:54. I hope this makes sense
now. Anyway, you should put the narrowest possible network for filtering,
in the best case policy DROP and ACCEPT only for RELATED, NEW, ESTABLISHED
for the VIP. Even better is to set up good routing (takes a lot of time
but is the fastest solution to packet filtering) where your policy rule
is to blackhole everything and only do rules for allowed traffic. This
is the future of Linux packet filtering and firewalling :)

Best regards,
Roberto Nibali, ratz

-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
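The two practical points of the post above, as an added example that is not part of the original message or of the LVS project: an audit helper that reads 'ip addr show' output and reports secondary addresses which ifconfig would not list but which still accept packets (the 1.1.1.3/32 case in the trace), and a generator for the narrow VIP rule set the post recommends, matching on the real device plus the destination address because there is no eth0:54 device for "-i". It assumes the 'ip addr show' line format seen in the trace, the iptables 'state' match of 2.4-era kernels, and that VIP traffic reaches the director's INPUT chain (LVS-DR/TUN; use FORWARD for LVS-NAT). The function names are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the list post. Two helpers around the point
# made above: a secondary address without its own label is invisible to
# ifconfig but still accepts packets, and filtering must key on the device
# plus the address, since the kernel has no eth0:54 device for "-i".
#
# Assumptions (not from the post): 'ip addr show' output with
# "inet <addr/prefix> ... <label>" lines under a "<n>: <dev>: ..." header,
# the iptables 'state' match of 2.4-era kernels, and that VIP traffic is
# seen on the director's INPUT chain (LVS-DR/TUN); adapt for FORWARD if
# you use LVS-NAT. Function names are made up here.

# Constructed sample: the last 'ip addr show dev eth0' listing from the
# post, embedded so the script runs offline without root.
SAMPLE_IP_ADDR='3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:04:50:64:58 brd ff:ff:ff:ff:ff:ff
    inet 172.23.2.3/16 brd 172.23.255.255 scope global eth0
    inet 1.1.1.1/8 brd 1.255.255.255 scope global eth0:10
    inet 1.1.1.2/32 scope global eth0:LVS_rocks
    inet 1.1.1.3/32 scope global eth0'

# hidden_addrs: read 'ip addr show' output on stdin and print each inet
# address that ifconfig will not list. Heuristic: per device, the first
# address labelled with the bare device name is the primary (ifconfig shows
# it); any later address carrying only the bare device name is a secondary
# that ifconfig hides. Labelled aliases (eth0:10) are shown and skipped.
hidden_addrs() {
    awk '
        /^[0-9]+: / { dev = $2; sub(/:$/, "", dev); seen[dev] = 0; next }
        $1 == "inet" && $NF == dev {
            if (seen[dev]) print $2
            seen[dev] = 1
        }
    '
}

# vip_rules VIP DEV PORT: print the narrowest rule set the post recommends
# for one TCP service on a VIP: policy DROP, loopback allowed, replies and
# related traffic for the VIP accepted, and NEW only to the service port.
# The match is "-i DEV -d VIP", never "-i DEV:label". Rules are printed
# rather than applied, so they can be reviewed first (pipe into sh to load).
vip_rules() {
    vip=$1
    dev=$2
    port=$3
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -i %s -d %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$dev" "$vip"
    printf 'iptables -A INPUT -i %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$dev" "$vip" "$port"
}

# Run on the embedded sample: 1.1.1.3/32 is the one address ifconfig hides.
echo "addresses on eth0 that ifconfig would not show:"
printf '%s\n' "$SAMPLE_IP_ADDR" | hidden_addrs
echo "rules for VIP 1.1.1.2 on eth0, TCP port 80:"
vip_rules 1.1.1.2 eth0 80
```

On a live director, replace the embedded sample with `ip addr show | hidden_addrs` to see which addresses a colleague using ifconfig would miss; every address it prints is one that still needs a rule, since the kernel accepts packets for it regardless of whether a label exists.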
