I'm using iptables (smacks self for not mentioning this initially) as well.
Generally, I'm only allowing connections to either machine using directives
similar to:
iptables -A INPUT -i $IFACE -d $IP -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -s $IP -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
My logging isn't catching any errors, but then again, I may simply be
dropping the ACKs to the realserver without logging them.
Does anyone have any suggestions for accommodating this within iptables? My
guess is it may be as simple as allowing the director to make connections to
port 80 on the realserver without regard to the connection state? Is that
logic on the right track, or is there a more elegant (and secure) way to
accomplish this? I apologize if this ends up bleeding into an iptables
problem. ;)
Again, I appreciate the assistance.
> >director# tcpdump -ln -i OUTDEV host CIP -vvv
>
> # tcpdump -ln -i eth0 host 10.0.0.211 and port 80 -vvv
> Kernel filter, protocol ALL, datagram packet socket
> tcpdump: listening on eth0
> 09:48:05.181565 < 10.0.0.211.1542 > 192.168.0.190.www: S
> 516842430:516842430(0) win 5840 <mss 1460> (DF) (ttl 46, id 47014)
> 09:48:05.181741 > 10.0.0.211.1542 > 192.168.0.190.www: S
> 516842430:516842430(0) win 5840 <mss 1460> (DF) (ttl 46, id 47014)
> 09:48:05.258397 < 10.0.0.211.1542 > 192.168.0.190.www: .
> By some reason the above ACK is not sent to the real server,
> do you have any firewall rules on the director? The RS receives
> only the first SYN and replies to it but no ACK is received.
> 516842431:516842431(0) ack 531827344 win 5840 (DF) (ttl 46, id 47015)
> 09:48:06.977440 < 10.0.0.211.1542 > 192.168.0.190.www: P 0:7(7) ack 1 win 5840 (DF) (ttl 46, id 47016)
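The quoted capture is the place to confirm the suspicion raised in this thread (that the director itself drops the client's ACK) before any firewall rule is loosened. The script below is an added example, not code from the thread or from the LVS project: it parses old-style tcpdump lines like the ones quoted above, where the marker after the timestamp is `<` for a packet received on the interface and `>` for one sent out of it, and lists every packet that arrived on the director but was never re-sent. It assumes DR-style forwarding, where the forwarded copy keeps the same addresses and IP id (as the two SYN lines above show), so (src, dst, flags, IP id) is used to pair a received packet with its forwarded copy. The sample capture is reconstructed from the thread with the wrapped lines rejoined, and the names `parse_line`, `unforwarded_packets` and `report` are chosen here.

```python
import re
from collections import namedtuple

# Old-style (libpcap 0.4 era) tcpdump line layout:
#   <time> <dir> <src> > <dst>: <flags> <rest>
# <dir> is "<" for a packet received on the interface and ">" for one sent
# out of it. Banner lines ("Kernel filter ...", "tcpdump: listening ...")
# do not match the pattern and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>[<>])\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)
IP_ID_RE = re.compile(r"\bid (\d+)")

Packet = namedtuple("Packet", "ts direction src dst flags ip_id")

# Constructed sample: the thread's capture with the wrapped lines rejoined.
SAMPLE_CAPTURE = """\
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on eth0
09:48:05.181565 < 10.0.0.211.1542 > 192.168.0.190.www: S 516842430:516842430(0) win 5840 <mss 1460> (DF) (ttl 46, id 47014)
09:48:05.181741 > 10.0.0.211.1542 > 192.168.0.190.www: S 516842430:516842430(0) win 5840 <mss 1460> (DF) (ttl 46, id 47014)
09:48:05.258397 < 10.0.0.211.1542 > 192.168.0.190.www: . 516842431:516842431(0) ack 531827344 win 5840 (DF) (ttl 46, id 47015)
09:48:06.977440 < 10.0.0.211.1542 > 192.168.0.190.www: P 0:7(7) ack 1 win 5840 (DF) (ttl 46, id 47016)
"""


def parse_line(line):
    """Parse one tcpdump line into a Packet; return None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    id_match = IP_ID_RE.search(m.group("rest"))
    return Packet(
        ts=m.group("ts"),
        direction="in" if m.group("dir") == "<" else "out",
        src=m.group("src"),
        dst=m.group("dst"),
        flags=m.group("flags"),
        ip_id=int(id_match.group(1)) if id_match else None,
    )


def unforwarded_packets(lines):
    """Return the packets received on the director ("<") for which no identical
    copy was sent back out (">"). DR forwarding leaves the IP header untouched,
    so (src, dst, flags, IP id) pairs a received packet with its forwarded copy
    whatever order the two copies appear in the capture."""
    sent = set()
    received = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt.src, pkt.dst, pkt.flags, pkt.ip_id)
        if pkt.direction == "out":
            sent.add(key)
        else:
            received.append((key, pkt))
    return [pkt for key, pkt in received if key not in sent]


def report(capture):
    """One summary line per packet the director received but did not forward."""
    missing = unforwarded_packets(capture.splitlines())
    if not missing:
        return "every received packet was forwarded"
    return "\n".join(
        "%s  %s > %s  flags=%s id=%s  received but not forwarded"
        % (p.ts, p.src, p.dst, p.flags, p.ip_id)
        for p in missing
    )


if __name__ == "__main__":
    # On the thread's capture this names the ACK (id 47015) and the PSH
    # (id 47016) as received on the director and never sent on to the RS.
    print(report(SAMPLE_CAPTURE))
```

Feed it a capture saved from the `tcpdump -ln -i OUTDEV host CIP -vvv` command quoted above. If the client's ACK is listed as received but not forwarded, the drop happens on the director itself; placing a `-j LOG` rule immediately ahead of the rule that drops will then name the responsible rule in the log, which is a safer next step than removing state matching from the port 80 rules wholesale.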