Hello,
On Wed, 6 Feb 2002, Abe Schwartz wrote:
> I'm using iptables (smacks self for not mentioning this initially) as well.
> Generally, I'm only allowing connections to either machine using directives
> similar to:
Yes, maybe this rule is the key:
> iptables -A INPUT -i $IFACE -d $IP -p tcp --dport 80 -m state --state
> NEW,ESTABLISHED -j ACCEPT
LVS does not play with netfilter's conntracking.
> iptables -A OUTPUT -o $IFACE -s $IP -p tcp --sport 80 -m state --state
> ESTABLISHED -j ACCEPT
>
> My logging isn't catching any errors, but then again, I may simply be
> dropping the ACKs to the realserver without logging them.
>
> Does anyone have any suggestions for accommodating this within iptables? My
> guess is it may be as simple as allowing the director to make connections to
> port 80 on the realserver without regard to the connection state? Is that
> logic on the right track, or is there a more elegant (and secure) way to
> accomplish this? I apologize if this ends up bleeding into an iptables
> problem. ;)
You can try to remove these rules for the test but someone else
has to comment on the consequences.
Regards
--
Julian Anastasov <ja@xxxxxx>