Re: 2.4.17 realserver not answering requests - solved

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: 2.4.17 realserver not answering requests - solved
From: "Abe Schwartz" <sloween@xxxxxxxxxxx>
Date: Sat, 09 Feb 2002 17:31:08 +0000
This was the key. Thanks.

Subject: Re: 2.4.17 realserver not answering requests
        About the problem: the ACK is received in the director
but is not forwarded to the real server. The problem is in the
director.

I previously only had:
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP

I altered this to allow NEW, non-syn connections to the VIP:80 -
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -d VIP --dport 80 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP

And it works properly now. Out of curiosity, is this the most secure way of allowing this connection to occur, or should there be another restriction in addition to the allow above? e.g., perhaps using RELATED? Does this ACCEPT create any possible new security problems?

What TCP flags are set on the non-received ACK? Perhaps this rule can be tightened using the following iptables switch:

--tcp-flags [!] mask comp
"Match when the TCP flags are as specified. The first argument is the flags which we should examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset."

Thanks very much for all your help and patience. Hopefully this thread will help someone in the future.

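An added example (not the poster's script) showing one way to apply the tightening asked about above: the VIP:80 exception is narrowed with --tcp-flags to ACK-only client segments, and the remaining NEW non-SYN packets are logged before the existing DROP so they stay visible to the operator. IFACE, VIP, PORT and the addresses used in the self-check are assumed placeholders.

```shell
#!/bin/sh
# Added example for the thread above (not the poster's script). IFACE, VIP and
# PORT are supplied by the caller; the values in the self-check are made up.

# run: print the command in dry-run mode, execute it only when APPLY=1.
# (Dry-run output loses shell quoting; it is for review, not copy-paste.)
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# lvs_director_rules IFACE VIP PORT
# Emits the INPUT rules for an LVS director that sees only the client-to-VIP
# direction of each flow, so conntrack tags mid-stream segments as NEW.
lvs_director_rules() {
    iface="$1"; vip="$2"; port="$3"

    # 1. Accept NEW non-SYN segments only when they look like a client's normal
    #    mid-stream traffic (ACK set, SYN/FIN/RST clear; PSH is outside the mask
    #    so data segments match too) and only for the VIP:port LVS serves.
    #    --tcp-flags already excludes SYN, and iptables refuses to combine it
    #    with --syn, so "! --syn" is omitted from this rule.
    run iptables -A INPUT -i "$iface" -p tcp --tcp-flags SYN,ACK,FIN,RST ACK \
        --dport "$port" -d "$vip" -m state --state NEW -j ACCEPT

    # 2. Log (rate-limited) and then drop every other NEW non-SYN segment, so
    #    stray or unexpected flag combinations remain visible in the logs.
    run iptables -A INPUT -i "$iface" -p tcp ! --syn -m state --state NEW \
        -m limit --limit 5/min -j LOG --log-prefix "LVS nonSYN-NEW drop: "
    run iptables -A INPUT -i "$iface" -p tcp ! --syn -m state --state NEW -j DROP
}

# count_rules IFACE VIP PORT: number of iptables commands the dry run produces.
count_rules() {
    lvs_director_rules "$1" "$2" "$3" | grep -c '^iptables'
}
```

Run with `APPLY=1 lvs_director_rules eth0 <VIP> 80` as root to install the rules; without APPLY=1 it only prints them for review.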
