|
This was the key. Thanks.
Subject: Re: 2.4.17 realserver not answering requests
About the problem: the ACK is received in the director
but is not forwarded to the real server. The problem is in the
director.
I previously only had:
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
I altered this to allow NEW, non-syn connections to the VIP:80 -
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -d VIP
--dport 80 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
And it works properly now. Out of curiousity, is this the most secure way of
allowing this connection to occur, or should there be another restriction in
addition to the allow above? e.g., perhaps using RELATED? Does this ACCEPT
create any possible new security problems?
What TCP flags are set on the non-recieved ACK? Perhaps this rule can be
tightened using the following iptables switch:
--tcp-flags [!] mask comp
"Match when the TCP flags are as specified. The first
argument is the flags which we should examine, written as a
comma-separated list, and the second argument is a comma-separated list of
flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE.
Hence the command iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
will only match packets with the SYN flag set, and the ACK, FIN and RST
flags unset."
Thanks very much for all your help and patience. Hopefully this thread will
help someone in the future.
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
|
