Re: 2.4.17 realserver not answering requests | --tcp-flags

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: 2.4.17 realserver not answering requests | --tcp-flags
From: "Abe Schwartz" <sloween@xxxxxxxxxxx>
Date: Sat, 09 Feb 2002 18:38:32 +0000
I've discovered that this works as well (on the director) -

iptables -A INPUT -i $IFACE -p tcp --tcp-flags SYN,RST,ACK ACK -m state --state NEW -d VIP --dport 80 -j ACCEPT

This looks like the more correct way of allowing the ACK, but hopefully a more experienced iptables|lvs user on the list can clarify.

Ideas or suggestions?

From: "Abe Schwartz" <sloween@xxxxxxxxxxx>
Reply-To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: 2.4.17 realserver not answering requests - solved
Date: Sat, 09 Feb 2002 17:31:08 +0000


This was the key. Thanks.

Subject: Re: 2.4.17 realserver not answering requests
        About the problem: the ACK is received in the director
but is not forwarded to the real server. The problem is in the
director.

I previously only had:
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP

I altered this to allow NEW, non-syn connections to the VIP:80 -
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -d VIP --dport 80 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP

And it works properly now. Out of curiosity, is this the most secure way of allowing this connection to occur, or should there be another restriction in
addition to the allow above? e.g., perhaps using RELATED? Does this ACCEPT
create any possible new security problems?

What TCP flags are set on the non-received ACK? Perhaps this rule can be
tightened using the following iptables switch:

--tcp-flags [!] mask comp
             "Match when the TCP flags are as specified.  The first
argument is the flags  which  we  should  examine, written as a
comma-separated list, and the second argument is a comma-separated list of
flags which must be set.  Flags are: SYN ACK FIN RST URG PSH ALL NONE.
Hence the command iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
will only match packets with the SYN flag set, and the ACK, FIN and RST
flags unset."

Thanks very much for all your help and patience. Hopefully this thread will
help someone in the future.



_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users




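The difference between the two rulesets in the thread comes down to how iptables evaluates TCP flags. `! --syn` is the documented shorthand for `! --tcp-flags SYN,RST,ACK SYN`, so it matches every packet that is not a plain SYN, including SYN+ACK, bare RST and bare FIN, whereas `--tcp-flags SYN,RST,ACK ACK` only admits packets with ACK set and SYN and RST clear (PSH, URG and FIN are outside the mask and ignored). The following is an added example, not code from the original posts or from the LVS project: it models the `--tcp-flags` and `--syn` match semantics quoted from the man page above, builds the "solved" chain and the tightened chain as first-match-wins rule lists, and runs constructed sample packets through both. The VIP address, the `Packet` and `Rule` helpers and the sample packets are assumptions for the illustration; conntrack itself is not modelled, so each packet's NEW state is taken as given, which is the situation the thread describes.

```python
"""Model of the iptables TCP-flag matches discussed in the thread (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# TCP flag bits as they sit in the TCP header's flags byte.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(FLAG_BITS.values())


def flag_set(names: str) -> int:
    """Turn an iptables comma-separated flag list (incl. ALL / NONE) into a bitmask."""
    bits = 0
    for name in names.split(","):
        name = name.strip().upper()
        if name == "ALL":
            bits |= ALL_FLAGS
        elif name != "NONE":
            bits |= FLAG_BITS[name]
    return bits


def tcp_flags(mask: str, comp: str, invert: bool = False) -> Callable[[int], bool]:
    """`--tcp-flags [!] mask comp`: of the bits named in `mask`, exactly those in `comp`
    must be set. Bits outside the mask are ignored, so PSH/URG/FIN never affect the match."""
    m, c = flag_set(mask), flag_set(comp)
    return lambda flags: ((flags & m) == c) != invert


def syn(invert: bool = False) -> Callable[[int], bool]:
    """`[!] --syn` is shorthand for `[!] --tcp-flags SYN,RST,ACK SYN` (iptables(8))."""
    return tcp_flags("SYN,RST,ACK", "SYN", invert)


@dataclass
class Packet:  # assumed helper: only the fields the rules look at
    flags: int
    dst: str
    dport: int
    state: str  # conntrack state as `-m state` would report it (taken as given here)


@dataclass
class Rule:  # assumed helper: one INPUT rule; None means "no such match in the rule"
    match_flags: Callable[[int], bool]
    target: str
    state: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.match_flags(p.flags)
                and (self.state is None or p.state == self.state)
                and (self.dst is None or p.dst == self.dst)
                and (self.dport is None or p.dport == self.dport))


def evaluate(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides, as in an iptables chain; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


VIP = "192.0.2.10"  # assumed placeholder for the director's VIP

# The "solved" ruleset: `! --syn` NEW to VIP:80 ACCEPT, then `! --syn` NEW DROP.
LOOSE_CHAIN = [
    Rule(syn(invert=True), "ACCEPT", state="NEW", dst=VIP, dport=80),
    Rule(syn(invert=True), "DROP", state="NEW"),
]

# The tightened follow-up: `--tcp-flags SYN,RST,ACK ACK` NEW to VIP:80 ACCEPT, same DROP after it.
TIGHT_CHAIN = [
    Rule(tcp_flags("SYN,RST,ACK", "ACK"), "ACCEPT", state="NEW", dst=VIP, dport=80),
    Rule(syn(invert=True), "DROP", state="NEW"),
]

F = FLAG_BITS
SAMPLES = {  # constructed packets, all seen by conntrack as NEW
    "mid-stream ACK":  Packet(F["ACK"], VIP, 80, "NEW"),
    "ACK+PSH data":    Packet(F["ACK"] | F["PSH"], VIP, 80, "NEW"),
    "SYN+ACK":         Packet(F["SYN"] | F["ACK"], VIP, 80, "NEW"),
    "bare RST":        Packet(F["RST"], VIP, 80, "NEW"),
    "bare FIN":        Packet(F["FIN"], VIP, 80, "NEW"),
    "plain SYN":       Packet(F["SYN"], VIP, 80, "NEW"),
    "ACK to port 443": Packet(F["ACK"], VIP, 443, "NEW"),
}


def compare(p: Packet) -> Tuple[str, str]:
    """Verdict of the loose chain and of the tightened chain for one packet."""
    return evaluate(LOOSE_CHAIN, p), evaluate(TIGHT_CHAIN, p)


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        loose, tight = compare(pkt)
        print(f"{name:16s} loose={loose:6s} tight={tight}")
```

Running it shows that the mid-stream ACK the real server was missing is accepted by both chains, while SYN+ACK, bare RST and bare FIN arriving without a conntrack entry pass the `! --syn` ACCEPT but are dropped by the `--tcp-flags SYN,RST,ACK ACK` version; a plain SYN is untouched by either rule and falls through to whatever follows, and an ACK to any port other than 80 still hits the DROP in both.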