Hello,
On Tue, 21 May 2002, Joseph Mack wrote:
> Sometimes LVS-DR realservers have clients which need
> to connect to hosts on the internet, eg a squid realserver
> needs to connect from RIP (not VIP) to 0/0:80.
> In my configure script, currently
> I block all connections from RIP to 0/0.
> I now want to let out all packets to 0/0:80
> say but to DROP or REJECT other packets from RIP to 0/0:!80.
>
> Horms suggested the following code (here shown connecting
> from RIP to 0/0:telnet, since connecting with telnet is
> easy to test)
>
> #mark packet
> iptables -t mangle -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport telnet -j MARK --set-mark 1
In 2.4 the OUTPUT chain is for locally generated packets.
Maybe you can do filtering in the FORWARD chain, unrelated to the
fwmarking at PRE_ROUTING. Don't forget the ICMP traffic related
to the allowed TCP connections; you have to pass it too (in FORWARD).
> Thanks Joe
Regards
--
Julian Anastasov <ja@xxxxxx>
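As an added illustration of the approach suggested above (not code from either poster), here is a gateway-side FORWARD policy for a 2.4-era iptables: new connections from RIP may only go to port 80, replies and the ICMP errors belonging to those connections are passed back to RIP, and every other packet sourced from RIP is logged and rejected. The RIP address is a constructed sample, and the function defaults to printing the commands so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not part of the original thread. Egress policy for an
# LVS-DR realserver, enforced in the FORWARD chain of the gateway/director
# that routes RIP traffic (packets from RIP are locally generated only on the
# realserver itself, so on the gateway they traverse FORWARD, not OUTPUT).
RIP=${RIP:-192.168.1.10}        # constructed sample realserver address
IPT=${IPT:-"echo iptables"}     # set IPT=iptables to apply the rules for real

rip_egress_rules() {
    # dedicated chain so the policy can be rebuilt without flushing FORWARD
    $IPT -t filter -N RIP_EGRESS 2>/dev/null
    $IPT -t filter -F RIP_EGRESS
    # allowed service: new TCP connections from RIP to any host on port 80
    $IPT -t filter -A RIP_EGRESS -s "$RIP"/32 -p tcp --dport 80 --syn -j ACCEPT
    # replies and ICMP errors tied to tracked connections (ip_conntrack)
    $IPT -t filter -A RIP_EGRESS -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ICMP errors destined to RIP for the allowed flows (PMTU, unreachable,
    # TTL expiry), in case connection tracking is not loaded on the gateway
    for t in destination-unreachable time-exceeded parameter-problem; do
        $IPT -t filter -A RIP_EGRESS -d "$RIP"/32 -p icmp --icmp-type "$t" -j ACCEPT
    done
    # everything else from RIP is rate-limited to the log, then refused
    $IPT -t filter -A RIP_EGRESS -s "$RIP"/32 -m limit --limit 5/min \
        -j LOG --log-prefix "RIP egress denied: "
    $IPT -t filter -A RIP_EGRESS -s "$RIP"/32 -j REJECT
    # hook the chain into FORWARD for traffic to or from RIP only;
    # VIP traffic (client replies in LVS-DR) never matches these rules
    $IPT -t filter -D FORWARD -s "$RIP"/32 -j RIP_EGRESS 2>/dev/null
    $IPT -t filter -D FORWARD -d "$RIP"/32 -j RIP_EGRESS 2>/dev/null
    $IPT -t filter -A FORWARD -s "$RIP"/32 -j RIP_EGRESS
    $IPT -t filter -A FORWARD -d "$RIP"/32 -j RIP_EGRESS
}

# print (or apply, with IPT=iptables) the rules when invoked directly
if [ -n "${RUN_RULES:-}" ]; then
    rip_egress_rules
fi
```

Testing with `RIP=... IPT="echo iptables" RUN_RULES=1 sh script.sh` shows the exact rule set; the same `--dport 80` matches can be swapped for `telnet` to reproduce the easy-to-test case from the thread.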