Re: problem marking 3_tier client packets with iptables

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: problem marking 3_tier client packets with iptables
Cc: Julian Anastasov <ja@xxxxxx>, Roberto Nibali <ratz@xxxxxx>, Horms <horms@xxxxxxxxxxxx>
From: Roberto Nibali <ratz@xxxxxxxxxxxx>
Date: Tue, 21 May 2002 23:23:40 +0200
Hello Joe,

As you already seem to have the right answer, I was actually more wondering about the usage of such a setup.

Joseph Mack wrote:
Sometimes LVS-DR realservers have clients which need
to connect to hosts on the internet, eg a squid realserver
needs to connect from RIP (not VIP) to 0/0:80.

Correct me if I'm wrong, but do you mean a request through the director onto the RS initiates a connection from the RS back to the Internet to a squid server, which then replies to the RS, which in turn replies with the final response packet to the DGW?

To help you further with my strange logic: I'm horribly confused by the following wording: "... realservers have clients which need to connect to hosts on the internet ...". Could you please explain this to me so I don't come up with a statement like the one above ;).

If my statement above is correct, why would you ever want to set up such a strange thing?

In my configure script, currently
I block all connections from RIP to 0/0.
I now want to let out all packets to 0/0:80, say, but to DROP or REJECT other packets from RIP to 0/0:!80.

Why don't you set the policy for the chains to DROP and simply accept the packets you need?

o mark packets from RIP to multiple services on the internet
o DROP or REJECT the rest of the packets to 0/0

What I tried to do was to set up another chain (3_tier) and send all
allowed packets to it, to DROP the rest and mark all packets that
get to the 3_tier chain.

Why do you need an extra chain? Isn't it enough to simply mark the packets or do you have multiple different destinations?

#here packets to 0/0:23 and 0/0:80 are sent to a new chain
iptables -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport telnet -j 3_tier
iptables -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport http -j 3_tier

What about packets that come back? I'm really confused. Don't you need a --state RELATED,ESTABLISHED rule, or at least an INPUT chain rule? Or is your packet filter (the RS in this case) completely open?

Cheers,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
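The rule set Roberto outlines above (default DROP policy, accept only the outbound services the realserver needs, mark those packets per rule instead of sending them through an extra chain, and let the replies back in with the conntrack state match), written out as an added example; this is not code from the thread or from the LVS project. RIP, VIP, the fwmark value and the port lists are assumed sample values. The script only prints the rules unless APPLY=1 is set, so it can be reviewed on a host without root or iptables.

```shell
#!/bin/sh
# Added example (not from the original thread): filter rules for an LVS-DR
# realserver that may open its own connections to the Internet from RIP.
# Everything not explicitly accepted is dropped by policy, outbound packets
# to the allowed services are marked in the mangle table, and replies are
# let back in by the state match Roberto asks about.

RIP="${RIP:-192.168.1.10}"          # realserver IP (constructed sample value)
VIP="${VIP:-192.168.1.100}"         # LVS virtual IP the RS answers for (assumption)
SERVICE_PORTS="${SERVICE_PORTS:-80}"  # ports the director forwards to VIP (assumption)
OUT_PORTS="${OUT_PORTS:-23 80}"     # services the RS may reach on 0/0 (telnet, http as in the thread)
MARK="${MARK:-3}"                   # fwmark for the 3-tier traffic (assumption)

# ipt prints the rule when DRY_RUN is set, otherwise runs iptables.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# rs_egress_rules emits (or applies) the complete rule set.
rs_egress_rules() {
    # Default policies: nothing in or out unless explicitly accepted.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -t mangle -F OUTPUT

    # Loopback is needed by local daemons.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Replies to accepted connections (and related packets such as ICMP errors)
    # pass in both directions; without this the outbound connections never complete,
    # and the RS's own replies from VIP to LVS clients would be dropped too.
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Client requests arriving via the director for the LVS service on VIP.
    for port in $SERVICE_PORTS; do
        ipt -A INPUT -p tcp -d "${VIP}/32" --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Only the outbound services the RS really needs, from RIP (not VIP).
    # The MARK target is applied per rule, so no separate 3_tier chain is required.
    for port in $OUT_PORTS; do
        ipt -A OUTPUT -p tcp -s "${RIP}/32" -d 0/0 --dport "$port" -m state --state NEW -j ACCEPT
        ipt -t mangle -A OUTPUT -p tcp -s "${RIP}/32" -d 0/0 --dport "$port" -j MARK --set-mark "$MARK"
    done

    # Everything else from RIP to 0/0 falls through to the DROP policy;
    # log a rate-limited sample so unexpected egress attempts are visible.
    ipt -A OUTPUT -s "${RIP}/32" -d 0/0 -m limit --limit 5/min -j LOG --log-prefix "RS egress drop: "
}

# count_rules returns the number of rule lines a dry run produces.
count_rules() {
    ( DRY_RUN=1; rs_egress_rules ) | wc -l | tr -d ' '
}

# has_rule succeeds when the dry-run rule set contains the given fragment.
has_rule() {
    ( DRY_RUN=1; rs_egress_rules ) | grep -q -- "$1"
}

# Apply for real only when explicitly asked: APPLY=1 sh rs-egress.sh
# Review first with: DRY_RUN=1 sh -c '. ./rs-egress.sh; rs_egress_rules'
if [ -n "$APPLY" ] && [ -z "$DRY_RUN" ]; then
    rs_egress_rules
fi
```

With the defaults a dry run prints 15 rules. The INPUT state rule is what lets the squid replies back into the RS; the OUTPUT state rule is what lets the RS's own LVS-DR replies (sourced from VIP) out, since conntrack saw the client's SYN arrive on INPUT.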