Hello Joe,
As you already seem to have the right answer, I was actually more wondering
about the usage of such a setup.
Joseph Mack wrote:
Sometimes LVS-DR realservers have clients which need
to connect to hosts on the internet, eg a squid realserver
needs to connect from RIP (not VIP) to 0/0:80.
Correct me if I'm wrong, but do you mean a request through the director
onto the RS initiates a connection from the RS back to the Internet to a
squid server, which then replies to the RS, which in turn replies with the
final response packet to the DGW?
To help you further with my strange logic: I'm horribly confused by the
following wording "... realservers have clients which need to connect to
hosts on the internet ...". Could you please explain this to me so I
don't come up with a statement like the above ;).
If my statement above is ok, why would you ever want to set up such a
strange thing?
In my configure script, currently
I block all connections from RIP to 0/0.
I now want to let out all packets to 0/0:80
say but to DROP or REJECT other packets from RIP to 0/0:!80.
Why don't you set the policy for the chains to DROP and simply accept
the packets you need?
o mark packets from RIP to multiple services on the internet
o DROP or REJECT the rest of the packets to 0/0
What I tried to do was to set up another chain (3_tier) and send all
allowed packets to it, to DROP the rest and mark all packets that
get to the 3_tier chain.
Why do you need an extra chain? Isn't it enough to simply mark the
packets or do you have multiple different destinations?
#here packets to 0/0:23 and 0/0:80 are sent to a new chain
iptables -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport telnet -j 3_tier
iptables -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport http -j 3_tier
What about packets that come back? I'm really confused. Don't you need a
--state RELATED,ESTABLISHED rule or at least an INPUT chain rule? Or is your
packet filter (the RS in this case) completely open?
Cheers,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
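As an added example (not code from either mail), here is one way to write the realserver's outbound ruleset the way ratz suggests above: a default-DROP OUTPUT policy with explicit ACCEPTs instead of block rules, the 3_tier chain doing the marking, and conntrack state rules so the answers to the RS's own connections get back in. It assumes the RIP and the fwmark value are passed as arguments and that DRY_RUN=1 prints the rules instead of applying them (applying them needs root).

```shell
#!/bin/sh
# Added example for an LVS-DR realserver (RS): what the RS itself may
# originate from RIP towards 0/0, and how the replies get back in.
# Assumptions: RIP and fwmark are arguments; DRY_RUN=1 only prints rules.

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"          # dry run: show the rule
    else
        iptables "$@"               # real run: apply the rule
    fi
}

rs_output_rules() {
    rip="$1"       # realserver address (RIP), not the VIP
    mark="$2"      # fwmark that identifies 3-tier traffic, e.g. 3

    # mangle table: the 3_tier chain marks what the RS is allowed to send.
    ipt -t mangle -N 3_tier
    ipt -t mangle -A 3_tier -j MARK --set-mark "$mark"
    # packets from RIP to 0/0:80 and 0/0:23 are sent to the 3_tier chain
    for port in 80 23; do
        ipt -t mangle -A OUTPUT -p tcp -s "$rip"/32 -d 0/0 --dport "$port" -j 3_tier
    done

    # filter table: DROP by policy, ACCEPT only what 3_tier marked or what
    # belongs to a connection that was already accepted (mangle OUTPUT runs
    # before filter OUTPUT, so the mark is visible here).
    ipt -P OUTPUT DROP
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m mark --mark "$mark" -j ACCEPT
    # the answers from the internet hosts must be let back into the RS
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dry-run check: how many rules jump to 3_tier (one per allowed port).
count_3tier_jumps() {
    (DRY_RUN=1; rs_output_rules "$1" "$2") | grep -c -- '-j 3_tier$'
}
```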