LVS
lvs-users
Google
 
Web LinuxVirtualServer.org

Re: problem marking 3_tier client packets with iptables

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx, pmueller@xxxxxxxxxxxx, Roberto Nibali <ratz@xxxxxx>, Julian Anastasov <ja@xxxxxx>
Subject: Re: problem marking 3_tier client packets with iptables
From: Joseph Mack <mack.joseph@xxxxxxx>
Date: Wed, 22 May 2002 06:45:35 -0400
Julian ecrit:

> Don't forget the ICMP traffic related to the allowed TCP connections, 
> you have to pass it too (in FORWARD).

oooh, OK. Thanks

Roberto Nibali wrote:

> Correct me if I'm wrong but do you mean a request through the director
> onto the RS initiates a connection from the RS back to the Internet to a
> squid server who then replies to the RS which in turn replies with the
> final response packet to the DGW?

client makes http request to the director, which passes it to the realserver
which is actually a squid. The squid will make connections from RIP to httpds 
out
on the internet.
 
> If my statement above is ok, why would you ever want to set up such a
> strange thing?

that's the way squids work?
As well other clients (eg DNS) on the realservers may need connection
to the internet. I want to have a line in the configure file
which lists the IP:port pairs (eg 0/0:80, x.x.x.x:53)
that clients on the realservers are allowed to connect to.


> Why don't you set the policy for the chains to DROP and simply accept
> the packets you need?

functionally that's what I want to do. Maybe I'm not doing it the 
usual way. What I'm now doing is

-A OUTPUT -t mangle mark packet to some IP:port
-A OUTPUT -t mangle mark packet to another IP:port
-A OUTPUT if packet is marked -j RETURN
-A OUTPUT -j DROP
 
> Why do you need an extra chain? Isn't it enough to simply mark the
> packets or do you have multiple different destinations?

I figured a way not to have an extra chain, but for my first attempt,
I thought I'd send all the packets I wanted to mark to another chain
and mark everything that arrived in the other chain. This way I could 
put the rules into the OUTPUT chain without other changes to the OUTPUT 
chain and I could have the -j DROP in the other chain. 
 
> > #here packets to 0/0:23 and 0/0:80 are sent to a new chain
> > iptables -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport telnet -j 3_tier
> > iptables -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport http -j 3_tier
> 
> What about packets that come back? I'm really confused. Don't you need a
> --state RELATED,ESTABLISHED or at least an INPUT chain rule? Or is your
> packetfilter (RS in this case) completely open?

For testing, INPUT is open. I don't know how to do RELATED, ESTABLISHED.
If I can't figure it out from the docs, I'll be posting again ;-)


Joe

-- 
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center, 
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA


<Prev in Thread] Current Thread [Next in Thread>