Re: iptables and lvs_nat

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: iptables and lvs_nat
From: "Alex Kramarov" <alex@xxxxxxxxxxxxxxx>
Date: Wed, 2 Oct 2002 14:21:57 +0200
You also have to allow the responding traffic out - I have this setup and
solved the problem by logging the rejected packets. So should you.

The corresponding rule goes like this in my iptables (assuming the NATed IPs
are in 10.10.0.0/255.255.255.240, the internal card is eth1, and the
service is http):

iptables -A FORWARD -s 10.10.0.0/255.255.255.240 -i eth1 -p tcp --sport http -j ACCEPT

As far as I can see, IPVS forwards the initial packets to the real servers
without iptables seeing them, so if you do

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED -j ACCEPT

it doesn't work.

I would like to hear some input on this. I have this solved, but an
explanation from the developers would be nice.
 
-------Original Message-------
 
From: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Date: Wednesday, 02 October 2002 13:01:51
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: iptables and lvs_nat
 
Tim Cronin wrote:
> I've got lvs_nat working with http and ftp
> I've got a two nic box on two networks
> eth0 is my external interface
 
So you load balance incoming requests (over eth0) and distribute the 
incoming traffic after the NAT over eth1 to the RS?
 
> I have the following in my iptables script
> 
> modprobe ip_conntrack 
> modprobe ip_conntrack_ftp 
> 
> iptables -A INPUT -i eth0 -p tcp ! --syn \
> -m state --state NEW -j LOG --log-prefix "IPTABLES SYN: "
 
Add a --log-tcpflags to see more.
 
> iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j REJECT 
> with these enabled both http and ftp are unavailable.
> from the external network and I get log entries.
 
What do they look like, the log entries I mean?
 
IIRC, by the semantics of iptables, with your rules you REJECT packets with 
the state NEW (every incoming packet). Of course this can't work. 
Besides that, this is a netfilter issue and not an LVS one. Check the 
outgoing ICMP messages from your load balancer with 'tcpdump -nvi eth0 
icmp'. If you see one ICMP packet for every request from the Internet to 
your box, you know why ;).
 
Best regards,
Roberto Nibali, ratz
-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
 
 
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users
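A small model of the rule evaluation Alex describes, added here as an illustration and not taken from the list or from the LVS code: it assumes, as the post reports, that the IPVS-forwarded request creates no conntrack entry on the director, and then checks which of the two FORWARD rulesets the real server's reply can match. The addresses, the client port and the Packet/Conntrack helpers are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed packet model: only the fields the thread's rules look at (all TCP);
# iface is the interface the packet arrived on (iptables -i).
Packet = namedtuple("Packet", "src dst sport dport iface")

@dataclass
class Conntrack:
    """Minimal conntrack table keyed on the 4-tuple: either direction of a known flow
    is ESTABLISHED, anything else is NEW."""
    flows: set = field(default_factory=set)

    def state(self, p: Packet) -> str:
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def see(self, p: Packet) -> None:
        """Record a flow; called only for packets that actually traverse netfilter."""
        if self.state(p) == "NEW":
            self.flows.add((p.src, p.sport, p.dst, p.dport))

def matches(rule: dict, p: Packet, ct: Conntrack) -> bool:
    """A rule is a dict of match keys; a missing key means 'any', like an omitted option."""
    return (("in" not in rule or rule["in"] == p.iface)
            and ("src" not in rule or ip_address(p.src) in ip_network(rule["src"]))
            and ("sport" not in rule or rule["sport"] == p.sport)
            and ("state" not in rule or ct.state(p) in rule["state"]))

def verdict(chain: list, p: Packet, ct: Conntrack, policy: str = "DROP") -> str:
    """First matching rule wins, as in a netfilter chain; otherwise the chain policy."""
    return next((r["target"] for r in chain if matches(r, p, ct)), policy)

# The two FORWARD rulesets from the post: state-based versus the explicit return rule.
STATE_RULES = [{"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"}]
EXPLICIT_RULES = [{"src": "10.10.0.0/28", "in": "eth1", "sport": 80, "target": "ACCEPT"}]

def reply_verdicts(request_seen_by_conntrack: bool) -> tuple:
    """Verdicts for the real server's reply under both rulesets. The post reports that
    the IPVS-forwarded request is not seen by conntrack on the director (False);
    True shows the ordinary routed case for comparison."""
    ct = Conntrack()
    # Constructed addresses: client 203.0.113.10, real server 10.10.0.5 behind eth1.
    request = Packet("203.0.113.10", "10.10.0.5", 40000, 80, "eth0")
    reply = Packet("10.10.0.5", "203.0.113.10", 80, 40000, "eth1")
    if request_seen_by_conntrack:
        ct.see(request)
    return verdict(STATE_RULES, reply, ct), verdict(EXPLICIT_RULES, reply, ct)
```

reply_verdicts(False) gives ('DROP', 'ACCEPT'): only the explicit --sport rule lets the reply through when conntrack never saw the request. Newer kernels can make conntrack follow IPVS connections (the net.ipv4.vs.conntrack sysctl), which is the request_seen_by_conntrack=True case where the state rules match as well.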