I'm new to all this, so bear with me. Also, I'm using RH 7.3 w/ kernel 2.4.19.
With the rule in place I get the following log:
Oct 1 11:12:24 loadbalancer kernel: IPTABLES SYN: IN=eth0 OUT= MAC=00:80:ad:98:14:94:00:b0:d0:2c:96:16:08:00 SRC=172.24.1.24 DST=172.24.1.251 LEN=411 TOS=0x00 PREC=0x00 TTL=128 ID=61175 DF PROTO=TCP SPT=1262 DPT=80 WINDOW=64240 RES=0x00 ACK PSH URGP=0
To me, but just making a guess, it looks like connection
state is not being kept. Does iptables track connections
that are being handled by LVS?
>Only 'NEW' packets _without_ SYN bit ('! --syn') are rejected, and that's
>quite a good practice if your machine doesn't get asymmetrically routed
>packets.
How do I know if my machine gets asymmetrically routed packets?
>Something like '--tcp-flags SYN,FIN SYN,FIN -j DROP' (or reject) should
>work.
I'll try this.
Yes, I'll also post on iptables :^D.
-----Original Message-----
From: Martijn Klingens [mailto:mklingens@xxxxxx]
Sent: Wednesday, October 02, 2002 6:33 AM
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: iptables and lvs_nat
On Wednesday 02 October 2002 13:00, Roberto Nibali wrote:
> > iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j REJECT
> > With these enabled both http and ftp are unavailable
> > from the external network and I get log entries.
>
> What do the log entries look like?
>
> IIRC the semantics of iptables with your rules is that you REJECT packets
> with the state NEW (every incoming packet).
Not quite :-)
Only 'NEW' packets _without_ SYN bit ('! --syn') are rejected, and that's
quite a good practice if your machine doesn't get asymmetrically routed
packets.
On the netfilter mailing list a related issue was raised yesterday btw about
the combination SYN+FIN, which is considered 'legal' for the --syn option,
but only serves a goal as a port scanning tool and should also be dropped.
Something like '--tcp-flags SYN,FIN SYN,FIN -j DROP' (or reject) should
work.
--
Martijn
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users
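The logged entry in this thread is an ACK/PSH packet that conntrack treated as NEW, which is exactly what '! --syn -m state --state NEW' rejects. As an added illustration (not code from the thread or from LVS), here is a small Python parser for the iptables LOG format that classifies entries by the two rules discussed above; the first sample line is the one from the thread, the second and third are constructed for contrast.

```python
import re

# Constructed sample log lines in the iptables LOG target format. The first is
# the entry from the thread; the other two are made up for contrast.
SAMPLE_LOGS = [
    "Oct 1 11:12:24 loadbalancer kernel: IPTABLES SYN: IN=eth0 OUT= "
    "MAC=00:80:ad:98:14:94:00:b0:d0:2c:96:16:08:00 SRC=172.24.1.24 DST=172.24.1.251 "
    "LEN=411 TOS=0x00 PREC=0x00 TTL=128 ID=61175 DF PROTO=TCP SPT=1262 DPT=80 "
    "WINDOW=64240 RES=0x00 ACK PSH URGP=0",
    "Oct 1 11:13:01 loadbalancer kernel: IPTABLES SYN: IN=eth0 OUT= SRC=172.24.1.30 "
    "DST=172.24.1.251 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 "
    "DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Oct 1 11:13:05 loadbalancer kernel: IPTABLES SYN: IN=eth0 OUT= SRC=10.9.8.7 "
    "DST=172.24.1.251 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=1234 "
    "DPT=80 WINDOW=1024 RES=0x00 SYN FIN URGP=0",
]

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG entry plus the set of TCP flags."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    # TCP flag names appear as bare words after RES=...; keep only known ones.
    tail = line.split("RES=", 1)[1] if "RES=" in line else ""
    fields["FLAGS"] = {tok for tok in tail.split() if tok in TCP_FLAGS}
    return fields


def classify(fields):
    """Apply the two rules from the thread to a parsed entry.

    '! --syn -m state --state NEW -j REJECT' fires on packets conntrack sees as
    NEW that are not a connection-opening SYN; a logged ACK/PSH packet therefore
    means conntrack had no entry for that flow (asymmetric routing, or a flow
    the box never saw the handshake for). '--tcp-flags SYN,FIN SYN,FIN' catches
    the SYN+FIN combination that --syn alone accepts.
    """
    flags = fields.get("FLAGS", set())
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    if {"SYN", "FIN"} <= flags:
        return "syn-fin-scan"
    # --syn means SYN set with ACK and RST clear (FIN is not checked).
    if "SYN" in flags and not ({"ACK", "RST"} & flags):
        return "valid-new-syn"
    return "new-without-syn"


def triage(lines):
    """Classify each entry; returns a list of (SRC, DPT, sorted flags, verdict)."""
    out = []
    for line in lines:
        f = parse_log_line(line)
        out.append((f.get("SRC"), f.get("DPT"), sorted(f["FLAGS"]), classify(f)))
    return out
```

Running triage(SAMPLE_LOGS) labels the thread's entry "new-without-syn", which is the signature of mid-stream traffic reaching the INPUT chain without a conntrack entry.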