On Wednesday 02 October 2002 16:31, Tim Cronin wrote:
> to me, but just making a guess, it looks like connection
> state is not being kept. does Iptables track connections
> that are being handled by lvs?
Sure... But you forgot to enable them. I was only replying to ratz' mail, but
I looked up your original question and you are missing something along the
lines of
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Without that you are accepting the initial SYN packet and dropping everything
else after that. I rather doubt that's what you want :-)
> how do I know if my machine gets asymmetrically routed packets?
I don't think this is the case for you, but if you're interested my attempt at
the technical explanation follows:
Basically, if *some* packets pass through your machine, but not all of them,
you can expect problems with stateful firewalling if you're not careful.
We have that with the traffic to our internal gateway. Some machines have the
default gateway set to the main firewall, and some to the internal firewall.
The stateful firewall rules are hardly able to detect proper states for these
internal packets, since a lot of the packets do not pass the firewall.
To make this work we have non-stateful rules for our internal networks, and
have the internal gateway do the actual state matching.
--
Martijn
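A toy model of the two points made in the reply above, added here as an illustration; it is not code from the thread, from LVS or from iptables. A tiny connection tracker stands in for conntrack (assumption: a flow is NEW until a packet in the reply direction is seen, then ESTABLISHED; a non-SYN packet with no flow is INVALID), a FORWARD chain is a list of rules with policy DROP, and the addresses, ports and rules are constructed samples. It shows a chain that only accepts `--syn` dropping everything after the first SYN, the same chain fixed by a RELATED,ESTABLISHED rule, and that fixed chain failing again when the firewall sees only one direction of the connection, which a non-stateful rule for that network sidesteps.

```python
"""Toy model: stateful FORWARD filtering and why it needs a
RELATED,ESTABLISHED rule, plus what happens under asymmetric routing.
Added illustration, not code from the thread. The tracker is a deliberately
simplified stand-in for Linux conntrack (see assumptions in Tracker.state).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" SYN, "A" ACK, "P" PSH


@dataclass(frozen=True)
class Rule:
    """One iptables-like rule; None for a field means 'not matched on'."""
    action: str                              # "ACCEPT" or "DROP"
    states: Optional[FrozenSet[str]] = None  # -m state --state ...
    dport: Optional[int] = None              # --dport
    syn_only: bool = False                   # --syn (SYN set, ACK clear)
    src_prefix: Optional[str] = None         # crude -s match on an address prefix


class Tracker:
    """Minimal connection tracker keyed on the 4-tuple of the original direction."""

    def __init__(self) -> None:
        self.flows: Dict[tuple, bool] = {}  # key -> has a reply packet been seen?

    def state(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        rkey = (p.dst, p.dport, p.src, p.sport)
        if key in self.flows:
            return "ESTABLISHED" if self.flows[key] else "NEW"
        if rkey in self.flows:
            self.flows[rkey] = True       # first reply: both directions now seen
            return "ESTABLISHED"
        if "S" in p.flags and "A" not in p.flags:
            self.flows[key] = False       # a bare SYN opens a new flow
            return "NEW"
        return "INVALID"                  # mid-stream packet with no known flow


def matches(rule: Rule, p: Packet, state: str) -> bool:
    if rule.states is not None and state not in rule.states:
        return False
    if rule.dport is not None and p.dport != rule.dport:
        return False
    if rule.syn_only and not ("S" in p.flags and "A" not in p.flags):
        return False
    if rule.src_prefix is not None and not p.src.startswith(rule.src_prefix):
        return False
    return True


def run(chain: List[Rule], packets: List[Packet], policy: str = "DROP") -> List[str]:
    """Walk each packet through the chain (first match wins); return the verdicts."""
    tracker = Tracker()
    verdicts = []
    for p in packets:
        st = tracker.state(p)
        verdicts.append(next((r.action for r in chain if matches(r, p, st)), policy))
    return verdicts


CLIENT, VIP = "192.0.2.10", "198.51.100.5"   # constructed sample addresses
FULL_HANDSHAKE = [
    Packet(CLIENT, 40000, VIP, 80, "S"),    # client SYN
    Packet(VIP, 80, CLIENT, 40000, "SA"),   # server SYN/ACK
    Packet(CLIENT, 40000, VIP, 80, "A"),    # client ACK
    Packet(CLIENT, 40000, VIP, 80, "PA"),   # client data
    Packet(VIP, 80, CLIENT, 40000, "A"),    # server ACK
]
# What the firewall sees when the replies take another path (asymmetric routing).
ONLY_FORWARD_DIRECTION = [p for p in FULL_HANDSHAKE if p.src == CLIENT]

# Roughly: iptables -A FORWARD -p tcp --dport 80 --syn -j ACCEPT   (policy DROP)
SYN_ONLY_CHAIN = [Rule("ACCEPT", dport=80, syn_only=True)]
# Roughly: iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#          iptables -A FORWARD -p tcp --dport 80 --syn -j ACCEPT
STATEFUL_CHAIN = [Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"}))] + SYN_ONLY_CHAIN
# The workaround from the thread: a non-stateful accept for the internal network.
STATELESS_INTERNAL_CHAIN = [Rule("ACCEPT", src_prefix="192.0.2.")] + STATEFUL_CHAIN


if __name__ == "__main__":
    print("syn-only, full path  :", run(SYN_ONLY_CHAIN, FULL_HANDSHAKE))
    print("stateful, full path  :", run(STATEFUL_CHAIN, FULL_HANDSHAKE))
    print("stateful, asymmetric :", run(STATEFUL_CHAIN, ONLY_FORWARD_DIRECTION))
    print("stateless, asymmetric:", run(STATELESS_INTERNAL_CHAIN, ONLY_FORWARD_DIRECTION))
```

The first run accepts only the SYN and drops the four packets that follow it; adding the RELATED,ESTABLISHED rule accepts the whole exchange. With the reply direction bypassing the firewall, the tracker never sees a reply, so the client's later packets stay NEW and the `--syn` rule drops them; only the stateless rule for that network lets them through, which is the trade-off the reply describes for internal traffic.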