Re: Using both IP-VS and IPTables.

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx, R.vanOosten@xxxxxxxxxxx
Subject: Re: Using both IP-VS and IPTables.
From: Joseph Mack <mack.joseph@xxxxxxx>
Date: Mon, 21 Oct 2002 07:26:15 -0400
Rutger van Oosten wrote:
> 

> - Does an incoming packet get processed by the ip-vs system first or by the
> iptable rules? 

iptables first.

> If I drop packets to all ports in the iptables setup - do I
> need to explicitly open the ports used for the lvs? 

yes (presumably obvious from the first answer)

Rutger van Oosten wrote:
> 
> Dear lvs gurus,
> 
> I have a working linux virtual server (redhat 7.3, patched kernel 2.4.18
> from kernel.org, ipvs 1.0.6 compiled as modules) that does load balancing
> (LVS_NAT) to two web and ftp servers. I'm currently looking at closing up
> some open ports on the lvs machine and would like to use an iptables based
> firewall for that.  I have a couple of questions that other people might
> have wrestled with and maybe have resolved:
> 
> - Does an incoming packet get processed by the ip-vs system first or by the
> iptable rules? If I drop packets to all ports in the iptables setup - do I
> need to explicitly open the ports used for the lvs? Will I break anything by
> adding iptable rules?
> 
> - Has anyone else used a iptables configuration script/gui to add
> firewalling to their director successfully? All I really need is to close
> all ports except for the load balanced ones, and to do some static forwards
> (not via the lvs system).
> 
> Thanks,
> Rutger
> 


> Will I break anything by
> adding iptable rules?

no. not only that, it's a good idea to close everything off, that's
not needed for the LVS.

> - Has anyone else used a iptables configuration script/gui to add
> firewalling to their director successfully? All I really need is to close
> all ports except for the load balanced ones, and to do some static forwards
> (not via the lvs system).

no. let us know if any work.

Joe

-- 
Joseph Mack PhD, Senior Systems Engineer, SAIC contractor 
to the National Environmental Supercomputer Center, 
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
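
Added example (not part of the original thread and not LVS project code): because iptables sees incoming packets before ip_vs, a default-drop INPUT policy on the director has to open each load-balanced port explicitly. The function name `gen_director_rules`, the VIP, the admin network and the port list are constructed placeholders, and the FORWARD and OUTPUT chains are left at ACCEPT as an assumption, since this sketch only covers INPUT.

```shell
#!/bin/sh
# gen_director_rules VIP "TCP_PORTS" [ADMIN_NET]
# Prints an iptables-restore ruleset for the filter table:
#   - INPUT defaults to DROP
#   - only the listed TCP ports on the VIP are opened for the LVS
#   - SSH is allowed from ADMIN_NET, if one is given
gen_director_rules() {
    vip=$1; ports=$2; admin_net=$3

    # An empty port list with a DROP policy would black-hole every
    # virtual service, so refuse it.
    if [ -z "$vip" ] || [ -z "$ports" ]; then
        echo "usage: gen_director_rules VIP \"PORTS\" [ADMIN_NET]" >&2
        return 1
    fi

    # Validate all ports before printing anything, so a half-built
    # ruleset is never piped into iptables-restore.
    for p in $ports; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
    done

    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD ACCEPT [0:0]"    # assumption: forwarding not filtered here
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    # Replies to connections the director itself opened.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Load-balanced services: matched on address and port only, so the
    # rule does not depend on connection-tracking state.
    for p in $ports; do
        echo "-A INPUT -d $vip -p tcp --dport $p -j ACCEPT"
    done
    if [ -n "$admin_net" ]; then
        echo "-A INPUT -s $admin_net -p tcp --dport 22 -j ACCEPT"
    fi
    echo "COMMIT"
}

# Constructed sample values (documentation address ranges).
gen_director_rules 192.0.2.10 "80 21" 198.51.100.0/24
```

The output can be reviewed and then loaded with `iptables-restore`; only the ports passed in are opened, so any additional ports a service needs must be listed as well.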

