RE: masq problem

To: "'lvs-users@xxxxxxxxxxxxxxxxxxxxxx'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: masq problem
From: Tim Cronin <tim@xxxxxxxxxxxxxxx>
Date: Fri, 14 Feb 2003 08:10:19 -0600
Do you mean running LVS and iptables on the same box?

If so, the attached script is what I use. My LVS setup is very simple;
it's been running reliably in production for 6 months.

IP Virtual Server version 1.0.6 (size=1048576)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  xx.xx.xx.xx:http wlc persistent 1200
  -> 192.168.1.25:http            Masq    1      0          2
TCP  xx.xx.xx.xx:http wlc persistent 1200
  -> 192.168.1.20:http            Masq    2      16         11
  -> 192.168.1.10:http            Masq    3      17         23

I use the attached script to set up iptables. Note that the default config
generates copious logs. Also, the IP addresses have been changed to protect
the innocent server :^D...

I had problems with the SYN flag, hence the section ignoring stuff going
to the VIPs.

The link at the top of the script,
http://www.sns.ias.edu/~jns/security/iptables/index.html
is a good starting point.

I hope this helps.

-----Original Message-----
From: Andy Elacion, Jr. [mailto:atelacion@xxxxxxxxxxxxx]
Sent: Friday, February 14, 2003 7:50 AM
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: masq problem



Joseph Mack wrote:

> "Andy Elacion, Jr." wrote:
>
> > Now my question is this.  How am I going to secure my lvs?
>
> a big topic. There's no easy solution, but it's the same way
> as with any other machine - allow all expected packets, deny
> all others. You could start with iptables.
>
> a simple script to start you off is gshield
>
> http://muse.linuxmafia.org/gshield.html

Thanks, but is there someone out there who implements LVS with either
iptables or ipchains as their firewall?

I'd like to secure my server with my own script.


> Joe
>
> --
> Joseph Mack PhD, Senior Systems Engineer, SAIC contractor
> to the National Environmental Supercomputer Center,
> ph# 919-541-0007, RTP, NC, USA. mailto:mack.joseph@xxxxxxx
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users



Attachment: rc.firewall
Description: Binary data
