Re: masq problem

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: masq problem
From: "Matt Walkowiak" <matt@xxxxxxxxxxx>
Date: Fri, 14 Feb 2003 10:36:59 -0600

The only thing I am worried about with a full-scale LVS-NAT solution with
IPTables (or any other firewall solution for that matter), you need to have
port 80 (or whatever port you want to load balance) go straight through your
INPUT chain, then LVS picks the packet up and does the forwarding.  That
means people on the Internet are talking directly to my "firewall" on port
80.  If for some reason LVS doesn't grab the packet, there is really nothing
to stop a specially designed packet from taking over my firewall, if the
hole exists.
Boy, can ya tell I come from the land of Microsoft?  :)
Anyway, I just don't like people being able to talk to my firewall
unchecked on ANY port, 'cept maybe ping, and even that scares me a little.
Do you guys think I have anything to worry about?  Is LVS robust enough not
to be tricked by an evil deformed packet that could get past LVS and talk
directly to my firewall, rather than being forwarded?

Matt
----- Original Message -----
From: "Tim Cronin" <tim@xxxxxxxxxxxxxxx>
To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, February 14, 2003 8:10 AM
Subject: RE: masq problem
> Do you mean running lvs and iptables on the same box?
>
> If so, the attached script is what I use; my LVS setup is very simple and
> it's been running reliably in production for 6 months.
>
> IP Virtual Server version 1.0.6 (size=1048576)
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> TCP  xx.xx.xx.xx:http wlc persistent 1200
>   -> 192.168.1.25:http            Masq    1      0          2
> TCP  xx.xx.xx.xx:http wlc persistent 1200
>   -> 192.168.1.20:http            Masq    2      16         11
>   -> 192.168.1.10:http            Masq    3      17         23
>
> I use the attached script to set up iptables. Note that the default config
> generates copious logs. Also, the IP addresses have been changed to protect
> the innocent server :^D...
>
> I had problems with the SYN flag, hence the section ignoring stuff going
> to the VIPs.
>
> The link at the top of the script,
> http://www.sns.ias.edu/~jns/security/iptables/index.html,
> is a good starting point.
>
> I hope this helps.
>
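An added illustration, not Tim's attached script (which is not on this page) and not part of the original thread: a director ruleset in the shape the two messages describe, with the balanced port reaching INPUT only when addressed to the VIP, everything else aimed at the director logged and dropped, and the "new but not SYN" check exempted for the VIP. It assumes a placeholder VIP 203.0.113.10, port 80, real servers on 192.168.1.0/24 and the iptables `state` match; `show` (the default) prints the rules for review, `apply` loads them.

```shell
#!/bin/sh
# Added example (not the list member's script). All addresses are placeholders.
VIP="${VIP:-203.0.113.10}"          # public virtual IP (assumed placeholder)
VPORT="${VPORT:-80}"                # the balanced port
RS_NET="${RS_NET:-192.168.1.0/24}"  # real-server network behind the director
MODE="${1:-show}"                   # "show" prints the rules, "apply" loads them

# Every rule goes through ipt so the set can be reviewed before it is loaded.
ipt() {
    if [ "$MODE" = apply ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

director_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -F INPUT
    ipt -F FORWARD

    # Loopback and replies to connections the director itself opened.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only the balanced port, and only when addressed to the VIP, goes
    # through INPUT for LVS to pick up. It is placed before the "new but not
    # SYN" check so persistent LVS connections are not hit by it.
    ipt -A INPUT -p tcp -d "$VIP" --dport "$VPORT" -j ACCEPT
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW-NOT-SYN: "
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Anything else aimed at the director itself is logged and dropped.
    ipt -A INPUT -j LOG --log-prefix "DIRECTOR-DROP: "
    ipt -A INPUT -j DROP

    # Real-server replies on their way back out through the director.
    ipt -A FORWARD -s "$RS_NET" -p tcp --sport "$VPORT" -j ACCEPT
    ipt -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
    ipt -A FORWARD -j DROP
}

director_rules
```

Run it once without arguments and read the printed rules; the LOG lines reproduce the "copious logs" behaviour mentioned above, so trim them once the set is trusted.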