The only thing our system does is iptables, lvs and ssh; everything else has
been removed. We use this for a public website (~5 mil hits / month) and
we've had only a few small configuration problems.
If you are really concerned you might want to have a box for each and have
the director sit behind your firewall.
-----Original Message-----
From: Matt Walkowiak [mailto:matt@xxxxxxxxxxx]
Sent: Friday, February 14, 2003 10:37 AM
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: masq problem
The only thing I am worried about with a full-scale LVS-NAT solution with
IPTables (or any other firewall solution for that matter) is that you need to have
port 80 (or whatever port you want to load balance) go straight thru your
INPUT chain, then LVS picks the packet up and does the forwarding. That
means people on the Internet are talking directly to my "firewall" on port
80. If for some reason LVS doesn't grab the packet, there
is really nothing to stop a specially designed packet from taking over my
firewall, if the hole exists.
Boy, can ya tell I come from the land of Microsoft? :)
Anyway, I just don't like people being able to talk to my firewall
un-checked on ANY port, cept maybe ping, and even that scares me a little.
Do you guys think I have anything to worry about? Is LVS robust enough not
to be tricked by an evil deformed packet that could get past LVS and talk
directly to my firewall, rather than being forwarded?
Matt
----- Original Message -----
From: "Tim Cronin" <tim@xxxxxxxxxxxxxxx>
To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, February 14, 2003 8:10 AM
Subject: RE: masq problem
> Do you mean running lvs and iptables on the same box?
>
> If so, the attached script is what I use; my lvs setup is very simple:
> it has been running reliably in production for 6 months.
>
> IP Virtual Server version 1.0.6 (size=1048576)
> Prot LocalAddress:Port Scheduler Flags
> -> RemoteAddress:Port Forward Weight ActiveConn InActConn
> TCP xx.xx.xx.xx:http wlc persistent 1200
> -> 192.168.1.25:http Masq 1 0 2
> TCP xx.xx.xx.xx:http wlc persistent 1200
> -> 192.168.1.20:http Masq 2 16 11
> -> 192.168.1.10:http Masq 3 17 23
>
> I use the attached script to set up iptables. Note that the default config
> generates copious logs. Also the IP addresses have been changed to protect
> the innocent server :^D...
>
> I had problems with the syn flag hence the section ignoring stuff going
> to the vips.
>
> The link at the top of the script:
> http://www.sns.ias.edu/~jns/security/iptables/index.html
> is a good starting point.
>
> I hope this helps.
>
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users
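As an added example (not Tim's attached script, and not part of the thread), here is a small generator for an iptables-restore ruleset that addresses Matt's concern: the director's INPUT policy is DROP, the only unsolicited traffic it accepts is TCP to the VIP on the balanced port, ssh is reachable only from an admin network, and FORWARD admits only the real servers' replies. The VIP, real-server and admin-network addresses are constructed placeholders, and the FORWARD and stateless-VIP rules assume the 2.4-era behaviour the thread describes: ip_vs takes the packet in LOCAL_IN before conntrack confirms the connection (the likely cause of Tim's SYN-flag trouble), and real-server replies cross the FORWARD chain before ip_vs rewrites their source.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for an LVS-NAT director.
# Usage: lvs_nat_ruleset VIP PORT ADMIN_NET RIP [RIP...]
# Pipe the output into `iptables-restore` on the director to apply it.
lvs_nat_ruleset() {
  vip=$1; port=$2; admin=$3; shift 3
  echo '*filter'
  # Default-deny on everything that reaches or crosses the director.
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  # The one hole the thread talks about: client traffic to VIP:PORT must
  # traverse INPUT so ip_vs can pick it up. It is matched statelessly
  # (no --syn, no state match): ip_vs steals these packets before conntrack
  # confirms them, so later segments would not show up as ESTABLISHED.
  echo "-A INPUT -p tcp -d $vip --dport $port -j ACCEPT"
  # Everything else the director itself accepts is stateful and narrow.
  echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo "-A INPUT -p tcp -s $admin --dport 22 --syn -j ACCEPT"
  # Rate-limited logging so a flood does not produce the copious logs Tim mentions.
  echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "DIRECTOR-DROP: "'
  # Replies from the real servers back to clients cross FORWARD before
  # ip_vs rewrites their source to the VIP, so allow exactly RIP:PORT out.
  for rip in "$@"; do
    echo "-A FORWARD -s $rip -p tcp --sport $port -j ACCEPT"
  done
  echo '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-DROP: "'
  echo 'COMMIT'
}

# Constructed sample: VIP in TEST-NET-3, two RFC 1918 real servers, admin LAN.
lvs_nat_ruleset 203.0.113.10 80 192.168.1.0/24 192.168.1.10 192.168.1.20
```

Note that only the filter table is generated; ip_forward and the ipvsadm configuration are set up separately, as in the thread.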