> > The only thing I am worried about with a full-scale LVS-NAT solution
> > with IPTables (or any other firewall solution for that matter) is that
> > you need to have port 80 (or whatever port you want to load balance) go
> > straight through your INPUT chain, then LVS picks the packet up and does
> > the forwarding. That means people on the Internet are talking directly
> > to my "firewall" on port 80.
>
> can you put a rule in the INPUT chain?
>
> LVS is just a router with slightly non-standard routing rules.
I've got the INPUT chain severely locked down, but I had to open up port 80
to the world to go right on through. Then I just trust that LVS is going to
pick it up, just like I would need to trust Apache or IIS to pick up the
packet and not let some other part of the OS act on it.
I guess I can't have it both ways; if I want people to talk to me, I have to
let them talk to me :) Either that or pay someone else to do the talking
for me...
OH.... here might be a good way to do it... Can I put a rule in the OUTPUT
chain? This rule would only allow port 80 from the LD to the RealServers -
when the RealServers respond, they would be using the FORWARD chain, right?
That would prevent my Firewall/LD box from responding to anyone talking to
it on port 80 - so even if LVS gets subverted, I'm still protected. Does
that logic hold?
Thanks!
Matt
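As an added illustration (not part of the thread, and not anyone's production ruleset), here is one way the chain layout Matt sketches could be written as iptables rules for a filter-only LVS-NAT director: INPUT open only for the VIP service port that IPVS will pick up, OUTPUT allowing that port only from the director toward the realservers and dropping anything the director itself would answer with, and FORWARD carrying the realservers' replies. The addresses are constructed placeholders, and the script assumes, as the thread does, that the director's NAT'd packets toward the realservers leave via OUTPUT and that the filter FORWARD chain sees each reply with its realserver source before IPVS rewrites it back to the VIP. The script only prints the commands; pipe them into `sh` as root to apply them.

```sh
#!/bin/sh
# Generate a minimal filter ruleset for an LVS-NAT director.
# Example code written for this discussion; all addresses are constructed.
#
# Usage:  ./lvs-fw.sh            -> print the rules
#         ./lvs-fw.sh apply      -> apply them (needs root and iptables)

# lvs_rules VIP PORT RIP [RIP...]: print the iptables commands to stdout.
lvs_rules() {
  vip=$1
  port=$2
  shift 2

  # Default deny on all three chains.
  echo "iptables -P INPUT DROP"
  echo "iptables -P OUTPUT DROP"
  echo "iptables -P FORWARD DROP"

  # Loopback stays usable for local daemons.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A OUTPUT -o lo -j ACCEPT"

  # INPUT: the single hole to the world, the VIP service port. Clients
  # must reach INPUT so that IPVS (hooked after it) can grab the packet.
  echo "iptables -A INPUT -p tcp -d $vip --dport $port -j ACCEPT"

  # OUTPUT: after IPVS rewrites the destination, the packet goes out with
  # a realserver IP as destination, so only those destinations are allowed
  # on the service port. (Assumption: the NAT'd packet traverses OUTPUT.)
  for rip in "$@"; do
    echo "iptables -A OUTPUT -p tcp -d $rip --dport $port -j ACCEPT"
  done
  # Anything the director itself would send as a server on that port
  # (source port == service port) is dropped. Redundant with the DROP
  # policy, but it states the intent explicitly.
  echo "iptables -A OUTPUT -p tcp --sport $port -j DROP"

  # FORWARD: realserver replies (source RIP:port) back toward the clients.
  # Assumption: the filter chain sees the reply before IPVS rewrites the
  # source back to the VIP. The realservers must route through the director.
  for rip in "$@"; do
    echo "iptables -A FORWARD -p tcp -s $rip --sport $port -j ACCEPT"
  done
}

# Constructed placeholders: a public VIP and two private realservers.
VIP="${VIP:-192.0.2.10}"
PORT="${PORT:-80}"
REALSERVERS="${REALSERVERS:-10.0.0.11 10.0.0.12}"

case "${1:-print}" in
  apply) lvs_rules "$VIP" "$PORT" $REALSERVERS | sh ;;
  *)     lvs_rules "$VIP" "$PORT" $REALSERVERS ;;
esac
```

The ordering inside OUTPUT matters: the per-realserver ACCEPT lines come before the `--sport` DROP, so the load-balanced traffic passes while a local listener on the director that tried to answer on the service port would be cut off. Administrative access (ssh, monitoring) is deliberately not included; add it to INPUT/OUTPUT as needed.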