
Re: masq problem

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: masq problem
From: "Andy Elacion, Jr." <atelacion@xxxxxxxxxxxxx>
Date: Sat, 15 Feb 2003 13:12:20 +0800

Thanks for all your info.

I played around with ipchains; the only problem that I had was the
MASQuerading entry.  I removed it and it works great.

I'll try to migrate my ipchains script to iptables for better performance.


Thanks all,
Andy

Tim Cronin wrote:

> Do you mean running lvs and iptables on the same box?
>
> If so, the attached script is what I use. My lvs setup is very simple;
> it has been running reliably in production for 6 months.
>
> IP Virtual Server version 1.0.6 (size=1048576)
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> TCP  xx.xx.xx.xx:http wlc persistent 1200
>   -> 192.168.1.25:http            Masq    1      0          2
> TCP  xx.xx.xx.xx:http wlc persistent 1200
>   -> 192.168.1.20:http            Masq    2      16         11
>   -> 192.168.1.10:http            Masq    3      17         23
>
> I use the attached script to set up iptables. Note that the default config
> generates copious logs. Also the IP addresses have been changed to protect
> the innocent server :^D...
>
> I had problems with the SYN flag, hence the section ignoring stuff going
> to the VIPs.
>
> The link at the top of the script:
> http://www.sns.ias.edu/~jns/security/iptables/index.html
> is a good starting point.
>
> I hope this helps.
>
> -----Original Message-----
> From: Andy Elacion, Jr. [mailto:atelacion@xxxxxxxxxxxxx]
> Sent: Friday, February 14, 2003 7:50 AM
> To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: masq problem
>
> Joseph Mack wrote:
>
> > "Andy Elacion, Jr." wrote:
> >
> > > Now my question is this.  How am I going to secure my lvs?
> >
> > a big topic. There's no easy solution, but it's the same way
> > as with any other machine - allow all expected packets, deny
> > all others. You could start with iptables.
> >
> > a simple script to start you off is gshield
> >
> > http://muse.linuxmafia.org/gshield.html
>
> Thanks, but is there someone out there that implements lvs with either
> iptables or ipchains as their firewall?
>
> I'd like to secure my server with my own script.
>
> > Joe
> >
> > --
> > Joseph Mack PhD, Senior Systems Engineer, SAIC contractor
> > to the National Environmental Supercomputer Center,
> > ph# 919-541-0007, RTP, NC, USA. mailto:mack.joseph@xxxxxxx
> >
> > _______________________________________________
> > LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > or go to http://www.in-addr.de/mailman/listinfo/lvs-users
>
>   ------------------------------------------------------------------------
>                   Name: rc.firewall
>    rc.firewall    Type: unspecified type (application/octet-stream)
>               Encoding: quoted-printable