Hi,
> director: 203.159.0.100
> realserver: 203.159.0.10 (used for squid cache)
> realserver: 203.159.0.14 (used for squid cache)
>
> director#ipvsadm -n -L
> IP Virtual Server version 1.0.6 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
> -> RemoteAddress:Port Forward Weight ActiveConn InActConn
> FWM 1 wlc persistent 320
> -> proxy02.ait.ac.th:80 Route 8 65 53
> -> proxy01.ait.ac.th:80 Route 12 99 91
Hmm, you specified -n and still ipvsadm shows names??
--- It was my typing mistake
> No problem at all. But I need to upgrade the distribution in director to
> block Nimda/DoS by implementing iptables using iplimits (limit simultaneous
> connections from the source IP).
What makes you think that your plan would help defeat/fight the problem
you're experiencing?
--- if I can limit the simultaneous SYN connections from the source IP using
iptables, I think that it is possible to fight against Nimda. Any good
solution?
> 1. Do I also need to upgrade real servers to kernel 2.4.xx and use
> iptables instead of ipchains?
No.
> ipchains -A input -s 0/0 -d 203.159.0.100/255.255.255.255 -j ACCEPT
iptables -t filter -A INPUT -s 0/0 -d 203.159.0.100/32 -j ACCEPT
> ipchains -A input -s 0/0 -d 127.0.0.1/255.255.255.255 -j ACCEPT
> ipchains -A input -s 0/0 -d 0/0 80 -p tcp -j REDIRECT 80 -m 1
Why do you need those two rules? What exactly are you trying to do here? I
think you would like to fwmark the VIP, but what for? And why the redirect?
--- Well, rule 1 is useless; rule 2 is to fwmark and to redirect all
HTTP traffic to the real servers. I use heartbeat-ldirectord in the director.
Thanks a lot for your prompt reply.
Faruk
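As an added example (not from the thread or from the ipvsadm project), a small parser for the `ipvsadm -n -L` listing quoted above, plus a check that flags a real server carrying a larger share of active connections than its weight share would predict, which is one cheap way to spot a flooded or unbalanced cache. The sample listing is constructed from the thread's figures; which proxy maps to which 203.159.0.x address is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the `ipvsadm -n -L` listing in the thread. With -n the
# real servers show as addresses; the proxy-to-address mapping is an assumption.
SAMPLE = """\
IP Virtual Server version 1.0.6 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  1 wlc persistent 320
  -> 203.159.0.14:80              Route   8      65         53
  -> 203.159.0.10:80              Route   12     99         91
"""

@dataclass
class RealServer:
    addr: str
    forward: str
    weight: int
    active: int
    inactive: int

@dataclass
class VirtualService:
    proto: str      # TCP, UDP or FWM (firewall-mark service)
    ident: str      # "addr:port" for TCP/UDP, the mark number for FWM
    scheduler: str
    flags: str
    reals: list = field(default_factory=list)

SERVICE_RE = re.compile(r"^(TCP|UDP|FWM)\s+(\S+)\s+(\S+)\s*(.*)$")
REAL_RE = re.compile(r"^\s*->\s+(\S+)\s+(Route|Masq|Tunnel)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_ipvsadm(text):
    """Parse `ipvsadm -L -n` output into VirtualService objects (header lines are skipped)."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services.append(VirtualService(*m.groups()))
            continue
        m = REAL_RE.match(line)
        if m and services:
            addr, fwd, w, a, i = m.groups()
            services[-1].reals.append(RealServer(addr, fwd, int(w), int(a), int(i)))
    return services

def overloaded(service, factor=1.5):
    """Real servers whose share of active connections exceeds `factor` times their
    weight share: a crude sign of an unbalanced or connection-flooded server."""
    total_w = sum(r.weight for r in service.reals) or 1
    total_a = sum(r.active for r in service.reals) or 1
    return [r.addr for r in service.reals
            if r.active / total_a > factor * r.weight / total_w]
```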