|
Hello,
director#ipvsadm -n -L
IP Virtual Server version 1.0.6 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
FWM 1 wlc persistent 320
-> proxy02.ait.ac.th:80 Route 8 65 53
-> proxy01.ait.ac.th:80 Route 12 99 91
Hmm, you specified -n and still ipvsadm shows names??
--- It was my typing mistake
Ok, already thought we had a bug in th' olde ipvsadm.
What makes you think that your plan would help defeating/fighting the
problem
you're experiencing?
--- if i can limit the simultenious SYN connections from the source IP using
iptables, I think that it is possible to fight against nimda.
Have you tested this? And how do you know which SYN request will lead to a
stream containing nimda? If you rate limit SYNs (also possible with 2.2.x
kernels, check out QoS, backlog queue) you will most certainly punish legimit
traffic.
You can rate limit SYNs from a certain IP using QoS in 2.2.x kernels or the
limit target in iptables or you use the tcp_defense mechanism in LVS. There is
nothing intelligent you can do at layer 4 against nimda, except maybe use u32
qualifiers to filter them out; but then we have CR, CRII and all those variants
of worms people come up with ... You will never address the root of the problem
which lies at the application layer.
Any good solution ?
If you have spare hardware you should really think about setting up a proxy-like
bastion in front of your RS. Something like apache reverse proxy or mod_rewrite
and then define rules in terms of what is allowed to get to your RS' and
drop'n'log the rest.
ipchains -A input -s 0/0 -d 127.0.0.1/255.255.255.255 -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 80 -p tcp -j REDIRECT 80 -m 1
Why do you need those two rules? What exactly are you trying to do here? I
think
you would like to fwmark the VIP but what for? But why the redirect?
--- well, the rule 1 is useless, rule 2 is to fwmark and to redirect all
http traffic to real servers. I use heartbeat-ldirectord in the director.
I still do not understand. The load balancer already does the redirection on
incoming traffic to port 80. You do not seem to be running any other service so
why don't you simply set up a VIP?
AFAICR the last rule of yours will fetch incoming packets to any destination and
port 80 (I wonder if you really want to do that) and redirect it to localhost
port 80 and that's maybe why you have the second rule.
Again, why don't you set up a VIP:80 service for your site?
Thanks a lot for your prompt reply.
You're welcome; best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
| 