On Mon, Mar 15, 2004 at 09:16:18AM -0800, Dan wrote:
> I still have the ip question, but for the time being I set up a routable ip on
> eth0 and put the VIP on lo:0 just for testing. The packet actually gets from
> the client, all the way to the real server:
>
> #tcpdump -vvv -ne -i eth1 port not 22
> tcpdump: listening on eth1
> 01:05:02.459391 MAC_OF_DIRECTOR_INTERNAL_INTERFACE
> MAC_OF_REAL_INTERNAL_INTERFACE 0800 74: CIP.51950 > VIP.80: S [tcp sum ok]
> 152640938:152640938(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
> (ttl 53, id 48139, len 60)
>
> I believe this correct. But no packet ever goes out of the external interface
> on the real server. I have the default route set correctly on the real server
> (it can get on the net). Are there any other gotchas I should check out?
As you are doing asymmetric routing rp_filter might be causing you
some troubles, many distributions turn it on by default as
most of the time it is a good idea.
/proc/sys/net/ipv4/conf/*/rp_filter
From Documentation/filesystems/proc.txt in the kernel tree
rp_filter
---------
Integer value determines if a source validation should be made. 1 means
yes, 0 means no. Disabled by default, but local/broadcast address
spoofing is always on.
If you set this to 1 on a router that is the only connection for a
network to the net, it will prevent spoofing attacks against your
internal networks (external addresses can still be spoofed), without
the need for additional firewall rules.
--
Horms
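A quick way to check for the rp_filter gotcha Horms points at, added here as an example and not taken from the original thread. It reads the same /proc/sys/net/ipv4/conf tree, but takes the tree root as a parameter so it can be exercised against a constructed copy; the function names are mine. One detail worth knowing beyond the proc.txt excerpt: the kernel applies the larger of conf/all/rp_filter and conf/<iface>/rp_filter to an interface, so looking at only the per-interface file can mislead, and later kernels also accept the value 2 for a "loose" mode.

```shell
#!/bin/sh
# Added example (not from the original mail): report which interfaces on a
# real server actually have reverse-path filtering active, the setting that
# drops packets whose source address would not be routed back out the same
# interface, which is exactly what an LVS-DR real server with the VIP on lo:0
# looks like. Tree root defaults to the live procfs path.

# Effective rp_filter for one interface: max(all, iface), as the kernel uses.
rp_filter_effective() {
  root="$1"; iface="$2"
  all_val=$(cat "$root/all/rp_filter" 2>/dev/null || echo 0)
  if_val=$(cat "$root/$iface/rp_filter" 2>/dev/null || echo 0)
  if [ "$all_val" -gt "$if_val" ]; then echo "$all_val"; else echo "$if_val"; fi
}

# Human-readable name: 0 and 1 as in the proc.txt excerpt; 2 is the "loose"
# mode that later kernels added.
rp_filter_mode() {
  case "$1" in
    0) echo "off" ;;
    1) echo "strict" ;;
    2) echo "loose" ;;
    *) echo "unknown" ;;
  esac
}

# List every real interface (skipping the all/default pseudo-entries) with its
# effective setting, then print how many would drop asymmetrically routed
# packets.
rp_filter_report() {
  root="${1:-/proc/sys/net/ipv4/conf}"
  n=0
  for f in "$root"/*/rp_filter; do
    [ -f "$f" ] || continue
    iface=$(basename "$(dirname "$f")")
    case "$iface" in all|default) continue ;; esac
    eff=$(rp_filter_effective "$root" "$iface")
    printf '%-8s rp_filter=%s (%s)\n' "$iface" "$eff" "$(rp_filter_mode "$eff")"
    [ "$eff" = "0" ] || n=$((n + 1))
  done
  echo "interfaces with rp_filter active: $n"
}

# Count only, for scripting: the number of interfaces with a non-zero
# effective rp_filter.
rp_filter_active_count() {
  rp_filter_report "$1" | sed -n 's/^interfaces with rp_filter active: //p'
}

# Run against the live system when executed directly.
rp_filter_report
```

If the count is non-zero on the real server's internal interface, that interface is the first place to look when the SYN arrives (as in the tcpdump above) but nothing ever leaves; the per-interface file can be set to 0 while leaving conf/all alone.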