rkhamilton wrote:
> Adding rules like:
>
> iptables -t nat -A POSTROUTING -p tcp -s 172.16.10.0/24 --dport 80 -j
> MASQUERADE
>
> allowed for outbound natted connections from the web servers, as
> clients, to other web servers.
fine
> no iproute2 stuff required. I suspect that my configuration is not the
> same as you might have expected. The only path to the Internet is
> through the director.
the iproute2 stuff is for security.
Normally you would have rules to only allow packets to 0/0 from
VIP:80, ie no clients allowed to connect to 0/0
Now when you allow clients on the realserver, you should change
the rules to also allow clients to only connect to 0:80.
As well with iproute2 you only route the packets to 0:80
but not to any other port.
If your realserver is compromised, you don't want
other clients to be able to connect to the outside world
Joe
--
Joseph Mack PhD, High Performance Computing & Scientific Visualization
SAIC, Supporting the EPA Research Triangle Park, NC 919-541-0007
Federal Contact - John B. Smith 919-541-1087 - smith.johnb@xxxxxxx
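The egress policy Joe describes (realservers may act as clients only toward port 80, everything else from the realserver network is refused), as an added example for the director; this is not a script from the thread or from the LVS project. It assumes the 172.16.10.0/24 realserver network from the quoted rule, a placeholder external interface name (eth0), and iptables with the state match; the iproute2 side of the restriction is not shown.

```shell
#!/bin/sh
# Added example, not from the original message: director-side egress policy
# for LVS-NAT realservers. REALSERVER_NET comes from the quoted rule; OUT_IF
# is an assumed placeholder for the director's outside interface.
REALSERVER_NET="${REALSERVER_NET:-172.16.10.0/24}"
OUT_IF="${OUT_IF:-eth0}"

# Print the rule set instead of executing it, so it can be reviewed first.
egress_rules() {
    cat <<EOF
# replies for connections already accepted (both directions)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# realservers acting as clients may open connections only to port 80
iptables -A FORWARD -s $REALSERVER_NET -o $OUT_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
# log, then drop, every other outbound attempt from the realserver network
iptables -A FORWARD -s $REALSERVER_NET -o $OUT_IF -j LOG --log-prefix "RS-EGRESS-DROP "
iptables -A FORWARD -s $REALSERVER_NET -o $OUT_IF -j DROP
# NAT only the traffic the filter above admits
iptables -t nat -A POSTROUTING -s $REALSERVER_NET -o $OUT_IF -p tcp --dport 80 -j MASQUERADE
EOF
}

# Number of rules that ACCEPT a NEW connection from the realserver network.
# The intended policy has exactly one (port 80); more means the policy leaked.
count_new_accepts() {
    egress_rules | grep -- '--state NEW' | grep -c -- '-j ACCEPT'
}

# Execute the printed rules (requires root and iptables on the director).
apply_egress_rules() {
    egress_rules | grep -v '^#' | sh -e
}

# Default: show the rules. "--apply" loads them.
if [ "${1:-}" = "--apply" ]; then
    apply_egress_rules
else
    egress_rules
fi
```

The LOG rule before the DROP is what turns a compromised realserver into a detectable event: any connection attempt to a port other than 80 leaves an "RS-EGRESS-DROP" line in the kernel log, which is where you would watch.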