Alois Treindl wrote:
I had described my LVS NAT - firewall setup with iptables, see below.
I think I solved the problem myself, in a long night.
To get it to work, I had to add two iptables rules:
${IT} -t nat -A POSTROUTING -o eth1 -p tcp -s $W1 --sport 22 -d \
$MY_NETWORK -j MASQUERADE
${IT} -A FORWARD -o eth1 -j ACCEPT
ssh access to the realserver does work now. I have to admit that the
'why' is still a bit of a mystery.
I have found both on the web and in the LVS howto very little explicit
information on how to set up LVS NAT with packet filtering under iptables;
most information refers to the older ipchains filtering.
Example for the ssh service (all ssh connections should go to real server w1
only):
IPVSADM=/sbin/ipvsadm
${IPVSADM} -C
${IPVSADM} -A -t $VIP:ssh -s rr
${IPVSADM} -a -t $VIP:ssh -r $W1:ssh -m -w 1
iptables rules:
---------------
IT=/sbin/iptables
# policy rules
${IT} -F
${IT} -t nat -F
${IT} -X
${IT} -P INPUT DROP
${IT} -P FORWARD DROP
${IT} -P OUTPUT DROP
# the DROP-AND-LOG chain is jumped to below but its definition was not
# included in the post; -X above removes any user chain, so it has to be
# (re)created here (assumed definition: log, then drop)
${IT} -N DROP-AND-LOG
${IT} -A DROP-AND-LOG -j LOG
${IT} -A DROP-AND-LOG -j DROP
# allow ssh to come in (client -> VIP:22 on the public interface eth1)
${IT} -A INPUT -j ACCEPT -i eth1 -p tcp -s 0/0 --sport 1024:65535 -d $VIP --dport 22
# general input/output rules (director's own traffic; nothing is added to
# FORWARD here, so its DROP policy applies to everything forwarded)
${IT} -A OUTPUT -o eth1 -j ACCEPT
${IT} -A INPUT -i eth0 -j ACCEPT
${IT} -A OUTPUT -o eth0 -j ACCEPT
# catch the rest for logging
${IT} -A INPUT -j DROP-AND-LOG
${IT} -A FORWARD -j DROP-AND-LOG
${IT} -A OUTPUT -j DROP-AND-LOG
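The same setup written as a tightened, dry-runnable script is added below as an example; it is not the poster's script. It keeps the poster's interface layout (eth1 public, eth0 towards the real server) and assumes placeholder values for VIP and W1; the comments about which chain each leg of an LVS-NAT connection traverses describe IPVS NAT-mode behaviour as assumed here and should be confirmed with a LOG rule on the kernel in use.

```shell
#!/bin/sh
# Added example: director-side iptables + ipvsadm rules for one LVS-NAT ssh
# service. Written as a generator so it can be dry-run with IT=echo.
VIP=${VIP:-192.0.2.10}           # public address on eth1 (constructed value)
W1=${W1:-10.0.0.11}              # real server behind eth0 (constructed value)
IT=${IT:-/sbin/iptables}
IPVSADM=${IPVSADM:-/sbin/ipvsadm}

lvs_nat_rules() {
    ${IT} -F; ${IT} -t nat -F; ${IT} -X
    ${IT} -P INPUT DROP; ${IT} -P FORWARD DROP; ${IT} -P OUTPUT DROP
    # create the logging chain before anything jumps to it (-X removed it)
    ${IT} -N DROP-AND-LOG
    ${IT} -A DROP-AND-LOG -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    ${IT} -A DROP-AND-LOG -j DROP
    # 1) client -> VIP:22 is delivered locally; IPVS picks it up in LOCAL_IN
    ${IT} -A INPUT -i eth1 -p tcp -d "$VIP" --dport 22 -j ACCEPT
    # 2) IPVS rewrites the destination to W1 and re-sends the packet, so the
    #    forwarded request appears in OUTPUT with dst=W1 (assumed behaviour)
    ${IT} -A OUTPUT -o eth0 -p tcp -d "$W1" --dport 22 -j ACCEPT
    # 3) replies from W1 pass through FORWARD, where IPVS restores src=VIP;
    #    the filter table sees them before that rewrite, hence -s $W1
    ${IT} -A FORWARD -i eth0 -o eth1 -p tcp -s "$W1" --sport 22 -j ACCEPT
    # director's own traffic, as in the post
    ${IT} -A INPUT -i eth0 -j ACCEPT
    ${IT} -A OUTPUT -o eth0 -j ACCEPT
    ${IT} -A OUTPUT -o eth1 -j ACCEPT
    # everything else is logged (rate-limited) and dropped
    ${IT} -A INPUT -j DROP-AND-LOG
    ${IT} -A FORWARD -j DROP-AND-LOG
    ${IT} -A OUTPUT -j DROP-AND-LOG
    # virtual service: ssh on the VIP, NAT mode (-m), one real server
    ${IPVSADM} -C
    ${IPVSADM} -A -t "$VIP:22" -s rr
    ${IPVSADM} -a -t "$VIP:22" -r "$W1:22" -m -w 1
}

# "sh lvs-nat.sh dry-run" prints the commands; "sh lvs-nat.sh apply" runs them
case "${1:-}" in
    dry-run) IT=echo; IPVSADM=echo; lvs_nat_rules ;;
    apply)   lvs_nat_rules ;;
esac
```

Running it with dry-run first shows the exact order in which the chain is created and referenced, which is the part the original excerpt leaves implicit.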