Re: problem moving LVS NAT cluster to iptables

To:	"LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject:	Re: problem moving LVS NAT cluster to iptables - solved?
From:	Joseph Mack <mack.joseph@xxxxxxx>
Date:	Tue, 18 May 2004 10:52:35 -0400

Alois Treindl wrote:
> 
> On Tue, 18 May 2004, Joseph Mack wrote:
> 
> > Alois Treindl wrote:
> >
> >
> > Hi Alois,
> >       Nice to hear from you again. Why did you go break your working
> > 2.2 setup :-)

> I need reliable security patches,
> and I want to run as unified a system on all boxes as possible.

just giving you a hard time.

> > With 2.4 you don't have to write any iptables rules for the basic LVS-NAT
> > functionality (setting up the masquerading and the de-masquerading). With
> > 2.2 you had to set up the masquerading direction.
> 
> Yes, I finally gathered that from your LVS HOWTO section 15.6
 
> My error was that I did not understand the various chains and tables of
> 'iptables' and did not realize that I also need to define rules for the
> FORWARD chain, not just the INPUT chain, because this is where the LVS
> packages go through and are filtered in. the missing rule for the FORWARD
> chain stopped my packets to get back through the director to the client.

the model for routing is different for 2.2 and 2.4, you just can't substitute
the new iptables command for the old ipchains command.

> What is missing there is a comment about how LVS interacts with it, i.e.
> in which steps exactly LVS is done.
> 
> If you can point me to info regardig the interaction between ipvs-handling
> of packets and iptables/netfilter handling of packets, it would be
> helpful.
> 
> The integration of both iptables-firewalling and LVS-NAT into a single box
> is probably not a rare situation, and careful consideration of filtering
> rules is necessary, both for the state when LVS is down and up.

Read this and then ask more questions. 
The problem is that LVS doesn't/can't work within the netfilter framework.

http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.patches.html#firewall_on_director

I just uploaded this about 1500UTC today. Hit your reload button to flush your
cache.

Joe

-- 
Joseph Mack PhD, High Performance Computing & Scientific Visualization
SAIC, Supporting the EPA Research Triangle Park, NC 919-541-0007
Federal Contact - John B. Smith 919-541-1087 - smith.johnb@xxxxxxx

<Prev in Thread]	Current Thread	[Next in Thread>
problem moning LVS NAT cluster from ipchains to iptables, Alois Treindl Re: problem moning LVS NAT cluster from ipchains to iptables - typo, Alois Treindl Re: problem moning LVS NAT cluster from ipchains to iptables - typo2, Alois Treindl Re: problem moving LVS NAT cluster to iptables - solved?, Alois Treindl Re: problem moving LVS NAT cluster to iptables - solved?, Joseph Mack Re: problem moving LVS NAT cluster to iptables - solved?, Alois Treindl Re: problem moving LVS NAT cluster to iptables - solved?, Joseph Mack <= Re: problem moving LVS NAT cluster to iptables - solved?, Alois Treindl Re: problem moving LVS NAT cluster to iptables - solved?, Joseph Mack Re: problem moving LVS NAT cluster to iptables - solved?, Horms Re: problem moving LVS NAT cluster to iptables - solved?, Alois Treindl Re: problem moving LVS NAT cluster to iptables - solved?, Horms updated HOWTO - firewall on director, Joseph Mack

Previous by Date:	Re: problem moving LVS NAT cluster to iptables - solved?, Alois Treindl
Next by Date:	Can you change the destination port in DR mode ?, Malcolm Turnbull
Previous by Thread:	Re: problem moving LVS NAT cluster to iptables - solved?, Alois Treindl
Next by Thread:	Re: problem moving LVS NAT cluster to iptables - solved?, Alois Treindl
Indexes:	[Date] [Thread] [Top] [All Lists]

Re: problem moving LVS NAT cluster to iptables - solved?