Joseph Mack wrote:
Read this and then ask more questions.
The problem is that LVS doesn't/can't work within the netfilter framework.
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.patches.html#firewall_on_director
Joe
This sounds bad. I had not been aware of the fact that there are
FUNDAMENTAL problems of that kind.
Of course I could stick to the 'old Redhat 7' kernel on director, and
avoid this problem.
But I expect I can anyway combine my LVS needs with my firewall needs
under netfilter and kernel 2.4
I would appreciate your opinion and advice in this matter.
I need LVS-NAT loadbalancing really only for one single service, www.
For port 80 incoming connections, our firewall is anyway open, so I need
no iptables rules for that one, except probably to allow the packets in
at the interface.
iptables -A INPUT -j ACCEPT -i eth0 -p tcp -s 0/0 --sport 1024:65535 \
-d ${VIP} --dport 80
Is this rule even necessary? It seems to be - when I remove it, the client
cannot access the web server.
We have in the past blocked off a short list of misbehaving IP addresses
from sending ANY packets, with general blocking rules of the kind
/sbin/iptables -A INPUT -j DROP-AND-LOG -i eth1 -s 82.48.XXX.XXX
Question: Will this rule be effective also for port 80 packets handled
by ip_vs? [it seems to be, I can block a web client when I tried]
The other services which I have currently forwarded via ipvsadm rules,
which are
- mysql packets
- https packets
- ssh packets
are not loadbalanced in my setup, i.e. these services go to a single
realserver only.
I assume I can handle these services just as well outside of ip_vs, by
regular iptables NAT rules?
Would you agree that, with such constrained conditions, I can combine my
needed LVS features with the firewalling iptables features for the whole
LVS cluster?
Alois
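The director ruleset Alois sketches, assembled into one script as an added example (it is not from the thread, the HOWTO, or the LVS project). Everything concrete in it is assumed for illustration: the VIP 192.0.2.10, the realservers 10.0.0.11/10.0.0.12, eth0 as the client-facing interface and eth1 as the realserver side, the body of the DROP-AND-LOG chain, and the blocklist entries, which are constructed sample data. The ordering makes the behaviour Alois observed visible: filter/INPUT is traversed before ip_vs picks the packet up at the LOCAL_IN hook, so both the VIP:80 ACCEPT and the blocklist DROP act on traffic that ip_vs will later load-balance.

```shell
#!/bin/sh
# Added example: firewall + LVS-NAT ruleset for a 2.4 director.
# All addresses, interfaces and the DROP-AND-LOG body are assumptions.

VIP=${VIP:-192.0.2.10}                # public VIP (assumed)
RS1=${RS1:-10.0.0.11}                 # load-balanced realserver 1 (assumed)
RS2=${RS2:-10.0.0.12}                 # load-balanced realserver 2 (assumed)
SINGLE_RS=${SINGLE_RS:-10.0.0.11}     # sole target for ssh/https/mysql (assumed)
EXT_IF=${EXT_IF:-eth0}                # interface facing the clients (assumed)
INT_IF=${INT_IF:-eth1}                # interface facing the realservers (assumed)
# Constructed sample blocklist, not real offenders.
BLOCKLIST=${BLOCKLIST:-"82.48.0.0/16 203.0.113.5"}

# Print the command instead of running it when DRYRUN=1, so the ruleset
# can be reviewed on a box without iptables/ipvsadm.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_rules() {
    # Director forwards for LVS-NAT and for the DNAT'd services.
    run sysctl -w net.ipv4.ip_forward=1

    # 1. Blocklist. filter/INPUT is traversed before ip_vs sees the packet
    #    at LOCAL_IN, so a DROP here also covers VIP:80 traffic that ip_vs
    #    would otherwise hand to a realserver.
    run iptables -N DROP-AND-LOG
    run iptables -A DROP-AND-LOG -j LOG --log-prefix "blocked: "
    run iptables -A DROP-AND-LOG -j DROP
    for bad in $BLOCKLIST; do
        run iptables -A INPUT -i "$EXT_IF" -s "$bad" -j DROP-AND-LOG
    done

    # 2. The one load-balanced service. With a default-DROP INPUT policy
    #    the SYN to VIP:80 is discarded before ip_vs ever sees it, hence
    #    the ACCEPT is required. ip_vs then masquerades (-m) to RS1/RS2.
    run iptables -A INPUT -i "$EXT_IF" -p tcp -d "$VIP" --dport 80 -j ACCEPT
    run ipvsadm -A -t "$VIP:80" -s wlc
    run ipvsadm -a -t "$VIP:80" -r "$RS1:80" -m
    run ipvsadm -a -t "$VIP:80" -r "$RS2:80" -m

    # 3. Single-realserver services done with plain netfilter DNAT instead
    #    of ipvsadm: nat/PREROUTING rewrites the destination, the packet
    #    is then routed and must be allowed in filter/FORWARD.
    for port in 22 443 3306; do
        run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$VIP" \
            --dport "$port" -j DNAT --to-destination "$SINGLE_RS:$port"
        run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp \
            -d "$SINGLE_RS" --dport "$port" -j ACCEPT
    done
    # Replies from the realserver belong to flows conntrack already knows.
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Tighten the defaults only after the accepts are in place.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
}

# "show" prints the rules, "apply" executes them; no argument does nothing.
case "${1:-}" in
    show)  DRYRUN=1 build_rules ;;
    apply) build_rules ;;
esac
```

`sh lvs-fw.sh show` lists the commands in the order they would be issued; `apply` runs them. Note what the example does and does not settle: it shows where each rule must sit for the observed behaviour to hold (INPUT before ip_vs, DNAT in nat/PREROUTING plus a FORWARD accept), but the DNAT part pulls iptable_nat and ip_conntrack onto the same director that runs ip_vs, and how those coexist on a given 2.4 kernel is exactly the question Joe's HOWTO link is about, not something this ruleset resolves.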