Alois Treindl wrote:
> this sounds bad. I had not been aware of the fact that there are
> FUNDAMENTAL problems of that kind.
>
> Of course I could stick to the 'old Redhat 7' kernel on director, and
> avoid this problem.
It was working. I can't imagine why someone would want to upgrade a
working machine just to have it upgraded, when everything is going
to break. I'm sure management is responsible for this. I can't
imagine you'd initiate something like this :-)
I just retired a 2.0.36 machine last year, when the mobo died. It
was working just fine till then. I even noticed that the ntpq
binary had a date of 1994 on it. ntp worked just fine too.
> But I expect I can anyway combine my LVS needs with my firewall needs
> under netfilter and kernel 2.4
I don't know the code real well and I'm not an iptables expert.
I would just try the rules one at a time and see how they go.
Blocking packets at INPUT and OUTPUT (where LVS doesn't operate)
should be safe. LVS uses the FORWARD chain for replies in LVS-NAT,
so be careful there.
> I would appreciate your opinion and advice in this matter.
>
> I need LVS-NAT loadbalancing really only for one single service, www.
> For port 80 incoming connections, our firewall is anyway open, so I need
> no iptables rules for that one, except probably to allow the packets in
> at the interface.
>
> iptables -A INPUT -j ACCEPT -i eth0 -p tcp -s 0/0 --sport 1024:65535 \
> -d ${VIP} --dport 80
> Is this rule even necessary?
I would assume everyone should have a rule like this in front of their
director just to be safe.
> It seems to be - when I remove it, client
> cannot access web server.
I don't know why you _need_ it for LVS to operate.
> We have in the past blocked off a short list of misbehaving IP addresses
> from sending ANY packets, with general blocking rules of the kind
>
> /sbin/iptables -A INPUT -j DROP-AND-LOG -i eth1 -s 82.48.XXX.XXX
Everyone needs these too.
I also have rules on the realservers, e.g., packets from VIP/RIP:80 to 0/0
can only go to the default gw. Any other packets from VIP/RIP to 0/0 are
dropped (in case someone or a program gets access to the realserver)
and logged.
> Question: Will this rule be effective also for port 80 packets handled
> by ip_vs? [it seems to be, I can block a web client when I tried]
I expect so.
> The other services which I have currently forwarded via ipvsadm rules,
> which are
> - mysql packets
> - https packets
> - ssh packets
> are not loadbalanced in my setup, i.e. these services go to a single
> realserver only.
>
> I assume I can handle these services just as well outside of ip_vs, by
> regular iptables NAT rules?
Be careful having both NAT and ip_vs LVS-NAT running on the same box. You could
have port collisions.
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.operation.html#port_range
> Would you agree, that with such constrained conditions, I can combine my
> needed LVS features with the firewalling iptables features for the whole
> LVS cluster?
I think so, but I'm not a real expert here.
Joe
--
Joseph Mack PhD, High Performance Computing & Scientific Visualization
SAIC, Supporting the EPA Research Triangle Park, NC 919-541-0007
Federal Contact - John B. Smith 919-541-1087 - smith.johnb@xxxxxxx
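As an added example that is not part of the thread or of the LVS project's own code, the rules discussed above written as a small script: the director's INPUT accept and block-list rules (INPUT/OUTPUT being where ip_vs does not operate), and the realserver egress rules that let replies from RIP:80 out only toward the default gateway while logging and dropping everything else. VIP, RIP and interface names are placeholders, and matching the out-interface to express "only to the default gw" is an assumption.

```shell
#!/bin/sh
# Constructed example (not from the posting): the director and realserver
# filter rules the thread describes. VIP, RIP and interface names are
# placeholders. IPT defaults to a dry run that prints each command; run
# with IPT=iptables as root to apply the rules for real.
IPT="${IPT:-echo iptables}"
VIP="${VIP:-192.0.2.10}"     # director's public VIP on eth0 (placeholder)
RIP="${RIP:-10.0.0.11}"      # realserver's private RIP (placeholder)
RS_IF="${RS_IF:-eth0}"       # realserver interface whose default gw is the director

# Shared log-then-drop chain (the thread's DROP-AND-LOG); rate-limited so
# a flood of blocked packets cannot fill the logs.
drop_and_log_chain() {
  $IPT -N DROP-AND-LOG
  $IPT -A DROP-AND-LOG -m limit --limit 5/min -j LOG --log-prefix "DROP-AND-LOG: "
  $IPT -A DROP-AND-LOG -j DROP
}

# Director: INPUT and OUTPUT are safe to filter because ip_vs does not
# operate there. Block-listed sources are appended first so they never
# reach the ACCEPT for port 80. FORWARD is deliberately left alone:
# LVS-NAT replies traverse it, so filtering there needs care.
director_rules() {
  for bad in "$@"; do
    $IPT -A INPUT -i eth0 -s "$bad" -j DROP-AND-LOG
  done
  $IPT -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d "$VIP" --dport 80 -j ACCEPT
}

# Realserver: replies from RIP:80 may leave only via the interface that
# routes to the default gateway (the director). Anything else sourced
# from RIP is logged and dropped, which limits what a compromised
# realserver can send out. (Matching the out-interface is an assumption;
# the posting only says "can only go to the default gw".)
realserver_rules() {
  $IPT -A OUTPUT -o "$RS_IF" -p tcp -s "$RIP" --sport 80 -j ACCEPT
  $IPT -A OUTPUT -s "$RIP" -d 0/0 -j DROP-AND-LOG
}

case "${1:-}" in
  director)   drop_and_log_chain; shift; director_rules "$@" ;;
  realserver) drop_and_log_chain; realserver_rules ;;
esac
```

Run as `sh lvs-rules.sh director 82.48.0.1` on the director (or `realserver` on each realserver) to preview the commands, then re-run with `IPT=iptables` to apply them.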