On Fri, Jun 04, 2004 at 10:07:04AM -0400, Nielsen, Steve wrote:
> I want to run iptables and LVS on the same box. My LVS setup will be as
> follows (NAT based):
>
>      internet
>          +
>          |
>          +
>         lvs
>          +
>          |
> +--------+---------+
> |                  |
> real server        real server
>
> I want to establish iptables rules which will do the following:
>
> 1. Disallow all new connections from the outside to the lvs box except
> for traffic destined for the VIP/ports I have defined in LVS.
Likely the easiest way to do this is just to add some standard
filtering rules to the input chain.
A slightly more sophisticated approach would be to mark the
packets with a firewall mark. Then allow netfilter to
drop or accept packets based on this, and LVS to identify virtual
services based on this.
> 2. Allow inbound/outbound traffic for established/related connections
> on the LVS box.
If you are talking about packets that originate from the LVS box,
just filter them as you would on any other firewall.
> So in a sense the lvs box is a "firewall" but only to protect itself.
>
> I have read the LVS HOW-TO section 17.1 which talks about running LVS
> and netfilter together on the same box. It mentions the ipvs_nfct
> module. Do I need to do this for this situation? The HOW-TO is not
> very clear. It mentions on one hand in section 17.1 that you need the
> nfct module but then at the end of 17.1 it says: "You can (and always
> have been able to) use firewall rules that match by device, proto,
> port or IP, without using ipvs netfilter connection tracking module,
> ipvs_nfct.". So my question is when do you need the module and when
> do you not need it?
To be honest I do not know the ins and outs of the ipvs_nfct module
(though I have a feeling I am about to). But my understanding is that
combining conntrack and LVS looks like this.
LVS-NAT: Conntrack works as is.
LVS-DR and LVS-TUN (not FTP-DATA): Conntrack works if you use ipvs_nfct.
LVS-DR and LVS-TUN (FTP-DATA): Does not work, as LVS doesn't see
the packet _from_ the real server with the port information.
--
Horms
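The two approaches Horms describes (plain INPUT-chain filtering, and firewall marks shared between netfilter and LVS), written out as an added example for an LVS-NAT director. This is not code from the original thread or from the LVS project; the VIP 192.0.2.10, ports 80 and 443, interface eth0, real servers 10.0.0.11/10.0.0.12 and mark value 1 are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds the two rule sets
# discussed for an LVS-NAT director: (1) standard INPUT-chain filtering and
# (2) firewall marks used by both netfilter and LVS. All addresses, ports,
# the interface name and the mark value are assumptions for illustration.

VIP="${VIP:-192.0.2.10}"             # assumed virtual IP (RFC 5737 test range)
VPORTS="${VPORTS:-80 443}"           # assumed virtual service ports
WAN_IF="${WAN_IF:-eth0}"             # assumed Internet-facing interface
RIPS="${RIPS:-10.0.0.11 10.0.0.12}"  # assumed real servers behind the director
FWMARK="${FWMARK:-1}"                # assumed firewall mark for the service
IPT="${IPT:-iptables}"               # set IPT=echo to preview instead of apply
IPVSADM="${IPVSADM:-ipvsadm}"        # set IPVSADM=echo likewise

# Rules common to both approaches: default-deny INPUT, allow loopback, and
# admit packets belonging to connections the box already tracks. This is the
# "established/related" part of the question; locally originated traffic is
# simply allowed out and its replies come back through the state rule.
base_input_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -m state --state INVALID -j DROP
}

# Approach 1: packets addressed to the VIP traverse the INPUT chain before
# LVS claims them, so NEW connections are accepted only for the configured
# VIP:port pairs and everything else from the outside is dropped. Note that
# in LVS-NAT the real servers' replies cross the FORWARD chain, which is left
# at its default policy here.
input_filter_rules() {
    base_input_rules
    for port in $VPORTS; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp -d "$VIP" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -i "$WAN_IF" -j DROP
}

# Approach 2: mark the virtual-service packets in the mangle table, accept
# only marked NEW connections on INPUT, and define the LVS virtual service by
# that same mark (ipvsadm -f) so netfilter and LVS agree on what the service is.
fwmark_rules() {
    for port in $VPORTS; do
        $IPT -t mangle -A PREROUTING -i "$WAN_IF" -p tcp -d "$VIP" \
            --dport "$port" -j MARK --set-mark "$FWMARK"
    done
    base_input_rules
    $IPT -A INPUT -i "$WAN_IF" -m mark --mark "$FWMARK" \
        -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -j DROP
    $IPVSADM -A -f "$FWMARK" -s rr
    for rip in $RIPS; do
        $IPVSADM -a -f "$FWMARK" -r "$rip" -m   # -m: masquerading, i.e. LVS-NAT
    done
}

case "${1:-}" in
    filter) input_filter_rules ;;
    fwmark) fwmark_rules ;;
    *) echo "usage: $0 {filter|fwmark}  (IPT=echo IPVSADM=echo $0 fwmark previews)" >&2 ;;
esac
```

Running with `IPT=echo IPVSADM=echo` prints the rules instead of applying them, which is a convenient way to review the generated rule set before loading it on the director.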