Hello,
On Fri, 4 Jun 2004, Nielsen, Steve wrote:
> I want to establish iptables rules which will do the following:
>
> 1. Disallow all new connections from the outside to the lvs box except for
> traffic destined for the VIP/ports I have defined in LVS.
> 2. Allow inbound/outbound traffic for established/related connections on the
> LVS box.
>
> So in a sense the lvs box is a "firewall" but only to protect itself.
>
> I have read the LVS HOW-TO section 17.1 which talks about running LVS and
> netfilter together on the same box. It mentions the ipvs_nfct module. Do I
> need to do this for this situation? The HOW-TO is not very clear. It
> mentions on one hand in section 17.1 that you need the nfct module but then
> at the end of 17.1 it says: "You can (and always have been able to) use
> firewall rules that match by device, proto, port or IP, without using ipvs
> netfilter connection tracking module, ipvs_nfct.". So my question is when do
> you need the module and when do you not need it?
You need ipvs_nfct to support -m state iptables syntax. As you
know you do not always need -m state. That is the only functionality
provided by ipvs_nfct. It works in such cases:
- NAT: any kind of traffic including FTP-DATA
- DR/TUN: not for related connections (expectations), e.g. FTP-DATA
The HOWTO explains the worst case example, FTP with NAT:
17.5. LVS-NAT netfilter conntrack example with ftp
Using 'modprobe ip_nat_ftp' is optional and ip_nat_ftp needs a
fix:
http://marc.theaimsgroup.com/?l=linux-netdev&m=108220842129842&w=2
> Thanks,
> Steve
Regards
--
Julian Anastasov <ja@xxxxxx>
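As an added illustration of the two rule styles discussed above (this is not code from the thread or from the LVS project), the script below prints a "protect the LVS box itself" INPUT rule set in both forms: one that uses -m state and therefore needs ipvs_nfct loaded, and one that matches only by device, protocol, port and address and so works without it. The VIP 192.0.2.10, service port 80 and outside interface eth0 are constructed placeholder values; the needs_nfct helper is a hypothetical check that flags rule sets using -m state. Only the INPUT chain is covered, since the question concerns protecting the director, not filtering forwarded NAT traffic.

```shell
#!/bin/sh
# Added example: generates candidate iptables INPUT rules for an LVS director.
# Constructed, assumed values; adjust to the real VIP, port and interface.
VIP="${VIP:-192.0.2.10}"
VPORT="${VPORT:-80}"
EXT_IF="${EXT_IF:-eth0}"

# Rule set using -m state. This requires ipvs_nfct so that connections handled
# by IPVS are visible to netfilter's connection tracking. Per the reply above,
# RELATED works for NAT; for DR/TUN it does not cover expectations (FTP-DATA).
rules_with_nfct() {
    cat <<EOF
modprobe ipvs_nfct
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp -d $VIP --dport $VPORT -m state --state NEW -j ACCEPT
EOF
}

# Rule set matching only by device/proto/port/IP, which works without
# ipvs_nfct. Without conntrack state, reply traffic for connections the box
# itself opens is approximated by accepting non-SYN TCP packets; this is a
# weaker check than ESTABLISHED, which is the trade-off the HOWTO describes.
rules_without_nfct() {
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp -d $VIP --dport $VPORT -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -j ACCEPT
EOF
}

# Hypothetical helper: exit 0 if the rule set read on stdin uses -m state
# (and so needs ipvs_nfct), exit 1 otherwise.
needs_nfct() {
    grep -q -e '-m state' -e '--state'
}

# Apply a rule set: with DRY_RUN=1 just print the commands; otherwise run them.
apply_rules() {
    "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Stand-alone usage (dry run by default so nothing on the host is changed):
if [ "${0##*/}" != "sh" ] && [ -z "${UNDER_TEST:-}" ]; then
    echo "# with ipvs_nfct:";    apply_rules rules_with_nfct
    echo "# without ipvs_nfct:"; apply_rules rules_without_nfct
fi
```

Run it with no arguments to see both rule sets; set DRY_RUN=0 as root to actually load them. The needs_nfct check is a convenient way to audit an existing rule script before deciding whether ipvs_nfct has to be loaded on the director.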