> It appears I need to give chapter 17 of the howto a better look. I did use
> connection tracking on my director and was dropping packets with the
> following rule:
> iptables --append INPUT --match state --state INVALID -j DROP
>
> This rule dropped all the ACKs the realserver wanted to send the client
> when the connection was closed, resulting in the client waiting for ACKs
> and, if not receiving them for some time, sending out another batch of FINs
> (which were also dropped), resulting in a very slow request... I suppose I
> have to take a look at ipvs_nfct for this.
I had been thinking about switching to the rule you listed above, glad I
didn't now. Thanks for being the guinea pig :). Question: I am using these
invalid state rules. What are the flags being sent on your ACK & FINs?
According to RFCs, all the below should never occur. Do they here? I assume
not since everything seems to be working well for me, but I am not pushing
the bandwidth you are.
# deny invalid state packets
# - all bits cleared
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
# - syn & fin both set
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# - syn & rst both set
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# - fin & rst both set
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# - fin & no ack
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
# - psh & no ack
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
# - urg & no ack
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
Regards,
P
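The following is an added example, not code from either message or from the LVS project: a small Python model of how the `--tcp-flags MASK COMP` match in the rules above evaluates a segment's flag byte (`(flags & MASK) == COMP`, with `ALL` meaning the six classic flags), run over a few constructed TCP headers. It is meant to let you check, offline, what each of the seven rules would and would not drop; the flag layout and the `ALL`/`NONE` keywords follow the iptables tcp match, everything else (function names, sample segments) is made up here.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as laid out in byte 13 of the TCP header.
FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}
# iptables' "ALL" keyword covers the six classic flags only (0x3F);
# ECE/CWR are not part of it. "NONE" is the empty set.
ALL_MASK = 0x3F


def flags_to_int(spec: str) -> int:
    """Turn an iptables flag list ("SYN,FIN", "ALL", "NONE") into a bitmask."""
    if spec == "ALL":
        return ALL_MASK
    if spec == "NONE":
        return 0
    value = 0
    for name in spec.split(","):
        value |= FLAG_BITS[name]
    return value


@dataclass(frozen=True)
class FlagRule:
    comment: str  # the comment the firewall script gives the rule
    mask: int     # first --tcp-flags argument: the bits examined
    comp: int     # second argument: the bits that must be set within mask

    def matches(self, flags: int) -> bool:
        # --tcp-flags MASK COMP semantics: (flags & MASK) == COMP
        return (flags & self.mask) == self.comp


# The seven matches from the script above. INPUT and FORWARD use the same
# test, so one list models both chains.
RULES = [
    FlagRule("all bits cleared", flags_to_int("ALL"), flags_to_int("NONE")),
    FlagRule("syn & fin both set", flags_to_int("SYN,FIN"), flags_to_int("SYN,FIN")),
    FlagRule("syn & rst both set", flags_to_int("SYN,RST"), flags_to_int("SYN,RST")),
    FlagRule("fin & rst both set", flags_to_int("FIN,RST"), flags_to_int("FIN,RST")),
    FlagRule("fin & no ack", flags_to_int("ACK,FIN"), flags_to_int("FIN")),
    FlagRule("psh & no ack", flags_to_int("ACK,PSH"), flags_to_int("PSH")),
    FlagRule("urg & no ack", flags_to_int("ACK,URG"), flags_to_int("URG")),
]


def flags_of(*names: str) -> int:
    """Combine flag names into the header's flag byte."""
    value = 0
    for name in names:
        value |= FLAG_BITS[name]
    return value


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header with the given flag byte (no options, zero checksum)."""
    data_offset = 5 << 4  # 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, data_offset, flags, 65535, 0, 0)


def flags_from_tcp_header(header: bytes) -> int:
    """Read the flag byte out of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header too short")
    return header[13]


def first_drop_rule(flags: int) -> Optional[str]:
    """Comment of the first rule that would DROP a segment with these flags, or None."""
    for rule in RULES:
        if rule.matches(flags):
            return rule.comment
    return None


def classify_segment(header: bytes) -> str:
    hit = first_drop_rule(flags_from_tcp_header(header))
    return f"DROP ({hit})" if hit else "ACCEPT (no tcp-flags rule matched)"


if __name__ == "__main__":
    # Constructed sample segments: the normal handshake/teardown cases and
    # the combinations the script treats as invalid.
    samples = {
        "SYN (connection open)": flags_of("SYN"),
        "FIN,ACK (normal close)": flags_of("FIN", "ACK"),
        "ACK only": flags_of("ACK"),
        "no flags at all": 0,
        "FIN without ACK": flags_of("FIN"),
        "SYN,FIN": flags_of("SYN", "FIN"),
        "SYN,ECE,CWR (ECN setup)": flags_of("SYN", "ECE", "CWR"),
    }
    for label, f in samples.items():
        print(f"{label:26s} 0x{f:02x}  {classify_segment(build_tcp_header(f))}")
```

Running it shows that a normal FIN/ACK from a connection close passes all seven rules (the FIN segments of a regular teardown carry ACK), so these flag rules do not produce the slow-close symptom the INVALID state rule did; only segments with one of the listed flag combinations hit a DROP.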