|
> > What behaviour stays the same as what?
> Here is the scenerio:
> 1) The director is configured, and only has ssh running as a
> local server.
> 2) The director is load balancing only port 100
> If I am on a client machine, should I be able to do "ssh
> vip", and still get to the director ?
> Or should the connection be refused, since the VIP should
> only really care about port 100?
The director will listen only on services wherein you set it up for. You
have to define IP & port with ipvsadm, or whatever front-end tool you use.
(ldirectord, keepalived, pirahna, etc.).
SSH VIP will probably work, but not because of anything LVS does. By default
most sshd's are setup to listen on all addresses. If you do "netstat -anp |
grep 22", you will probably see something like:
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
658/sshd
You could direct sshd to only listen on certain Ips. E.g.,
ListenAddress 10.5.23.31
ListenAddress 127.0.0.1
tcp 0 0 127.0.0.1:22 0.0.0.0:* LISTEN
779/sshd
tcp 0 0 10.5.23.31:22 0.0.0.0:* LISTEN
779/sshd
> > you don't need iptables rules to set up an LVS.
> I mean, depending on the answer to the above question, would
> I need to use iptables, if I wanted
> to block all access to local services on the director that
> are going to VIP. So "ssh dip" would
> work,
> but "ssh vip" would not work, even though they are both the
> same machine.
Iptables is a really good idea. A state-filtering packet filter helps your
security a lot.
P
|
