
LVS, firewalling, and masquerading

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: LVS, firewalling, and masquerading
From: Trevin Harlan <trevin@xxxxxxxxxxxxxxxxx>
Date: Wed, 23 Mar 2005 15:26:27 -0700
I've set up a pair of machines running LVS with masquerading, and things are working just dandy.  However, I'd like to try and make things a little bit more secure, and I'm having a bit of a hard time.

My goals are:

- The director should masquerade for real servers on the internal network (all network traffic, not just the service that LVS is managing)
- The director should ONLY masquerade for internal clients - not something like "iptables -t nat -A POSTROUTING -j MASQUERADE", which will allow outside machines to masquerade as well.
- iptables should drop any new, incoming connection EXCEPT FOR the LVS-enabled service.

I just can't seem to get all three working at once.  If someone with more expertise than I could suggest how to get that all working, I would greatly appreciate it.  After mangling my scripts for a couple of days, they're in such disarray that it's probably easiest to start fresh.

Here is a bit more info:

director's external interface:  10.0.0.254 (/24)
director's internal interface:  10.0.1.254 (/24)
realservers:  10.0.1.1 - 10.0.1.2
service:  http

Again, thanks in advance for any help.

Trevin Harlan
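
A ruleset that would meet the three goals listed in the post, as an added example that is not part of the original message or the LVS project's own code. It assumes eth0 is the external interface, eth1 the internal one, and that the virtual IP is the director's external address 10.0.0.254; none of these is stated in the post.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for an LVS-NAT director.
# Usage: lvs_nat_ruleset EXT_IF INT_IF INT_NET VIP PORT
lvs_nat_ruleset() {
    [ "$#" -eq 5 ] || { echo "need: EXT_IF INT_IF INT_NET VIP PORT" >&2; return 2; }
    ext_if=$1 int_if=$2 int_net=$3 vip=$4 port=$5
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Goals 1 and 2: masquerade every protocol, but only for packets sourced
# from the internal network and leaving through the external interface.
-A POSTROUTING -s $int_net -o $ext_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Goal 3: the only new inbound traffic accepted is the LVS service on the VIP.
# Management access (for example ssh from a trusted host) must be added here.
-A INPUT -i $ext_if -d $vip -p tcp --dport $port -j ACCEPT
# Realservers going out, including their replies to LVS clients. No state
# match: those replies may not match a conntrack entry on the director.
-A FORWARD -i $int_if -o $ext_if -s $int_net -j ACCEPT
# Return traffic for connections the realservers opened themselves.
-A FORWARD -i $ext_if -o $int_if -d $int_net -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Addresses from the post; interface names and VIP are assumptions.
# Check the output with "iptables-restore --test" before loading it.
lvs_nat_ruleset eth0 eth1 10.0.1.0/24 10.0.0.254 80
```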

