I've set up a pair of machines running LVS with masquerading, and
things are working just dandy. However, I'd like to try and make things
a little bit more secure, and I'm having a bit of a hard time.
My goals are:
- The director should masquerade for real servers on the internal
network (all network traffic, not just the service that LVS is managing)
- The director should ONLY masquerade for internal clients - not
something like "iptables -t nat -A POSTROUTING -j MASQUERADE", which
will allow outside machines to masquerade as well.
- iptables should drop any new, incoming connection EXCEPT FOR the
LVS-enabled service.
I just can't seem to get all three working at once. If someone with
more expertise than I could suggest how to get that all working, I would
greatly appreciate it. After mangling my scripts for a couple of days,
they're in such disarray that it's probably easiest to start fresh.
Here is a bit more info:
director's external interface: 10.0.0.254 (/24)
director's internal interface: 10.0.1.254 (/24)
realservers: 10.0.1.1 - 10.0.1.2
service: http
Again, thanks in advance for any help.
Trevin Harlan
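A ruleset that meets the three goals in the post above, written as an added example (not Trevin's script, and not from the LVS project): it generates the director's firewall in iptables-restore format so it can be loaded atomically with a clean slate, plus the matching ipvsadm setup for LVS-NAT. The addresses are the ones given in the post; the interface names eth0/eth1 and the use of the conntrack match are assumptions. The key point is the source and interface match on the MASQUERADE rule: only packets that came from 10.0.1.0/24 and leave via the external interface get rewritten, so an outside host cannot be masqueraded through the director. Note that IPVS does its own address rewriting for the LVS service and, on current kernels, keeps those packets out of conntrack unless net.ipv4.vs.conntrack is enabled, so the MASQUERADE rule only affects the realservers' own outbound connections, which is what the first goal asks for.

```shell
#!/bin/sh
# Added example for an LVS-NAT director (not from the original post).
# Generates an iptables ruleset in iptables-restore format; "apply" loads it.
set -e

EXT_IF="${EXT_IF:-eth0}"   # assumed name of the external interface (10.0.0.254/24)
INT_IF="${INT_IF:-eth1}"   # assumed name of the internal interface (10.0.1.254/24)
INT_NET="10.0.1.0/24"      # realservers and other internal clients
VIP="10.0.0.254"           # external address the LVS service is advertised on
SVC_PORT="80"              # the LVS-managed service (http)
REALSERVERS="10.0.1.1 10.0.1.2"

# Print the complete ruleset. Both tables are flushed on load, so "start fresh"
# happens every time this is applied.
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade only what arrived from the internal network and leaves via the
# external interface. A bare "-j MASQUERADE" with no -s/-o match would also
# rewrite any packet forwarded on behalf of an outside host.
-A POSTROUTING -s $INT_NET -o $EXT_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Assumption: internal hosts may open connections to the director itself
# (ssh, DNS, ...). Delete this line if the director should accept nothing new.
-A INPUT -i $INT_IF -s $INT_NET -m conntrack --ctstate NEW -j ACCEPT
# The only new connection accepted from outside: the LVS service on the VIP.
# IPVS picks the packet up after the INPUT chain (the VIP is a local address),
# rewrites the destination to a realserver and sends it out directly, so the
# accept belongs here, not in FORWARD.
-A INPUT -i $EXT_IF -d $VIP -p tcp --dport $SVC_PORT -m conntrack --ctstate NEW -j ACCEPT
# Forwarding: internal clients may go out, replies may come back, nothing else.
-A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically (requires root).
apply_rules() {
    gen_rules | iptables-restore
}

# LVS-NAT service definition: -m selects masquerading (NAT) forwarding.
setup_lvs() {
    sysctl -w net.ipv4.ip_forward=1
    ipvsadm -C
    ipvsadm -A -t "$VIP:$SVC_PORT" -s rr
    for rs in $REALSERVERS; do
        ipvsadm -a -t "$VIP:$SVC_PORT" -r "$rs:$SVC_PORT" -m
    done
}

case "${1:-}" in
    apply) apply_rules && setup_lvs ;;
    *)     gen_rules ;;
esac
```

Run it with no arguments to review the generated ruleset, and as root with `apply` to load it together with the ipvsadm configuration. The realservers must use 10.0.1.254 as their default gateway, otherwise their replies never pass back through the director to be un-NATed.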