LVS-Tun problem after firewall lockdown on Real Servers

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: LVS-Tun problem after firewall lockdown on Real Servers
Cc: Joel Nimety <jnimety@xxxxxxxxxxxxxxxx>
From: Joel Nimety <jnimety@xxxxxxxxxxxxxxx>
Date: Thu, 02 Jun 2005 11:55:35 -0400
I'm having an issue using LVS-Tun after applying the following iptables
firewall on my real servers.  I'm load balancing LDAP port 389. If I
disable the firewall load balancing works fine.  Any ideas?

Here's a tcpdump from the director when trying to do an ldapsearch
against the vip from a 3rd server, anonymized for your viewing pleasure:

16:04:59.742656 IP DIP > RIP: IP CIP.52424 > VIP.389: S
427333213:427333213(0) win 5840 <mss
1460,sackOK,timestamp 828766132 0,nop,wscale 0> (ipip-proto-4)

16:04:59.742771 IP RIP > DIP: icmp 88: RIP protocol 4 port 60 unreachable


--
Joel Nimety
Perimeter Internetworking Corp.
203.541.3416


[root@cybds01 root]# iptables -nL -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8 
       reject-with icmp-port-unreachable
 186K   12M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state RELATED,ESTABLISHED
    3   180 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 9930 1051K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       224.0.0.0/4          0.0.0.0/0   
       reject-with icmp-port-unreachable
 140K   23M PUB_IN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 PUB_IN     all  --  tunl0  *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 4088 packets, 999K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  *      *       10.25.1.226          0.0.0.0/0   
       tcp flags:0x16/0x12 TCPMSS set 1440
 238K   17M PUB_OUT    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain INT_IN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       reject-with icmp-port-unreachable

Chain INT_OUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PAROLE (2 references)
 pkts bytes target     prot opt in     out     source               destination
29725 1785K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
       icmp type 3
57926 4841K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
       icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
       icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
       icmp type 11
29725 1785K PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       tcp dpt:389
    0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       tcp dpt:636
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       udp dpt:389
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       udp dpt:636
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:23 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:21 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:143 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:110 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:79 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:111 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:512 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:513 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:98 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:22 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW udp dpt:31337 limit: avg 5/sec burst 8 LOG flags 0 
level 4 prefix `audit'
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
52206   16M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       reject-with icmp-port-unreachable

Chain PUB_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 238K   17M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
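The ICMP in the tcpdump above is the real server answering the director's IPIP packet with the REJECT at the bottom of PUB_IN: the outer protocol-4 packet traverses INPUT on eth0 before it is decapsulated, and the tunl0 jump only ever sees traffic that has already been accepted and unwrapped. The following walk-through of the posted rules shows that, as an added example that is not from the post or the LVS project; it assumes placeholder DIP/RIP/CIP/VIP addresses and uses a hand-transcribed subset of the listing.

```python
# Added example (not from the post): walk the real server's INPUT path for the two
# packets an LVS-Tun real server sees. CHAINS is a hand-transcribed subset of the
# poster's listing; DIP/RIP/CIP/VIP are placeholder addresses, not the poster's.
from ipaddress import ip_address, ip_network
DIP, RIP, CIP, VIP = "192.0.2.1", "192.0.2.2", "198.51.100.7", "192.0.2.100"
rule = lambda target, **match: {"target": target, **match}

CHAINS = {
    "INPUT": [
        rule("REJECT", proto="tcp", iface_not="lo", dst="127.0.0.0/8"),
        rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
        rule("ACCEPT", iface="lo"),
        rule("PUB_IN", iface="eth0"),   # the outer IPIP packet takes this jump
        rule("PUB_IN", iface="tunl0"),  # only a decapsulated packet can get here
        rule("REJECT"),
    ],
    "PUB_IN": [
        rule("ACCEPT", proto="icmp"),   # the four icmp-type ACCEPTs, collapsed
        rule("PAROLE", proto="tcp", dport=389),
        rule("REJECT"),                 # reject-with icmp-port-unreachable
    ],
    "PAROLE": [rule("ACCEPT")],
}

def matches(r, pkt):  # iptables AND semantics: every match present in r must hold
    return (r.get("proto", pkt["proto"]) == pkt["proto"]
            and r.get("iface", pkt["iface"]) == pkt["iface"]
            and r.get("iface_not") != pkt["iface"]
            and pkt["state"] in r.get("state", {pkt["state"]})
            and r.get("dport", pkt.get("dport")) == pkt.get("dport")
            and all(ip_address(pkt[k]) in ip_network(r[k]) for k in ("src", "dst") if k in r))

def verdict(chain, pkt, chains):  # first terminating target, None if chain RETURNs
    for r in (r for r in chains[chain] if matches(r, pkt)):
        t = r["target"]
        v = verdict(t, pkt, chains) if t in chains else (None if t == "LOG" else t)
        if v is not None:
            return v
    return None

def lvs_tun_fate(accept_ipip=False):
    """Return (fate of the outer IPIP packet, fate of the inner SYN or None if it was
    never decapsulated); accept_ipip prepends `iptables -I INPUT -i eth0 -p 4 -s DIP -j ACCEPT`."""
    chains = {k: list(v) for k, v in CHAINS.items()}
    if accept_ipip:
        chains["INPUT"].insert(0, rule("ACCEPT", proto="4", iface="eth0", src=DIP))
    outer = {"proto": "4", "iface": "eth0", "state": "NEW", "src": DIP, "dst": RIP}
    inner = {"proto": "tcp", "iface": "tunl0", "state": "NEW", "dport": 389, "src": CIP, "dst": VIP}
    o = verdict("INPUT", outer, chains) or "DROP"   # INPUT policy is DROP
    return o, ((verdict("INPUT", inner, chains) or "DROP") if o == "ACCEPT" else None)
```

With the posted rules the outer packet is rejected and the SYN never reaches tunl0; with a single ACCEPT for protocol 4 from the director both packets pass, and the existing dpt:389 rule still governs what the decapsulated traffic may reach.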
