I'm having an issue using LVS-Tun after applying the iptables firewall below on my real servers. I'm load balancing LDAP (TCP port 389). If I disable the firewall on the real servers, load balancing works fine. Any ideas?
Here's a tcpdump from the director while running an ldapsearch against the VIP from a third host (addresses anonymized for your viewing pleasure). The second packet is the real server's ICMP reply rejecting the encapsulated IPIP (IP protocol 4) packet that the director forwarded to it, so the filtering appears to happen on the real server rather than on the director:
16:04:59.742656 IP DIP > RIP: IP CIP.52424 > VIP.389: S
427333213:427333213(0) win 5840 <mss
1460,sackOK,timestamp 828766132 0,nop,wscale 0> (ipip-proto-4)
16:04:59.742771 IP RIP > DIP: icmp 88: RIP protocol 4 port 60 unreachable
--
Joel Nimety
Perimeter Internetworking Corp.
203.541.3416
------------------------------------------------------------------------
This e-mail transmission may contain information that is proprietary,
privileged and/or confidential and is intended exclusively for the
person(s) to whom it is addressed. Any use, copying, retention or
disclosure by any person other than the intended recipient or the
intended recipient's designees is strictly prohibited. If you have
received this message in error, please notify the sender immediately by
return e-mail and delete all copies.
[root@cybds01 root]# iptables -nL -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- !lo * 0.0.0.0/0 127.0.0.0/8
reject-with icmp-port-unreachable
186K 12M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
3 180 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
9930 1051K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 224.0.0.0/4 0.0.0.0/0
reject-with icmp-port-unreachable
140K 23M PUB_IN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 PUB_IN all -- tunl0 * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 4088 packets, 999K bytes)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 10.25.1.226 0.0.0.0/0
tcp flags:0x16/0x12 TCPMSS set 1440
238K 17M PUB_OUT all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain INT_IN (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Chain INT_OUT (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PAROLE (2 references)
pkts bytes target prot opt in out source destination
29725 1785K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PUB_IN (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3
57926 4841K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11
29725 1785K PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:389
0 0 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:636
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:389
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:636
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW tcp dpt:23 limit: avg 5/sec burst 8 LOG flags 0 level
4 prefix `audit'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW tcp dpt:21 limit: avg 5/sec burst 8 LOG flags 0 level
4 prefix `audit'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW tcp dpt:143 limit: avg 5/sec burst 8 LOG flags 0 level
4 prefix `audit'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW tcp dpt:110 limit: avg 5/sec burst 8 LOG flags 0 level
4 prefix `audit'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW tcp dpt:79 limit: avg 5/sec burst 8 LOG flags 0 level
4 prefix `audit'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW tcp dpt:111 limit: avg 5/sec burst 8 LOG flags 0 level
4 prefix `audit'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW tcp dpt:512 limit: avg 5/sec burst 8 LOG flags 0 level
4 prefix `audit'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW tcp dpt:513 limit: avg 5/sec burst 8 LOG flags 0 level
4 prefix `audit'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW tcp dpt:98 limit: avg 5/sec burst 8 LOG flags 0 level
4 prefix `audit'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW tcp dpt:22 limit: avg 5/sec burst 8 LOG flags 0 level
4 prefix `audit'
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW udp dpt:31337 limit: avg 5/sec burst 8 LOG flags 0
level 4 prefix `audit'
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
52206 16M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Chain PUB_OUT (1 references)
pkts bytes target prot opt in out source destination
238K 17M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0