Re: LVS-Tun problem after firewall lockdown on Real Servers

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: LVS-Tun problem after firewall lockdown on Real Servers
Cc: Joel Nimety <jnimety@xxxxxxxxxxxxxxxx>
From: kwijibo@xxxxxxxxxx
Date: Thu, 02 Jun 2005 10:20:32 -0600
I don't have much experience with IP-TUN so I don't
know what kind of tunneling it uses but it looks
like you are dropping the ipip protocol.


Joel Nimety wrote:
I'm having an issue using LVS-Tun after applying the following iptables
firewall on my real servers.  I'm load balancing LDAP port 389. If I
disable the firewall load balancing works fine.  Any ideas?

Here's a tcpdump from the director when trying to do an ldapsearch
against the vip from a 3rd server, anonymized for your viewing pleasure:

16:04:59.742656 IP DIP > RIP: IP CIP.52424 > VIP.389: S
427333213:427333213(0) win 5840 <mss
1460,sackOK,timestamp 828766132 0,nop,wscale 0> (ipip-proto-4)

16:04:59.742771 IP RIP > DIP: icmp 88: RIP protocol 4 port 60 unreachable



------------------------------------------------------------------------

[root@cybds01 root]# iptables -nL -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8 
       reject-with icmp-port-unreachable
 186K   12M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state RELATED,ESTABLISHED
    3   180 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 9930 1051K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       224.0.0.0/4          0.0.0.0/0   
       reject-with icmp-port-unreachable
 140K   23M PUB_IN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 PUB_IN     all  --  tunl0  *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 4088 packets, 999K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  *      *       10.25.1.226          0.0.0.0/0   
       tcp flags:0x16/0x12 TCPMSS set 1440
 238K   17M PUB_OUT    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain INT_IN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       reject-with icmp-port-unreachable

Chain INT_OUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PAROLE (2 references)
 pkts bytes target     prot opt in     out     source               destination
29725 1785K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
       icmp type 3
57926 4841K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
       icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
       icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
       icmp type 11
29725 1785K PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       tcp dpt:389
    0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       tcp dpt:636
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       udp dpt:389
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       udp dpt:636
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:23 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:21 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:143 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:110 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:79 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:111 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:512 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:513 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:98 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW tcp dpt:22 limit: avg 5/sec burst 8 LOG flags 0 level 
4 prefix `audit'
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
       state INVALID,NEW udp dpt:31337 limit: avg 5/sec burst 8 LOG flags 0 
level 4 prefix `audit'
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
52206   16M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       reject-with icmp-port-unreachable

Chain PUB_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 238K   17M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0




------------------------------------------------------------------------

_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users
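The reply above says the real server's firewall is dropping the IP-in-IP encapsulation that LVS-Tun relies on. The following audit script is an added example, not code from the thread or the LVS project: it walks an iptables-save style listing of the INPUT chain and reports whether the director's protocol-4 packets are accepted before a catch-all REJECT, using 10.0.0.1 as a placeholder for the director's DIP and rulesets constructed to mirror the post's chains.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save listing of the
# real server's INPUT chain and report whether the director's IP-in-IP
# packets (IP protocol 4, "ipip-proto-4" in the tcpdump) reach an ACCEPT
# before an unconditional DROP/REJECT. Only INPUT itself is walked; jumps
# to user chains such as PUB_IN are treated as non-terminating.
# The fix the reply points at is a rule like: iptables -I INPUT -s <DIP> -p 4 -j ACCEPT
# Use the number 4 (or "ipencap"): in /etc/protocols "ipip" is protocol 94.
# Exit 0 if protocol 4 from director $1 is accepted in INPUT, else 1.
ipip_allowed() {
    awk -v dip="$1" '
    $1 != "-A" || $2 != "INPUT" { next }
    {
        proto = ""; src = "0.0.0.0/0"; target = ""; narrowed = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "-s") src = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-i" || $i == "-o" || $i == "-d" || $i == "-m" || $i == "!")
                narrowed = 1          # rule carries extra matches: not a catch-all
        }
        from_dip = (src == "0.0.0.0/0" || src == dip || src == (dip "/32"))
        if (target == "ACCEPT" && (proto == "4" || proto == "ipencap") && from_dip) {
            found = 1; exit
        }
        if ((target == "DROP" || target == "REJECT") && proto == "" && !narrowed && src == "0.0.0.0/0")
            exit                      # catch-all reached first: tunnel packets are rejected
    }
    END { exit (found ? 0 : 1) }'
}
# Constructed rulesets modelled on the post (10.0.0.1 is a placeholder DIP).
broken_rules() {
    cat <<'EOF'
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j PUB_IN
-A INPUT -i tunl0 -j PUB_IN
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A PUB_IN -p tcp -m tcp --dport 389 -j ACCEPT
-A PUB_IN -j REJECT --reject-with icmp-port-unreachable
EOF
}
fixed_rules() { echo "-A INPUT -s 10.0.0.1/32 -p 4 -j ACCEPT"; broken_rules; }
wrong_proto_rules() { echo "-A INPUT -s 10.0.0.1/32 -p ipip -j ACCEPT"; broken_rules; }
for r in broken_rules fixed_rules wrong_proto_rules; do
    if $r | ipip_allowed 10.0.0.1; then echo "$r: ipip accepted"; else echo "$r: ipip rejected"; fi
done
```

On a live box, feed it with `iptables-save | ipip_allowed <DIP>`; the third ruleset shows why a rule written with `-p ipip` still leaves the tunnel blocked.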

