
Re: LVS-Tun problem after firewall lockdown on Real Servers

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: LVS-Tun problem after firewall lockdown on Real Servers
From: Joel Nimety <jnimety@xxxxxxxxxxxxxxx>
Date: Mon, 06 Jun 2005 09:16:44 -0400
Thanks for the hint.  Explicitly accepting protocol 4 (ipip) did the trick:

iptables -I INPUT -j ACCEPT --proto 4

-- Joel


kwijibo@xxxxxxxxxx wrote:
I don't have much experience with IP-TUN so I don't
know what kind of tunneling it uses but it looks
like you are dropping the ipip protocol.


Joel Nimety wrote:

I'm having an issue using LVS-Tun after applying the following iptables
firewall on my real servers.  I'm load balancing LDAP port 389. If I
disable the firewall load balancing works fine.  Any ideas?

Here's a tcpdump from the director when trying to do an ldapsearch
against the vip from a 3rd server, anonymized for your viewing pleasure:

16:04:59.742656 IP DIP > RIP: IP CIP.52424 > VIP.389: S
427333213:427333213(0) win 5840 <mss
1460,sackOK,timestamp 828766132 0,nop,wscale 0> (ipip-proto-4)

16:04:59.742771 IP RIP > DIP: icmp 88: RIP protocol 4 port 60 unreachable



------------------------------------------------------------------------

[root@cybds01 root]# iptables -nL -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable
 186K   12M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3   180 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 9930 1051K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       224.0.0.0/4          0.0.0.0/0           reject-with icmp-port-unreachable
 140K   23M PUB_IN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 PUB_IN     all  --  tunl0  *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 4088 packets, 999K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  *      *       10.25.1.226          0.0.0.0/0           tcp flags:0x16/0x12 TCPMSS set 1440
 238K   17M PUB_OUT    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain INT_IN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain INT_OUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PAROLE (2 references)
 pkts bytes target     prot opt in     out     source               destination
29725 1785K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3
57926 4841K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
29725 1785K PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:389
    0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:636
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:389
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:636
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW tcp dpt:23 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW tcp dpt:21 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW tcp dpt:143 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW tcp dpt:110 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW tcp dpt:79 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW tcp dpt:111 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW tcp dpt:512 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW tcp dpt:513 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW tcp dpt:98 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW tcp dpt:22 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW udp dpt:31337 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
52206   16M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain PUB_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 238K   17M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0




------------------------------------------------------------------------

_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users



--
Joel Nimety
Perimeter Internetworking Corp.
203.541.3416

------------------------------------------------------------------------
This e-mail transmission may contain information that is proprietary,
privileged and/or confidential and is intended exclusively for the
person(s) to whom it is addressed. Any use, copying, retention or
disclosure by any person other than the intended recipient or the
intended recipient's designees is strictly prohibited. If you have
received this message in error, please notify the sender immediately by
return e-mail and delete all copies.
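The fix in this thread accepts IP protocol 4 (IPIP, the encapsulation LVS-Tun uses) from any source. The following script is an added example, not code from the thread or from the LVS project: it checks a realserver's INPUT chain, as dumped by "iptables -S INPUT", for a rule that admits protocol 4 before the chain's catch-all reject, and prints a narrower version of the fix that only accepts the tunnel from the director's address on the interface it arrives on. The director address 192.0.2.10, the interface eth0, and the two rule dumps are constructed placeholders. Because the decapsulated inner packet re-enters INPUT on tunl0 and is sent through PUB_IN by the ruleset shown above, accepting the outer protocol-4 packet does not bypass the per-port filtering of the LDAP service.

```shell
#!/bin/sh
# Added example (not from the thread). Decide whether the INPUT chain of an
# LVS-Tun realserver admits the IPIP (protocol 4) packets sent by the
# director, and print a least-privilege rule to add when it does not.

DIRECTOR_IP="192.0.2.10"   # assumed director (DIP) address, placeholder
PUB_IF="eth0"              # assumed interface the tunnel arrives on

# Constructed dump in "iptables -S INPUT" form, mirroring the ruleset posted
# in the thread: TCP/UDP/ICMP are dispatched, nothing accepts protocol 4,
# so the final REJECT answers the director's tunnel packets.
SAMPLE_BEFORE='-P INPUT DROP
-A INPUT ! -i lo -d 127.0.0.0/8 -p tcp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -j PUB_IN
-A INPUT -i tunl0 -j PUB_IN
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# The same dump after inserting the scoped fix at the top of the chain.
SAMPLE_AFTER="-P INPUT DROP
-A INPUT -i $PUB_IF -s $DIRECTOR_IP -p 4 -j ACCEPT
$(printf '%s\n' "$SAMPLE_BEFORE" | sed 1d)"

# ipip_accepted DUMP
# Returns 0 if an INPUT rule accepting protocol 4 is reached before the
# chain's unconditional REJECT/DROP, 1 otherwise. iptables prints the
# protocol either numerically or by its /etc/protocols name, so the common
# spellings are all matched.
ipip_accepted() {
    printf '%s\n' "$1" | {
        while IFS= read -r rule; do
            case "$rule" in
                "-A INPUT "*" -p 4 "*"-j ACCEPT"*|\
                "-A INPUT "*" -p ipip "*"-j ACCEPT"*|\
                "-A INPUT "*" -p ipencap "*"-j ACCEPT"*)
                    exit 0 ;;
                "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*)
                    exit 1 ;;   # catch-all reached first: tunnel is refused
            esac
        done
        exit 1                  # no ACCEPT seen; policy applies
    }
}

# tunl0_filtered DUMP
# Returns 0 if packets decapsulated onto tunl0 are sent through a filter
# chain rather than accepted outright, so the inner packet is still
# subject to the service-port rules.
tunl0_filtered() {
    printf '%s\n' "$1" | grep -q -- '^-A INPUT -i tunl0 -j [A-Za-z_]*' &&
    ! printf '%s\n' "$1" | grep -q -- '^-A INPUT -i tunl0 -j ACCEPT'
}

# ipip_allow_rule
# Prints the narrow fix: accept IPIP only from the director, only on the
# interface it arrives on, instead of from everywhere.
ipip_allow_rule() {
    printf 'iptables -I INPUT -i %s -s %s -p 4 -j ACCEPT\n' "$PUB_IF" "$DIRECTOR_IP"
}

# Stand-alone demonstration on the constructed dumps.
for name in SAMPLE_BEFORE SAMPLE_AFTER; do
    eval "dump=\$$name"
    if ipip_accepted "$dump"; then
        echo "$name: IPIP from the director is accepted"
    else
        echo "$name: IPIP (protocol 4) is rejected; suggested rule:"
        ipip_allow_rule
    fi
    if tunl0_filtered "$dump"; then
        echo "$name: decapsulated packets on tunl0 are still filtered"
    fi
done
```

Run it against a live box by replacing the constructed dumps with the output of "iptables -S INPUT"; the source and interface restriction is what keeps the tunnel acceptance from becoming a general hole in an otherwise default-DROP chain.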
