Re: LVS-Tun problem after firewall lockdown on Real Servers

To:	"LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject:	Re: LVS-Tun problem after firewall lockdown on Real Servers
From:	Joel Nimety <jnimety@xxxxxxxxxxxxxxx>
Date:	Mon, 06 Jun 2005 09:16:44 -0400

Thanks for the hint.  Explicitly accepting protocol 4 (ipip) did the trick:

iptables -I INPUT -j ACCEPT --proto 4

-- Joel


kwijibo@xxxxxxxxxx wrote:

I don't have much experience with IP-TUN so I don't
know what kind of tunneling it uses but it looks
like you are dropping the ipip protocol.


Joel Nimety wrote:
I'm having an issue using LVS-Tun after applying the following iptables
firewall on my real servers.  I'm load balancing LDAP port 389. If I
disable the firewall load balancing works fine.  Any ideas?

Here's a tcpdump from the director when trying to do an ldapsearch
against the vip from a 3rd server, anonymized for your viewing pleasure:

16:04:59.742656 IP DIP > RIP: IP CIP.52424 > VIP.389: S
427333213:427333213(0) win 5840 <mss
1460,sackOK,timestamp 828766132 0,nop,wscale 0> (ipip-proto-4)

16:04:59.742771 IP RIP > DIP: icmp 88: RIP protocol 4 port 60 unreachable



------------------------------------------------------------------------

[root@cybds01 root]# iptables -nL -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out sourcedestination0 0 REJECT tcp -- !lo * 0.0.0.0/0127.0.0.0/8 reject-with icmp-port-unreachable186K 12M ACCEPT all -- * * 0.0.0.0/00.0.0.0/0 state RELATED,ESTABLISHED3 180 ACCEPT all -- lo * 0.0.0.0/00.0.0.0/09930 1051K ACCEPT all -- eth1 * 0.0.0.0/00.0.0.0/00 0 REJECT all -- * * 224.0.0.0/40.0.0.0/0 reject-with icmp-port-unreachable140K 23M PUB_IN all -- eth0 * 0.0.0.0/00.0.0.0/00 0 PUB_IN all -- tunl0 * 0.0.0.0/00.0.0.0/00 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out sourcedestination0 0 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0 state RELATED,ESTABLISHED0 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 4088 packets, 999K bytes)
pkts bytes target prot opt in out sourcedestination0 0 TCPMSS tcp -- * * 10.25.1.2260.0.0.0/0 tcp flags:0x16/0x12 TCPMSS set 1440238K 17M PUB_OUT all -- * eth0 0.0.0.0/00.0.0.0/0
Chain INT_IN (0 references)
pkts bytes target prot opt in out sourcedestination0 0 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/00 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0 reject-with icmp-port-unreachable
Chain INT_OUT (0 references)
pkts bytes target prot opt in out sourcedestination0 0 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/00 0 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0
Chain PAROLE (2 references)
pkts bytes target prot opt in out sourcedestination29725 1785K ACCEPT all -- * * 0.0.0.0/00.0.0.0/0
Chain PUB_IN (2 references)
pkts bytes target prot opt in out sourcedestination0 0 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/0 icmp type 357926 4841K ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/0 icmp type 80 0 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/0 icmp type 00 0 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/0 icmp type 1129725 1785K PAROLE tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:3890 0 PAROLE tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:6360 0 ACCEPT udp -- * * 0.0.0.0/00.0.0.0/0 udp dpt:3890 0 ACCEPT udp -- * * 0.0.0.0/00.0.0.0/0 udp dpt:6360 0 LOG tcp -- * * 0.0.0.0/00.0.0.0/0 state INVALID,NEW tcp dpt:23 limit: avg 5/sec burst8 LOG flags 0 level 4 prefix `audit'0 0 LOG tcp -- * * 0.0.0.0/00.0.0.0/0 state INVALID,NEW tcp dpt:21 limit: avg 5/sec burst8 LOG flags 0 level 4 prefix `audit'0 0 LOG tcp -- * * 0.0.0.0/00.0.0.0/0 state INVALID,NEW tcp dpt:143 limit: avg 5/secburst 8 LOG flags 0 level 4 prefix `audit'0 0 LOG tcp -- * * 0.0.0.0/00.0.0.0/0 state INVALID,NEW tcp dpt:110 limit: avg 5/secburst 8 LOG flags 0 level 4 prefix `audit'0 0 LOG tcp -- * * 0.0.0.0/00.0.0.0/0 state INVALID,NEW tcp dpt:79 limit: avg 5/sec burst8 LOG flags 0 level 4 prefix `audit'0 0 LOG tcp -- * * 0.0.0.0/00.0.0.0/0 state INVALID,NEW tcp dpt:111 limit: avg 5/secburst 8 LOG flags 0 level 4 prefix `audit'0 0 LOG tcp -- * * 0.0.0.0/00.0.0.0/0 state INVALID,NEW tcp dpt:512 limit: avg 5/secburst 8 LOG flags 0 level 4 prefix `audit'0 0 LOG tcp -- * * 0.0.0.0/00.0.0.0/0 state INVALID,NEW tcp dpt:513 limit: avg 5/secburst 8 LOG flags 0 level 4 prefix `audit'0 0 LOG tcp -- * * 0.0.0.0/00.0.0.0/0 state INVALID,NEW tcp dpt:98 limit: avg 5/sec burst8 LOG flags 0 level 4 prefix `audit'0 0 LOG tcp -- * * 0.0.0.0/00.0.0.0/0 state INVALID,NEW tcp dpt:22 limit: avg 5/sec burst8 LOG flags 0 level 4 prefix `audit'0 0 LOG udp -- * * 0.0.0.0/00.0.0.0/0 state INVALID,NEW udp dpt:31337 limit: avg 5/secburst 8 LOG flags 0 level 4 prefix `audit'0 0 DROP icmp -- * * 0.0.0.0/00.0.0.0/052206 16M REJECT all -- * * 0.0.0.0/00.0.0.0/0 reject-with icmp-port-unreachable
Chain PUB_OUT (1 references)
pkts bytes target prot opt in out sourcedestination238K 17M ACCEPT all -- * * 0.0.0.0/00.0.0.0/0
------------------------------------------------------------------------

_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users


--
Joel Nimety
Perimeter Internetworking Corp.
203.541.3416

------------------------------------------------------------------------
This e-mail transmission may contain information that is proprietary,
privileged and/or confidential and is intended exclusively for the
person(s) to whom it is addressed. Any use, copying, retention or
disclosure by any person other than the intended recipient or the
intended recipient's designees is strictly prohibited. If you have
received this message in error, please notify the sender immediately by
return e-mail and delete all copies.

<Prev in Thread]	Current Thread	[Next in Thread>
LVS-Tun problem after firewall lockdown on Real Servers, Joel Nimety Re: LVS-Tun problem after firewall lockdown on Real Servers, kwijibo Re: LVS-Tun problem after firewall lockdown on Real Servers, Joel Nimety <=

Previous by Date:	Re: IPVSADM hangs with SMP kernel ??, Sebastiaan Veldhuisen
Next by Date:	RE: lvs active/active, PMilanese
Previous by Thread:	Re: LVS-Tun problem after firewall lockdown on Real Servers, kwijibo
Next by Thread:	Problems with ipvsadm connection synchronization, Sebastiaan Veldhuisen
Indexes:	[Date] [Thread] [Top] [All Lists]