I'm having an issue using LVS-Tun after applying the following iptables
firewall on my real servers. I'm load balancing LDAP port 389. If I
disable the firewall, load balancing works fine. Any ideas?
Here's a tcpdump from the director when trying to do an ldapsearch
against the vip from a 3rd server, anonymized for your viewing pleasure:
16:04:59.742656 IP DIP > RIP: IP CIP.52424 > VIP.389: S 427333213:427333213(0) win 5840 <mss 1460,sackOK,timestamp 828766132 0,nop,wscale 0> (ipip-proto-4)
16:04:59.742771 IP RIP > DIP: icmp 88: RIP protocol 4 port 60 unreachable
------------------------------------------------------------------------
[root@cybds01 root]# iptables -nL -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
 186K   12M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   180 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 9930 1051K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       224.0.0.0/4          0.0.0.0/0            reject-with icmp-port-unreachable
 140K   23M PUB_IN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 PUB_IN     all  --  tunl0  *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 4088 packets, 999K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  *      *       10.25.1.226          0.0.0.0/0            tcp flags:0x16/0x12 TCPMSS set 1440
 238K   17M PUB_OUT    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain INT_IN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain INT_OUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PAROLE (2 references)
 pkts bytes target     prot opt in     out     source               destination
29725 1785K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 3
57926 4841K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 11
29725 1785K PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:389
    0     0 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:636
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:389
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:636
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW tcp dpt:23 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW tcp dpt:21 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW tcp dpt:143 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW tcp dpt:110 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW tcp dpt:79 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW tcp dpt:111 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW tcp dpt:512 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW tcp dpt:513 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW tcp dpt:98 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW tcp dpt:22 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW udp dpt:31337 limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
52206   16M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain PUB_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 238K   17M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
------------------------------------------------------------------------
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users
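Added example for the failure the tcpdump above shows; it is not part of the original post and not LVS project code. LVS-Tun hands each client packet to the real server wrapped in IP protocol 4 (IPIP). netfilter sees that outer packet on eth0, so the INPUT chain has to ACCEPT protocol 4 before the kernel can decapsulate it and present the inner packet on tunl0. In the listing above nothing accepts protocol 4 on eth0 (PUB_IN only matches icmp, tcp and udp), so the trailing REJECT answers with the "protocol 4 ... unreachable" ICMP seen on the director, and the tunl0 PUB_IN jump never counts a packet. The script below parses `iptables -nL -v` output and reports whether a chain accepts IPIP before its catch-all REJECT/DROP. The two listings are constructed samples in the shape of the poster's INPUT chain, 192.0.2.1 is a constructed director address, and the prot column is matched as `4`, `ipencap` or `ipip` because which one iptables prints depends on the version and on /etc/protocols.

```shell
#!/bin/sh
# Added example (not from the original post or the LVS project): check an
# iptables -nL -v listing for an INPUT-chain ACCEPT of IP protocol 4 (IPIP),
# which an LVS-Tun real server needs so encapsulated packets reach tunl0.

# Constructed sample in the shape of the poster's INPUT chain: no IPIP accept.
BROKEN_INPUT='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
 186K   12M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 140K   23M PUB_IN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 PUB_IN     all  --  tunl0  *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# Constructed sample of the same chain after inserting, ahead of the eth0
# PUB_IN jump, an accept for IPIP from the director only (192.0.2.1 is a
# constructed director address). The rule that produces that line is:
#   iptables -I INPUT 3 -i eth0 -p 4 -s 192.0.2.1 -j ACCEPT
# Restricting the source keeps arbitrary hosts from injecting tunnelled
# packets at the real server; only the director should be sending IPIP.
FIXED_INPUT='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
 186K   12M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   12  1080 ACCEPT     4    --  eth0   *       192.0.2.1            0.0.0.0/0
 140K   23M PUB_IN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   12   912 PUB_IN     all  --  tunl0  *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# ipip_status CHAIN < listing
# Reads iptables -nL -v output on stdin. Prints "ok" when CHAIN contains an
# ACCEPT whose prot column is 4 (or ipencap/ipip, depending on how the
# iptables build names protocol 4) before the chain's first catch-all
# REJECT/DROP, otherwise "missing". Rules after a catch-all never match,
# so an accept placed there does not count.
ipip_status() {
  awk -v chain="$1" '
    /^Chain / { in_chain = ($2 == chain); next }
    !in_chain || $1 == "pkts" || NF == 0 { next }
    # columns: $3 target, $4 prot, $6 in, $7 out, $8 source, $9 destination
    $3 == "ACCEPT" && ($4 == "4" || $4 == "ipencap" || $4 == "ipip") { found = 1 }
    # an any-protocol, any-address REJECT/DROP ends the reachable part of the chain
    ($3 == "REJECT" || $3 == "DROP") && $4 == "all" && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" { in_chain = 0 }
    END { print (found ? "ok" : "missing") }
  '
}

# Run against the two samples; on a real server pipe live output instead:
#   iptables -nL -v | ipip_status INPUT
printf 'sample without IPIP accept: %s\n' "$(printf '%s\n' "$BROKEN_INPUT" | ipip_status INPUT)"
printf 'sample with IPIP accept:    %s\n' "$(printf '%s\n' "$FIXED_INPUT" | ipip_status INPUT)"
```

Once the accept is in place, the tunl0 PUB_IN counter should start moving and the existing `tcp dpt:389` rule in PUB_IN handles the decapsulated LDAP packet; no change to PUB_IN itself is needed. Because replies in LVS-Tun go straight from the real server to the client, the OUTPUT chain in the listing already covers the return path.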