|
On Wed, 12 Sep 2007, Gary W. Smith wrote:
> I need to put together a firewall for a site that will
> also have a need for ipvsadm services running with it.
> Our original idea was to forward several of the external
> IP's into a second box, behind the wall, running ipvsadm.
I assume you mean the box is a director.
> When rethinking about the problem, we thought that we
> might be able to just run iptables and ipvsadm on the same
> box. I recall from an issue I had a couple years back
> that this might not be possible. So I'm checking to see
> if it is and if so, what I should expect.
sometimes it works OK and sometimes it doesn't.
> * Firewall would be 1.1.1.2 on eth0
> * Firewall would also have aliases for 1.1.1.3, 1.1.1.4, and 1.1.1.5 on eth0
use secondary IPs not aliases.
> iptables would have this:
>
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
accept nic:VIP:port, all else reject
you don't want people connecting from the outside world to
anything but the VIP:port
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
|
