Re: [lvs-users] IPVSADM/IPTables question

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] IPVSADM/IPTables question
From: Joseph Mack NA3T <jmack@xxxxxxxx>
Date: Wed, 12 Sep 2007 10:25:31 -0700 (PDT)
On Wed, 12 Sep 2007, Gary W. Smith wrote:

> I need to put together a firewall for a site that will 
> also have a need for ipvsadm services running with it. 
> Our original idea was to forward several of the external 
> IP's into a second box, behind the wall, running ipvsadm.

I assume you mean the box is a director.

> When rethinking about the problem, we thought that we 
> might be able to just run iptables and ipvsadm on the same 
> box.  I recall from an issue I had a couple years back 
> that this might not be possible.  So I'm checking to see 
> if it is and if so, what I should expect.

sometimes it works OK and sometimes it doesn't.

> * Firewall would be on eth0
> * Firewall would also have aliases for,, and on eth0

use secondary IPs not aliases.

> iptables would have this:
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

accept nic:VIP:port, all else reject

you don't want people connecting from the outside world to 
anything but the VIP:port


Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at
Homepage It's GNU/Linux!

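The firewall policy in the reply above ("accept nic:VIP:port, all else reject") together with the matching ipvsadm service, written out as an added example that is not from the list post. It assumes eth0 as the external NIC (named in the thread), a constructed VIP 192.0.2.10, constructed realservers 10.0.0.11 and 10.0.0.12, LVS-NAT forwarding (`-m`), and the ip(8) form of adding a secondary address rather than an eth0:0 alias.

```shell
#!/bin/sh
# Added example, not from the list post: express the "accept nic:VIP:port,
# all else reject" INPUT policy as iptables commands, next to the matching
# ipvsadm service definition. VIP and realserver addresses are constructed;
# LVS-NAT (-m) is an assumption.
EXT_IF="${EXT_IF:-eth0}"               # external NIC named in the thread
VIP="${VIP:-192.0.2.10}"               # constructed VIP (TEST-NET-1 range)
VPORT="${VPORT:-80}"
RIPS="${RIPS:-10.0.0.11 10.0.0.12}"    # constructed realservers behind the director

# Bring the VIP up as a secondary address on EXT_IF (ip(8) form) rather than
# an ifconfig-style eth0:0 alias, as the reply recommends.
build_vip_address() {
    echo "ip addr add $VIP/32 dev $EXT_IF"
}

# INPUT chain: only EXT_IF:VIP:VPORT is reachable from outside. Loopback and
# reply traffic are allowed first; the final rule rejects everything else that
# arrives on the external NIC. Order matters: iptables matches top to bottom.
build_input_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $VIP -p tcp -m tcp --dport $VPORT -j ACCEPT
iptables -A INPUT -i $EXT_IF -j REJECT
EOF
}

# IPVS service on VIP:VPORT with one NAT (-m) realserver entry per RIP.
build_ipvs_commands() {
    echo "ipvsadm -A -t $VIP:$VPORT -s wlc"
    for rip in $RIPS; do
        echo "ipvsadm -a -t $VIP:$VPORT -r $rip:$VPORT -m"
    done
}

# Sanity check: the VIP ACCEPT rule must precede the catch-all REJECT,
# otherwise the REJECT shadows it and the service is unreachable.
accept_precedes_reject() {
    build_input_rules | awk '
        /--dport/ && /-j ACCEPT/ { acc = NR }
        /-j REJECT/              { rej = NR }
        END { exit !(acc && rej && acc < rej) }'
}

# "print" (default) shows the commands; "apply" runs them after the order check.
case "${1:-print}" in
    print) build_vip_address; build_input_rules; build_ipvs_commands ;;
    apply) accept_precedes_reject || { echo "rule order wrong" >&2; exit 1; }
           { build_vip_address; build_input_rules; build_ipvs_commands; } | sh ;;
esac
```

Packets for the VIP are checked against INPUT before IPVS takes them at LOCAL_IN, which is why the ACCEPT for VIP:port has to be there and why nothing else on the external NIC should be. With LVS-NAT the realservers' replies traverse the FORWARD chain and `net.ipv4.ip_forward` must be enabled; this script deliberately leaves FORWARD untouched so that the existing forwarding rules on the box stay as they are.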