On Fri, 21 Sep 2007, Gerry Reno wrote:
> Ok, what I've found is that if I set the 'hit_count' high to say 100
> then I can login but the connection dies very quickly (actually it just
> hangs). So I think the limit rule is applying to more than just NEW
> packets. The higher that I set 'hit_count' the longer the connection
> will last. So is there something wrong with the way I've implemented
> this or is this a bug in iptables or the kernel?
Is this your problem? It's the tail (not in the HOWTO yet)
of an off-list exchange from a similar sounding problem. You
can start here
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.filter_rules.html#gratuitous_icmp
Joe
--------------
From: Klaas Jan Wierenga <k.j.wierenga@xxxxxxx>
To: Joseph Mack NA3T <jmack@xxxxxxxx>
Cc: Horms <horms@xxxxxxxxxxxx>, Graeme Fowler <graeme@xxxxxxxxxxx>
Subject: Re: lvs: off-list: Re: Long sessions through LVS DR director terminated by icmp-host-prohibited (ICMP type 3 code 10)
Hi all,
Not really. It appears to be a netfilter problem because
when I changed my firewall rules (/etc/sysconfig/iptables)
to disable connection tracking, the problem went away.
# Don't do connection tracking on port 80 and 8000 because
# sometimes it results in dropped connections due to
# ICMP_HOST_UNREACHABLE messages
#-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 8000 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 8000 -j ACCEPT
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
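An added example, not part of the thread above: a small audit helper that scans an iptables-save style ruleset and lists the ACCEPT rules for given destination ports that depend on connection state (`-m state` / `-m conntrack`). On an LVS-DR director the realservers reply straight to the client, so the director's conntrack never sees the return half of a flow, and such rules are the ones the forwarded message comments out. The ruleset below is constructed to mirror the quoted rules; the chain name and the final REJECT rule are assumptions about the file, not taken from the thread.

```shell
# Constructed sample ruleset (assumed layout of a RH-style /etc/sysconfig/iptables).
SAMPLE_RULES='*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 8000 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# stateful_rules_for_ports RULES PORT...
# Print every rule that matches one of the given --dport values AND relies on
# connection tracking state. On a DR director these are the rules to review,
# since the director only ever sees the client-to-realserver direction.
stateful_rules_for_ports() {
    rules=$1
    shift
    for port in "$@"; do
        printf '%s\n' "$rules" \
            | grep -E -- "--dport $port"'( |$)' \
            | grep -E -- '-m (state|conntrack)' || true
    done
}

# count_stateful_rules RULES PORT...
# Same scan, but return only the number of matching rules (0 when none).
count_stateful_rules() {
    stateful_rules_for_ports "$@" | grep -c . || true
}

# Example run against the constructed sample: lists the two port 80/8000 rules.
stateful_rules_for_ports "$SAMPLE_RULES" 80 8000
```

Point the functions at `iptables-save` output (or the sysconfig file) to find the same pattern on a real director.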