Thomas Pedoussaut wrote:
> I came across a very strange problem.
>
I'm replying here to leave a record in the archive in case someone else has
the same issue.
> For one of my dozen services (a straight TCP connection), the
> TCP FIN packets that arrive on the load balancer are never passed
> to the real server.
>
> I activated iptables logging and could see the FIN packets being dropped.
> No idea why the FINs are dropped and not the other ones. I obviously have
> the --state ESTABLISHED,RELATED -j ACCEPT in my iptables rules.
>
Basically, all packets (SYN and non-SYN) are allowed by the "--state
NEW" iptables rule but not by the ESTABLISHED,RELATED one, because the director
never sees the replies from the real server and so never creates a
conntrack entry for that connection.
When a FIN packet arrives, it is not validated as --state NEW, because
its FIN flag is set, and so that particular packet is dropped.
> I had a quick look at /proc/net/ip_conntrack before, during and after
> the connection but nothing specific to that connection seems to be
> inserted (the module is loaded and other traffic gets tracked).
>
So the solution is to change the iptables rule from
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $VPORT -j ACCEPT
to
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport $VPORT -j ACCEPT
> Google doesn't really help. Someone had a similar problem last year but
> it was never publicly solved.
>
And now I hope this post will get crawled and indexed.
--
Thomas Pedoussaut
http://www.synerginetworking.com/blog/
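The following is an added illustration of the mechanism described in the post above; it is not code from Thomas or from the LVS project. It models, in a deliberately simplified way, what netfilter's TCP conntrack tracker does with a packet that has no existing conntrack entry, which is the situation on the director described above (no entry for the virtual service ever appears in /proc/net/ip_conntrack because the real server's replies never pass through the director). The flag handling mirrors the "no entry yet" row of the kernel's TCP state table: a SYN opens a NEW entry, a bare ACK is picked up mid-stream as NEW when nf_conntrack_tcp_loose is on (the default), and a FIN, RST or SYN/ACK is INVALID. The port number, rule objects and sample packets are constructed for the illustration and are assumptions, not values from the post.

```python
"""Why '--state NEW' lets the SYN and data ACKs through but drops the FIN.

Added illustration, not code from the original post.  Simplified model of
netfilter's TCP tracker for the case where NO conntrack entry exists, which
is what happens on an LVS director that only ever sees one direction of the
connection.  Sample port and packets are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VPORT = 8080  # assumed virtual service port ($VPORT in the post)


@dataclass(frozen=True)
class Packet:
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def conntrack_state(pkt: Packet, tcp_loose: bool = True) -> str:
    """ctstate the tracker assigns to a TCP packet with no existing entry.

    Order of checks follows the kernel's flag classification (RST first,
    then SYN, then FIN, then ACK).  Only SYN, and a bare ACK under
    tcp_loose, can create an entry; everything else is INVALID.
    """
    f = pkt.flags
    if "RST" in f:
        return "INVALID"
    if "SYN" in f and "ACK" not in f:
        return "NEW"            # a SYN opens a new entry
    if "SYN" in f:
        return "INVALID"        # SYN/ACK without a tracked SYN
    if "FIN" in f:
        return "INVALID"        # exactly the case in the post
    if "ACK" in f and tcp_loose:
        return "NEW"            # mid-stream pickup (nf_conntrack_tcp_loose=1)
    return "INVALID"


@dataclass(frozen=True)
class Rule:
    dport: Optional[int]          # None: no --dport match
    states: Optional[frozenset]   # None: no '-m state' match at all
    target: str = "ACCEPT"

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return self.states is None or state in self.states


# The generic rule present in the post's chain and the two per-service variants.
ESTABLISHED_RULE = Rule(dport=None, states=frozenset({"ESTABLISHED", "RELATED"}))
OLD_RULE = Rule(dport=VPORT, states=frozenset({"NEW"}))  # -m state --state NEW ... --dport $VPORT
NEW_RULE = Rule(dport=VPORT, states=None)                 # -m tcp -p tcp --dport $VPORT


def filter_input(pkts: List[Packet], rules: List[Rule], policy: str = "DROP",
                 tcp_loose: bool = True) -> List[Tuple[List[str], str, str]]:
    """Walk an INPUT chain for each packet; return (flags, ctstate, verdict).

    Every packet is evaluated with no pre-existing entry, reproducing a
    director that never sees the reply direction.
    """
    out = []
    for pkt in pkts:
        state = conntrack_state(pkt, tcp_loose)
        verdict = policy
        for rule in rules:
            if rule.matches(pkt, state):
                verdict = rule.target
                break
        out.append((sorted(pkt.flags), state, verdict))
    return out


# Constructed client->VIP packets, the only direction the director sees.
CLIENT_FLOW = [
    Packet(40000, VPORT, frozenset({"SYN"})),
    Packet(40000, VPORT, frozenset({"ACK"})),          # handshake ACK / data
    Packet(40000, VPORT, frozenset({"ACK", "FIN"})),   # client closes
]


def verdicts(rules: List[Rule], tcp_loose: bool = True) -> List[str]:
    """Just the verdict column, for the chain built from `rules`."""
    return [v for _, _, v in filter_input(CLIENT_FLOW, rules, tcp_loose=tcp_loose)]


if __name__ == "__main__":
    for label, rules in (("old rule", [ESTABLISHED_RULE, OLD_RULE]),
                         ("new rule", [ESTABLISHED_RULE, NEW_RULE])):
        print(label)
        for flags, state, verdict in filter_input(CLIENT_FLOW, rules):
            print(f"  {'/'.join(flags):8s} ctstate={state:8s} -> {verdict}")
```

Running it shows the SYN and the data ACK accepted under both chains and only the FIN dropped under the old `--state NEW` rule, which is the pattern in the iptables log above. The model also shows the related caveat: with nf_conntrack_tcp_loose set to 0 the data packets would be INVALID as well, so the original rule would have broken the service after the SYN, not just at close.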