Re: [lvs-users] LVS Open Proxy Problem

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] LVS Open Proxy Problem
From: "Ahmad Amran Kapi" <r0kawa@xxxxxxxxx>
Date: Tue, 16 Sep 2008 07:42:11 +0800
Hi,
Below is the info that I can give you; please let me know what
details you need to debug this.
The servers are only for web server load balancing + high availability
using heartbeat. The director server also acts as a real server, and I
only have 2 servers using 3 IPs: 1 is for the VIP and 2 are for the Real IPs.
http://www.ultramonkey.org/3/topologies/sl-ha-lb-overview.html

[root@luigi ~]# cat /etc/redhat-release
CentOS release 5 (Final)
[root@luigi ~]# uname -a
Linux luigi 2.6.18-53.1.14.el5 #1 SMP Wed Mar 5 11:36:49 EST 2008 i686
i686 i386 GNU/Linux

[root@mario ~]# ipvsadm --version
ipvsadm v1.24 2003/06/07 (compiled with popt and IPVS v1.2.0)

iptables is empty, and what I can think of is that the default sysctl.conf
allows IP forwarding because of the LVS-DR setting:

    # Change the default TTL to help obscure OS fingerprinting
    net.ipv4.ip_default_ttl = 128

    # Enable packet forwarding
    net.ipv4.ip_forward = 1

    # Hide lo so that it doesn't answer ARP requests
    net.ipv4.conf.all.arp_ignore = 1
    net.ipv4.conf.eth0.arp_ignore = 1
    net.ipv4.conf.all.arp_announce = 2
    net.ipv4.conf.eth0.arp_announce = 2


At first I thought that my server had been hacked, but after I checked
another site with the same setting (I've 2 setups in different locations)
the result was the same. Local users can use the LVS server as a
proxy. Any suggestion where I need to look?

-amran-

On Mon, Sep 15, 2008 at 4:27 PM, Graeme Fowler <graeme@xxxxxxxxxxx> wrote:
> Ahmad
>
> On Mon, 2008-09-15 at 14:51 +0800, Ahmad Amran Kapi wrote:
>> I've set up LVS successfully using LVS-DR with two servers. The
>> problem, however, is that because of some company policy we're blocking
>> some websites from our internal users, but the users can skip this
>> blocking by using the LVS server, e.g. they have set up their browser
>> to use the LVS IP on port 80 as a proxy. Is there any way I can block
>> users from using my LVS server as a proxy?
>
> I think you need to give us more information - your LVS clearly isn't
> frontending a bunch of mail servers, for example!
>
> What are you load balancing - squid, apache, something else?
>
> Whatever it is it sounds as though this is an application issue, not
> LVS.
>
> Graeme
>
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>



-- 
Ahmad Amran Kapi
Art In Software Sdn Bhd
Suite 2.5 Inkubator K-Ekonomi
75450 Ayer Keroh
Melaka.
06-2322464 / 013-6102545
http://www.aist.com.my
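Graeme's point that this is an application issue rather than LVS suggests the first check a defender would run on the real servers behind the VIP: look in the web server's access log for requests that only a browser configured to use the server as an HTTP proxy would send (an absolute-form request target naming a host the service does not serve, or a CONNECT tunnel request). The script below is an added example, not code from this thread; SERVED_HOSTS and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Hostnames and addresses this virtual service legitimately serves (assumed values).
SERVED_HOSTS = {"www.example.com", "example.com", "192.0.2.10"}

# Apache/nginx "combined"-style access log: client ident user [date] "METHOD TARGET HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def is_forward_proxy_request(method, target):
    """True when the request line is proxy-style: a CONNECT tunnel request, or an
    absolute-form target (http://host/...) whose host is not one this service serves.
    Origin-form targets (/path) and absolute-form targets for our own hosts, which
    HTTP/1.1 permits from ordinary clients, are not flagged."""
    if method == "CONNECT":
        return True
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.netloc:
        return (parts.hostname or "").lower() not in SERVED_HOSTS
    return False


def find_proxy_abuse(log_lines):
    """Return (client, method, target, status) for every proxy-style request found."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_forward_proxy_request(m["method"], m["target"]):
            hits.append((m["client"], m["method"], m["target"], m["status"]))
    return hits


# Constructed sample log lines: one normal request, one proxied fetch of a
# blocked site, one absolute-form request for our own host, one CONNECT attempt.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Sep/2008:07:40:01 +0800] "GET /index.html HTTP/1.1" 200 1234',
    '10.0.0.5 - - [16/Sep/2008:07:40:05 +0800] "GET http://blocked.example.net/ HTTP/1.1" 200 5120',
    '10.0.0.7 - - [16/Sep/2008:07:41:10 +0800] "GET http://www.example.com/about HTTP/1.1" 200 900',
    '10.0.0.5 - - [16/Sep/2008:07:42:00 +0800] "CONNECT mail.example.net:443 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in find_proxy_abuse(SAMPLE_LOG):
        print("proxy-style request from %s: %s %s -> %s" % hit)
```

A 200 status on a flagged line means the real server actually fulfilled the proxied request, so the fix belongs in that server's configuration (for Apache, ProxyRequests Off, assuming that is what the real servers run); a 4xx means it already refuses and only the attempts need monitoring.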