I actually expected to see some different rules than what I have.
Not sure what I need to add.
Here are my current tables.
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24     state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  192.168.122.10       anywhere             PHYSDEV match --physdev-in vif2.0
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vif2.0 udp spt:bootpc dpt:bootps

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
On Wed, 2008-09-17 at 12:59 -0400, Laurentiu C. Badea (L.C.) wrote:
>
> Graeme Fowler wrote:
> > Simple question: does the realserver (the VM, 192.168.122.10) have a
> > route direct back to the 10.0.0.0/whatever network?
> >
>
> Xen creates a virtual bridge and adds a few iptables rules to control
> access and do NAT for its clients, while the host domain becomes their
> gateway. So you have the LVS setup sitting on top of a NAT router.
>
> I would take a look at the iptables setup and check the packet counters
> during a query, especially on reject rules. Then try to insert rules to
> make it work and make sure the ruleset is maintained across reboots (Xen
> dynamically inserts rules when the bridges are brought up).
>
> --
> Laurentiu
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
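The counter check suggested in the quoted reply, as an added example that is not part of the original thread: a POSIX shell function that diffs two snapshots of `iptables -L FORWARD -v -n -x` taken before and after a test query and reports which rules actually matched, so a REJECT rule eating the LVS traffic shows up immediately. The two snapshots in demo_diff are constructed for this example (rule layout follows the ruleset posted above, the counters are invented), and the function assumes the ruleset itself does not change between the two snapshots.

```shell
#!/bin/sh
# Diff the per-rule packet counters of two "iptables -L FORWARD -v -n -x"
# snapshots and print every rule whose counter moved.  Rules are paired by
# position AND by their rule text, so a ruleset edited between snapshots
# (e.g. Xen re-inserting vif rules) is skipped rather than misreported.
#
# counter_diff BEFORE_FILE AFTER_FILE  ->  lines of "<delta> <rule text>"
counter_diff() {
    awk '
        # rule lines of "iptables -L -v -n -x" start with a numeric pkts field;
        # "Chain ..." and the column header line do not
        function rule_text(line,    n) { n = index(line, $3); return substr(line, n) }
        FNR == NR {
            if ($1 ~ /^[0-9]+$/) { pkts[FNR] = $1; rule[FNR] = rule_text($0) }
            next
        }
        $1 ~ /^[0-9]+$/ && (FNR in pkts) && rule_text($0) == rule[FNR] {
            delta = $1 - pkts[FNR]
            if (delta != 0) printf "%d %s\n", delta, rule[FNR]
        }
    ' "$1" "$2"
}

# Constructed before/after snapshots (invented counters, not output from the
# host in the thread); the REJECT rule picks up 3 packets during the query.
demo_diff() {
    before=$(mktemp); after=$(mktemp)
    cat >"$before" <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      40     3200 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
      12      900 ACCEPT     all  --  *      *       192.168.122.0/24     0.0.0.0/0
       5      300 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
EOF
    cat >"$after" <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      41     3260 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
      12      900 ACCEPT     all  --  *      *       192.168.122.0/24     0.0.0.0/0
       8      480 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
EOF
    counter_diff "$before" "$after"
    rm -f "$before" "$after"
}
```

On a live host, save `iptables -L FORWARD -v -n -x` to one file, run the test query, save it again, and pass both files to counter_diff; a non-zero delta on a REJECT line is the rule to fix.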