[lvs-users] LVS-TUN and iptables

To: "'LinuxVirtualServer.org users mailing list.'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [lvs-users] LVS-TUN and iptables
From: "Dan Brown" <danb@xxxxxx>
Date: Wed, 3 Dec 2008 16:11:40 -0600
I've got two geographically different clusters of servers hosting the same
sites in various server pairs.  There is a primary site and a secondary site
sharing the same subnets via BGP failover.  Additionally, each site has its
own subnet, which is not shared, for the real server IPs.  The LVS directors
both sit behind the router on the primary site and route traffic to other
servers behind that router via LVS-DR, or to the real servers at the
secondary site via LVS-TUN.

While testing a restricted-access-by-IP site over the last couple of days, I
came to realize that the LVS-TUN servers are not actually abiding by the
iptables rules set up for them.  At first I thought it was due to the traffic
coming in via IPv6>IPv4 tunnels, but after adding a bunch of ip6tables rules
the problem has not resolved.

The firewall rules for iptables are set up for the real servers on eth0 for
both the LVS-DR server and the LVS-TUN server.  On the LVS-DR server the
non-arp'd IPs are set up as aliases on the loopback (lo0) device.  On the
LVS-TUN servers the IPs are aliases on the tunl0 device.  I originally gave
tunl0 an IP of 192.168.10.5, as it served no purpose by itself other than to
exist, but I've since restarted the device with the same IP as eth0, and this
has had no effect either.  This only affects the tunnelled traffic.  If I
block everything except traffic to the server from the director, I still get
traffic through to the remote server, e.g.:

    iptables -I INPUT -s ! lvsdirector -d ! lvscheckhost -p tcp --dport 80 -i eth0 -j REJECT

So how do I make the server at the end of the tunnel filter, via iptables, the
traffic redirected from the LVS directors?  Is a second set of rules
required for the tunl0 interface and its aliases?

___________________________________________________
Dan Brown
danb@xxxxxx



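The situation described in the post, as an added example that is not taken from the original post or from the LVS project: on an LVS-TUN real server the encapsulated packet from the director is seen on eth0 as protocol 4 (IPIP), and the decapsulated inner packet is then re-injected with tunl0 as its input interface, so port-80 rules bound to eth0 never match it. The script assumes the interface names eth0 and tunl0, a function name lvs_tun_rules, and constructed placeholder addresses for the director and the allowed client.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: the function name
# lvs_tun_rules, the interface names eth0/tunl0, and the constructed
# placeholder addresses used in the usage line at the bottom.
#
# On an LVS-TUN real server netfilter sees each request twice:
#   1. the IPIP-encapsulated packet from the director, on eth0, protocol 4;
#   2. the decapsulated inner packet, re-injected with tunl0 as -i interface.
# A rule with "-i eth0 -p tcp --dport 80" only ever sees (1), which carries no
# TCP header to match, so the port-80 restriction has to be written for tunl0.

IPTABLES=${IPTABLES:-iptables}   # set IPTABLES=echo to print the rules instead of applying them

# usage: lvs_tun_rules <wan_if> <tunnel_if> <director_ip> <allowed_client_ip>
lvs_tun_rules() {
    wan_if=$1; tun_if=$2; director=$3; allowed=$4

    # (1) outer packets: only the director may deliver IPIP to this host
    $IPTABLES -A INPUT -i "$wan_if" -p 4 -s "$director" -j ACCEPT
    $IPTABLES -A INPUT -i "$wan_if" -p 4 -j DROP

    # (2) inner packets: the IP-restricted site on port 80 is reachable only
    #     from the allowed client; everyone else gets a reset
    $IPTABLES -A INPUT -i "$tun_if" -p tcp --dport 80 -s "$allowed" -j ACCEPT
    $IPTABLES -A INPUT -i "$tun_if" -p tcp --dport 80 -j REJECT --reject-with tcp-reset
}

# Constructed example addresses (documentation ranges), not real hosts.
# Verify after applying with "iptables -L INPUT -v -n": the tunl0 counters
# should climb as tunnelled requests arrive; if only the eth0 "-p 4" counters
# move, the inner packets are still bypassing the port-80 rules.
lvs_tun_rules eth0 tunl0 192.0.2.1 198.51.100.7
```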
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
