Re: [lvs-users] LVS-TUN and iptables

To: "'LinuxVirtualServer.org users mailing list.'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] LVS-TUN and iptables
From: "Dan Brown" <danb@xxxxxx>
Date: Thu, 4 Dec 2008 02:04:29 -0600
On Dec 3, Joseph Mack NA3T wrote:
> On Wed, 3 Dec 2008, Dan Brown wrote:
> 
> > The firewall rules for iptables are set up for the real servers on eth0 for
> > both the LVS-DR server and the LVS-TUN server.
> Does it work OK without the iptables rules?

If you mean if I run iptables -F and -X and clear the tables to see if it
still accepts, yeah it does.

> > The tunl0 I originally gave an IP of 192.168.10.5 as it
> > served no purpose by itself other than to exist
> 
> the tunl device usually has the VIP

Well, I don't use the tunl0 device itself for anything, but not having that up
prevents me from having all of my tunl0:X (e.g. tunl0:43 for, say,
216.94.145.43) aliases running, so I simply assigned it a non-useful IP.
Assigning it the IP of eth0, or some arbitrary private LAN IP, appears to
have no effect on the availability of an IP as long as the tunl0 device is
up so that the VIPs on the aliases work as well.

> > If I block everything except traffic to the server from the
> > director I still get traffic through to the remote server.
> 
> I have no idea what this means.

Ok, so the LVS director runs a check on the following virtual IP setup via
ldirectord.conf via the standard methods.

# IP Address 216.94.145.43
virtual=216.94.145.43:80
        real=209.167.162.87:80 gate 1
        real=216.94.137.194:80 ipip 5
        persistent=3600
        service=http
        request=".lvs.html"
        receive="Test Message"
        scheduler=rr
        protocol=tcp
        checktype=negotiate

If on the real server getting tunneled traffic I block traffic via
ip(6)tables (on eth0) to the IP address 216.94.145.43 for ANY IP address,
but leave the director seeing the real server as up itself, I can still grab
content off of the site on 216.94.145.43 as though the iptables rules didn't
exist.  Obviously this shouldn't happen.  It works with LVS-DR because it's
coming in through eth0 as-is (and lo:X holds the VIP for it).  For LVS-TUN
it's coming in encapsulated through eth0 to the appropriate tunl0:X alias so
it doesn't seem appropriate to apply the iptables rules to tunl0.

In this specific case I figured out a solution for a single IP by simply
dropping the -i eth0 option.  However, this would become a mess quickly for
applying blanket rules across several subnets which is why it's been device
specific previously.  Should I instead be applying the filters on tunl0?

___________________________________________________
Dan Brown
danb@xxxxxx
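The behaviour described in this message, as an added illustration that is not code from the post or from the LVS project: the model below mimics two things the Linux kernel does with an IPIP packet. The encapsulated (outer) packet traverses the INPUT chain with `-i eth0` and the real server's own address as destination, and after decapsulation the inner packet traverses INPUT a second time with the tunnel device (tunl0) as its input interface. That is why a `-i eth0 -d VIP` rule never sees the client's packet on the LVS-TUN real server, while the same rule without `-i eth0` does. The VIP and real-server addresses are the ones from the message; the director and client addresses are constructed placeholders, and the third rule set (accept IPIP on eth0 only from the director, filter the VIP on tunl0) is the editor's reading of the "only traffic from the director" requirement, not a configuration from the thread.

```python
"""Model of how the INPUT chain sees LVS-DR versus LVS-TUN traffic.

Added illustration, not code from the lvs-users post.  It mimics the kernel's
handling of IPIP: the outer packet traverses INPUT on eth0 addressed to the
real server, and after decapsulation the inner packet traverses INPUT again
with tunl0 as its input interface.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

# Addresses from the post; DIRECTOR and CLIENT are constructed placeholders.
VIP = "216.94.145.43"
RIP_TUN = "216.94.137.194"
DIRECTOR = "198.51.100.1"   # assumed director address (RFC 5737 range)
CLIENT = "203.0.113.7"      # assumed client address (RFC 5737 range)


@dataclass
class Packet:
    iif: str                          # interface the packet is seen on
    src: str
    dst: str
    proto: str                        # "tcp" or "ipip"
    inner: Optional["Packet"] = None  # payload of an IPIP packet


@dataclass
class Rule:
    target: str                   # "DROP" or "ACCEPT"
    iif: Optional[str] = None     # -i
    proto: Optional[str] = None   # -p
    src: Optional[str] = None     # -s
    dst: Optional[str] = None     # -d
    src_negated: bool = False     # "! -s"

    def matches(self, p: Packet) -> bool:
        if self.iif is not None and p.iif != self.iif:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        # With "! -s" the rule matches when the source is NOT the given one.
        if self.src is not None and (p.src == self.src) == self.src_negated:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        return True

    def as_iptables(self) -> str:
        """Render the rule in iptables command syntax."""
        parts = ["iptables -A INPUT"]
        if self.iif:
            parts.append(f"-i {self.iif}")
        if self.proto:
            parts.append(f"-p {self.proto}")
        if self.src:
            parts.append(("! " if self.src_negated else "") + f"-s {self.src}")
        if self.dst:
            parts.append(f"-d {self.dst}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


def input_chain(rules: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


def deliver(rules: List[Rule], wire: Packet) -> str:
    """Verdict for what the application on the real server finally sees."""
    verdict = input_chain(rules, wire)
    if verdict != "ACCEPT" or wire.proto != "ipip":
        return verdict
    # Decapsulation: the inner packet is re-injected with tunl0 as input device.
    return input_chain(rules, replace(wire.inner, iif="tunl0"))


def dr_packet() -> Packet:
    """LVS-DR: only the MAC was rewritten, so the frame arrives on eth0 addressed to the VIP."""
    return Packet(iif="eth0", src=CLIENT, dst=VIP, proto="tcp")


def tun_packet(outer_src: str = DIRECTOR) -> Packet:
    """LVS-TUN: the client's packet is wrapped in IPIP addressed to the real server itself."""
    inner = Packet(iif="eth0", src=CLIENT, dst=VIP, proto="tcp")
    return Packet(iif="eth0", src=outer_src, dst=RIP_TUN, proto="ipip", inner=inner)


# 1. The post's original rule: block the VIP on eth0 only.
RULES_ETH0_ONLY = [Rule("DROP", iif="eth0", dst=VIP)]
# 2. The post's workaround: the same rule with "-i eth0" dropped.
RULES_NO_IIF = [Rule("DROP", dst=VIP)]
# 3. Tunnel-aware set (editor's assumption): IPIP on eth0 only from the
#    director, VIP filtering applied where the decapsulated packet appears.
RULES_TUNNEL_AWARE = [
    Rule("DROP", iif="eth0", proto="ipip", src=DIRECTOR, src_negated=True),
    Rule("DROP", iif="tunl0", dst=VIP),
]


def compare() -> dict:
    """Verdict per scenario; 'tun/eth0-only' reproduces the post's observation."""
    return {
        "dr/eth0-only": deliver(RULES_ETH0_ONLY, dr_packet()),
        "tun/eth0-only": deliver(RULES_ETH0_ONLY, tun_packet()),
        "tun/no-iif": deliver(RULES_NO_IIF, tun_packet()),
        "tun/tunnel-aware": deliver(RULES_TUNNEL_AWARE, tun_packet()),
        "ipip-not-from-director/tunnel-aware": deliver(RULES_TUNNEL_AWARE, tun_packet(outer_src=CLIENT)),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:40s} {verdict}")
    for r in RULES_TUNNEL_AWARE:
        print(r.as_iptables())
```

Running the block shows the LVS-TUN packet passing the eth0-only rule set while the LVS-DR packet is dropped, and both the interface-less rule and the tunl0 rule dropping it; the tunnel-aware set additionally refuses IPIP that does not come from the director before it is ever decapsulated. The model ignores PREROUTING, conntrack and the reverse-path check, which is enough for the interface question but not a substitute for testing a real rule set.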


