Hi
w y wrote:
> But now, I am wondering if my way of firewalling is the good one :
> by default, everything is forbidden . And after, I open explicitly
> the ports I want to open ...
Yes, you can do that, you just have to keep in mind how packets move in
IPVS. On the incoming path the packets come to INPUT and leave through
OUTPUT. On the outgoing path - for DR and TUN there usually isn't one.
However, in case of NAT, the packets go through FORWARD and are a bit
difficult to match because their source address is still the RS source
address and there is no conntrack (there is an iptables patch that
allows matching against ipvs connection table).
So you need to ACCEPT the VSIP:port in INPUT and make sure OUTPUT does
not block it. And if you use NAT, you must also ACCEPT the response
packets in FORWARD.
You can use -j LOG in the end of each DROP chain to debug a default-drop
firewall.
Siim
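As an added illustration of the chain layout described in the reply above (not code from the poster or the LVS project), the function below emits iptables-restore input for a default-drop director: accept VIP:port in INPUT, leave OUTPUT open, accept real-server replies in FORWARD only for NAT, and LOG at the end of each DROP chain. The VIP, port and the 192.168.100.0/24 real-server network are assumed example values, and conntrack is deliberately not used.

```shell
# Print one rule line for iptables-restore.
emit() { printf '%s\n' "$1"; }

# Usage: lvs_director_rules VIP PORT MODE [RS_NET]
# MODE is dr, tun or nat. RS_NET (NAT only) is the real-server network
# whose replies cross FORWARD with their RS source address still in place.
lvs_director_rules() {
  vip=$1; port=$2; mode=$3
  rs_net=${4:-192.168.100.0/24}   # assumed example real-server network
  case "$mode" in
    dr|tun|nat) ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
  emit '*filter'
  emit ':INPUT DROP [0:0]'
  emit ':FORWARD DROP [0:0]'
  emit ':OUTPUT ACCEPT [0:0]'    # OUTPUT must not block the VIP traffic
  emit '-A INPUT -i lo -j ACCEPT'
  # Incoming path: the client's packet to VIP:port arrives in INPUT and
  # IPVS picks it up from there, so this is the only service rule needed.
  emit "-A INPUT -p tcp -d $vip --dport $port -j ACCEPT"
  if [ "$mode" = nat ]; then
    # Outgoing path for NAT: the reply traverses FORWARD before IPVS
    # rewrites it, so match the RS network and service port, not the VIP.
    emit "-A FORWARD -p tcp -s $rs_net --sport $port -j ACCEPT"
  fi
  # LOG at the end of each DROP chain shows what the default policy eats.
  emit '-A INPUT -j LOG --log-prefix "lvs-input-drop: "'
  emit '-A FORWARD -j LOG --log-prefix "lvs-forward-drop: "'
  emit 'COMMIT'
}
```

Pipe the output into iptables-restore on the director; for DR or TUN no FORWARD ACCEPT is emitted because replies never pass the director.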
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users