Re: [lvs-users] Re : Re : IPVS and IPTABLES firewall

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Re : Re : IPVS and IPTABLES firewall
From: Siim Põder <siim@xxxxxxxxxxxxxxx>
Date: Wed, 15 Apr 2009 12:48:26 +0300

w y wrote:
> But now, I am wondering if my way of firewalling is the good one:
> by default, everything is forbidden. And after, I open explicitly
> the ports I want to open ...

Yes, you can do that, you just have to keep in mind how packets move in
IPVS. On the incoming path the packets come to INPUT and leave through
OUTPUT. On the outgoing path - for DR and TUN there usually isn't one.
However, in case of NAT, the packets go through FORWARD and are a bit
difficult to match because their source address is still the RS source
address and there is no conntrack (there is an iptables patch that
allows matching against ipvs connection table).

So you need to ACCEPT the VSIP:port in INPUT and make sure OUTPUT does
not block it. And if you use NAT, you must also ACCEPT the response
packets in FORWARD.

You can use -j LOG in the end of each DROP chain to debug a default-drop
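One way to turn the rules described in this reply into a reviewable default-drop ruleset, as an added example that is not from the thread or the LVS project: the `lvs_fw_rules` generator, the VIP 192.0.2.10, the RS network 10.0.0.0/24 and the log prefixes are constructed for illustration. It prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Print iptables rules for a default-drop LVS director.
# Usage: lvs_fw_rules VIP PORT MODE [RS_NET] [RS_PORT]
#   MODE is dr, tun or nat. RS_NET (real-server network) is needed only
#   for NAT, where replies traverse FORWARD with the RS address still as
#   source. RS_PORT defaults to PORT. Pipe the output into sh to apply.
lvs_fw_rules() {
    vip=$1; port=$2; mode=$3; rs_net=$4; rs_port=${5:-$port}
    # Default-drop baseline: INPUT and FORWARD drop unless matched.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to the director's own connections (e.g. admin SSH).
    # IPVS-handled traffic does not get conntrack entries, so it is
    # matched explicitly below rather than by state.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Incoming path: client -> VIP packets are seen in INPUT before
    # IPVS takes them (DR, TUN and NAT alike).
    echo "iptables -A INPUT -p tcp -d $vip --dport $port -j ACCEPT"
    if [ "$mode" = nat ]; then
        [ -n "$rs_net" ] || { echo "nat mode needs RS_NET" >&2; return 1; }
        # NAT replies pass filter FORWARD with source RS:RS_PORT; the
        # rewrite to VIP happens later, so match on the RS address.
        echo "iptables -A FORWARD -p tcp -s $rs_net --sport $rs_port -j ACCEPT"
    fi
    # Log whatever is about to hit the DROP policy, rate-limited, so a
    # default-drop setup can be debugged from the kernel log.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'lvs-drop-in: '"
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'lvs-drop-fwd: '"
}
```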

