I'm running LVS-NAT / Ldirector with the firewall running on the same
boxes. I've been running a similar iptables script on a 2.4.x kernel
(heartbeat 1.2.3) for years and have moved to a 2.6.18x kernel (CentOS 5)
with heartbeat 3.0.3 & ldirector v1.186-ha. However, outbound real-server
traffic failed until I added the "fix" to the firewall rules (see below).
(1) Ultimate problem: I'm getting a small % of clients with sporadic
(sometimes high at certain times) dropped HTTP connections. The majority of
these users seem to be across the pond; however, I have not been able to rule
out any problems on my side. I personally have never seen any connection
problems. I'm not necessarily asking for help with this, but first need to
address the following:
(2) I see some incoming dropped packets that seem to be legitimate (this
also existed on the 2.4 version). Here's a sample:
CATCHALL -- DENY IN=eth0 OUT= MAC=xxx SRC=<outside_ip1> DST=<vip> LEN=52
TOS=0x00 PREC=0x00 TTL=54 ID=52546 DF PROTO=TCP SPT=32852 DPT=80
WINDOW=33120 RES=0x00 ACK FIN URGP=0
CATCHALL -- DENY IN=eth0 OUT= MAC=xxx SRC=<outside_ip2> DST=<vip> LEN=40
TOS=0x00 PREC=0x20 TTL=55 ID=37057 DF PROTO=TCP SPT=33069 DPT=80 WINDOW=27
RES=0x00 ACK FIN URGP=0
CATCHALL -- DENY IN=eth0 OUT= MAC=xxx SRC=<outside_ip3> DST=<vip> LEN=52
TOS=0x00 PREC=0x00 TTL=54 ID=48415 DF PROTO=TCP SPT=56014 DPT=80
WINDOW=1002 RES=0x00 ACK FIN URGP=0
CATCHALL -- DENY IN=eth0 OUT= MAC=xxx SRC=<outside_ip4> DST=<vip> LEN=40
TOS=0x00 PREC=0x20 TTL=51 ID=10009 DF PROTO=TCP SPT=8177 DPT=80
WINDOW=65535 RES=0x00 ACK FIN URGP=0
The outside IPs are legitimate and are going to a legitimate VIP. The drops
are sporadic and there don't appear to be any connection problems for the
majority of users, even though I see my own IPs getting dropped. Is this
normal? And why? I never see any drops on non-ldirector VIPs (except for
unwanted traffic).
(3) What are the best iptables practices for allowing the VIP traffic? I
haven't seen many LVS-NAT firewall scripts so I don't know if my chains are
good (especially per the "Fix" below, which was required to allow the
Ldirector VIP connections). I've seen a lot of stuff over the years but am
not sure with the newer kernels (okay, RHEL5 kernels are rather old).
Here is part of my condensed iptables script:
...
#
# Allow connections already established
#
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# allow everything on loopback
#
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#
# HTTP VIP example
#
$IPTABLES -A INPUT -p tcp -d <vip> --destination-port 80 -m state --state NEW -j ACCEPT
...
More stuff here (e.g. chains to other non-RIPs)
...
#
# NAT Rule (masquerade everything leaving from the inside network)
#
$IPTABLES -t nat -A POSTROUTING -s $INET -j MASQUERADE
#
# The Fix. Works to allow outgoing VIP traffic. Not sure if this is the
best. Required for 2.6.18x. Didn't need it on 2.4x
# eth0 is the outside interface, eth1 is the inside interface.
#
$IPTABLES -A OUTPUT -o eth1 -d $INET -j ACCEPT
#
# 'masquerading' rule
# (accept anything sourced from the inside network on all three chains)
#
$IPTABLES -A INPUT -s $INET -j ACCEPT
$IPTABLES -A OUTPUT -s $INET -j ACCEPT
$IPTABLES -A FORWARD -s $INET -j ACCEPT
#
# Allow stuff originating from the firewall
#
$IPTABLES -A OUTPUT -s $OIP -m state --state NEW -j ACCEPT
#
# 'catch all' rule
#
$IPTABLES -N CATCHALL
$IPTABLES -A OUTPUT -j CATCHALL
$IPTABLES -A INPUT -j CATCHALL
$IPTABLES -A FORWARD -j CATCHALL
$IPTABLES -A CATCHALL -j LOG --log-level debug --log-prefix "CATCHALL -- DENY "
$IPTABLES -A CATCHALL -j DROP
Thanks!
Brent
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
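As an added example (not from the original post, and not part of LVS or ldirectord), here is a small Python script that parses iptables LOG lines in the format shown above and sorts the dropped packets by what they say about connection state: a bare SYN is a client that could not connect, whereas FIN/ACK, RST and bare ACK segments carry no connection-opening state that a `--state NEW` or `ESTABLISHED` rule can match once the conntrack entry for that connection is gone. Running it over a day of CATCHALL output tells you whether the drops line up with user-visible failures or are leftovers of connections that had already ended. The log lines embedded in the script are constructed to resemble the post's output; the addresses and MAC are placeholders.

```python
import re
from collections import Counter

# TCP flags that the netfilter LOG target prints as bare tokens.
TCP_FLAGS = frozenset({"SYN", "ACK", "FIN", "RST", "PSH", "URG"})

# Constructed sample lines modelled on the catch-all output in the post.
# Addresses are RFC 5737 documentation ranges; the MAC is a placeholder.
SAMPLE_LOG = """\
CATCHALL -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=52546 DF PROTO=TCP SPT=32852 DPT=80 WINDOW=33120 RES=0x00 ACK FIN URGP=0
CATCHALL -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.11 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x20 TTL=55 ID=37057 DF PROTO=TCP SPT=33069 DPT=80 WINDOW=27 RES=0x00 ACK FIN URGP=0
CATCHALL -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.12 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
CATCHALL -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.13 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=8177 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
CATCHALL -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.14 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=3 DF PROTO=UDP SPT=5000 DPT=53 LEN=20
"""

_START = re.compile(r"\bIN=")


def parse_log_line(line):
    """Split one netfilter LOG line into prefix, KEY=VALUE fields and bare flags.

    The LOG target writes header fields as KEY=VALUE tokens and IP/TCP flags
    (DF, SYN, ACK, FIN, RST, PSH, URG) as bare tokens, so any token after the
    first IN= that has no '=' is a flag. Returns None for non-LOG lines.
    """
    m = _START.search(line)
    if m is None:
        return None
    prefix = line[:m.start()].strip()
    fields, flags = {}, set()
    for tok in line[m.start():].split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields.setdefault(key, value)  # keep the IP-header LEN, not the UDP one
        else:
            flags.add(tok)
    return {"prefix": prefix, "fields": fields, "flags": flags}


def classify(rec):
    """Label a dropped packet by what it tells you about connection state.

    Only a bare SYN is a client opening a connection; dropping it is a failed
    connect the user notices. FIN/ACK, RST and bare ACK segments carry no
    connection-opening state, so stateful accept rules cannot match them once
    the conntrack entry is gone: they are leftovers of connections that have
    already ended or were never tracked.
    """
    if rec["fields"].get("PROTO") != "TCP":
        return "non-tcp"
    tcp = rec["flags"] & TCP_FLAGS
    if "SYN" in tcp:
        return "syn-ack" if "ACK" in tcp else "new-connection"
    if "RST" in tcp:
        return "reset"
    if "FIN" in tcp:
        return "teardown"
    if "ACK" in tcp:
        return "mid-stream"
    return "other"


def summarize(log_text, dport=None):
    """Count categories over a LOG dump, optionally only for one destination port."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if dport is not None and rec["fields"].get("DPT") != str(dport):
            continue
        counts[classify(rec)] += 1
    return counts


def user_visible_fraction(counts):
    """Share of TCP drops that were real connection attempts (bare SYN)."""
    tcp_total = sum(n for cat, n in counts.items() if cat != "non-tcp")
    return counts["new-connection"] / tcp_total if tcp_total else 0.0


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG, dport=80)
    for cat, n in sorted(counts.items()):
        print(f"{cat:16s} {n}")
    print(f"user-visible share of port-80 drops: {user_visible_fraction(counts):.0%}")
```

Feed it the real output with something like `grep 'CATCHALL -- DENY' /var/log/messages | python3 classify_drops.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; if nearly everything lands in `teardown` and `reset` and the `new-connection` count stays near zero, the catch-all is logging late teardown segments rather than refusing clients, and the user complaints have to be chased elsewhere.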