On Mon, 29 Nov 2010, devin wrote:
 
However sometimes we have clients who send us crazy amounts of traffic :-( and we end up having to block the traffic at the load balancer/keepalived server using IPTABLES. We basically configure IPTABLES to send a TCP RESET packet back to the user's browser so that the browser will give up trying to connect to our cluster.
 
 
This is the command we run on Linux to do the block:

 /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "sid=3225" --algo bm --to 65535 -j REJECT --reject-with tcp-reset
 
So I know sometimes this messes with the ActiveConn count, and I am not sure if this is affecting LVS in any way, as we sometimes have to block a user for an entire day. The problem I notice with this is that the "ActiveConn" count just keeps building up while we are rejecting the traffic, but it does seem to cap off at 32,000 connections per server right now.
 
You should be able to block these packets before ipvs() sees them. What if you use PREROUTING as the chain? Look at the diagram here:

http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.filter_rules.html#path_of_an_ip_vs_packet

There's no INPUT in this diagram. However, this (cough) simplified diagram has INPUT:

http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php

Here's a better diagram:

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
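Added example, not from either poster: a small shell helper that emits the iptables rule for a given chain, reusing the pattern "sid=3225" and port 80 from devin's rule. The point it encodes is the one caveat that bites when following Joe's suggestion literally: the REJECT target (and so --reject-with tcp-reset) is only valid in the INPUT, FORWARD and OUTPUT chains, so a PREROUTING rule has to live in the mangle table and use DROP. The helper refuses to build a REJECT rule for PREROUTING rather than producing a command iptables would reject at load time. The table choice (mangle) and the helper name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the LVS list post): build the iptables rule that
# blocks a string-matched HTTP request, either in INPUT (the original rule)
# or in PREROUTING so the packet is dropped before IPVS processes it.

# build_block_rule CHAIN PATTERN PORT TARGET
#   Prints the iptables command. For PREROUTING the rule goes into the
#   mangle table (assumption: the only table with a PREROUTING chain that
#   a plain filter rule fits), and REJECT is refused, because the REJECT
#   target is only valid in INPUT, FORWARD and OUTPUT (and user chains
#   called from them). Use DROP there instead.
build_block_rule() {
    chain="$1"; pattern="$2"; port="$3"; target="$4"
    table=""
    case "$chain" in
        PREROUTING)
            table="-t mangle "
            if [ "$target" = "REJECT" ]; then
                echo "REJECT is not valid in PREROUTING; use DROP" >&2
                return 1
            fi
            ;;
        INPUT|FORWARD|OUTPUT) ;;
        *) echo "unsupported chain: $chain" >&2; return 1 ;;
    esac
    case "$target" in
        DROP)   jump="-j DROP" ;;
        REJECT) jump="-j REJECT --reject-with tcp-reset" ;;
        *) echo "unsupported target: $target" >&2; return 1 ;;
    esac
    printf '/sbin/iptables %s-A %s -p tcp -m tcp --dport %s -m string --string "%s" --algo bm --to 65535 %s\n' \
        "$table" "$chain" "$port" "$pattern" "$jump"
}

# Usage: print the original INPUT rule and its PREROUTING equivalent.
build_block_rule INPUT "sid=3225" 80 REJECT
build_block_rule PREROUTING "sid=3225" 80 DROP
```

After loading the PREROUTING rule, `iptables -t mangle -L PREROUTING -v -n` shows its packet counter; if it climbs while the INPUT rule's counter stays flat, the matched requests are being dropped ahead of the INPUT chain as intended. Note that a string match can only fire on the HTTP request packet, never on the SYN that opens the connection, so whichever chain is used, the client still completes a TCP handshake with the director before the request is dropped.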