
Re: [lvs-users] lvs masq response package not getting picked up

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [lvs-users] lvs masq response package not getting picked up
From: Klavs Klavsen <kl@xxxxxxx>
Date: Mon, 13 Aug 2012 13:54:21 +0200
Apparently they are going through FORWARD - with the source IP of the backend - instead of the source IP of the VIP - that the client actually accessed.

Also - for some reason there's no state - so I had to allow ALL packages with source-port of 80 or 443 in the FORWARD chain.

Not exactly great for a secure setup :(

Graeme Fowler said the following on 08/13/2012 01:46 PM:
> On Mon, 2012-08-13 at 13:20 +0200, Klavs Klavsen wrote:
>> Chain FORWARD (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
> I'm not 100% sure, but it looks like this is your problem. Remove those
> rules and see what happens.
>
> * I say "not sure" because I'm not sure whether the incoming packets
> will traverse the FORWARD chain or be hoiked past it by ipvs.
>
> Graeme
>
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users


-- 
Regards,
Klavs Klavsen, GSEC - kl@xxxxxxx - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer


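A tighter alternative to accepting every packet with source port 80 or 443 in FORWARD, added here as an example and not part of the list thread: the reply rules are restricted to the real servers' own addresses and to non-SYN packets, and IPVS connection tracking (net.ipv4.vs.conntrack, kernel 2.6.37 and later) is enabled so the RELATED,ESTABLISHED rule can match the replies. The real-server addresses 10.0.0.11 and 10.0.0.12 are constructed sample values.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Real-server addresses
# passed as arguments are constructed sample values for the director in
# question; replace them with your own.

# Emit the iptables commands for the FORWARD chain of an LVS-NAT director,
# one line per command, so they can be reviewed before being applied.
lvs_forward_rules() {
  # Replies for connections conntrack already knows about. This only
  # matches IPVS-handled connections when net.ipv4.vs.conntrack=1 (see
  # lvs_apply below); without it there is no state for them, which is the
  # symptom described in the thread.
  printf 'iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
  # Real server -> client replies that reach FORWARD: accept them only from
  # the listed real servers, only from the service ports, and never as a
  # SYN, rather than accepting any packet with source port 80/443.
  for rs in "$@"; do
    printf 'iptables -A FORWARD -s %s -p tcp ! --syn -m multiport --sports 80,443 -j ACCEPT\n' "$rs"
  done
  # Keep the explicit reject from the original chain as the last rule.
  printf 'iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited\n'
}

# Apply the rules on the director (needs root). Enabling
# net.ipv4.vs.conntrack makes IPVS maintain conntrack entries for the
# connections it handles, so the replies match as ESTABLISHED.
lvs_apply() {
  sysctl -w net.ipv4.vs.conntrack=1
  lvs_forward_rules "$@" | sh -e
}
```

Run `lvs_forward_rules 10.0.0.11 10.0.0.12` first to inspect the generated commands, then `lvs_apply` with the same arguments on the director.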
