[lvs-users] Blocking LVS probes with iptables

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [lvs-users] Blocking LVS probes with iptables
From: Hallvard Breien Furuseth <h.b.furuseth@xxxxxxxxxxx>
Date: Mon, 20 Nov 2017 15:38:59 +0100
I want a realserver to temporarily tell the load balancer to not
send new connections, but to keep old connections.  This seems to
work; is it OK?

   LB_dip=  # Load balancer - director
   iptables -A INPUT -i eth0 -s $LB_dip -p tcp --syn -j REJECT \
                     -m time --datestop 2017-11-20T18:30

Tunneling/Direct routing.  LVS probes just connect and disconnect.

I don't remember why the --syn is there, maybe we should drop it
for simplicity.  The --datestop is because we'll forget to unblock
probes someday, and then we'd wonder why the server doesn't work.

Should make an IPv6 version too.

Full "minimal" iptables, interested in nothing but load balancing:

LB_dip=  # Load balancer - director
LB_vip=     # Load balancer - virtual IP address

# Handle most of the traffic early. Not needed with these minimal rules.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Let through tunnel traffic from load balancer
-A INPUT -i eth0 -s $LB_dip -p 4 -j ACCEPT
-A INPUT -i tunl0 -j ACCEPT

# LB_hook is usually empty
-N LB_hook
-A INPUT -j LB_hook
# Temporarily blocking new connections from load balancer.
-A LB_hook -i eth0 -s $LB_dip -p tcp --syn -j REJECT \
                     -m time --datestop 2017-11-20T18:30

# Drop ipip tunnel traffic from elsewhere than $LB_dip
-A INPUT -p 4 -j DROP

# Keep packets small enough to fit in a tunneled packet
-A OUTPUT -s $LB_vip -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -j TCPMSS --set-mss 1440
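The time-limited probe reject from the message above, as an added helper script that is not part of the post: it emits the rule in both iptables and ip6tables form, checks the --datestop format, and scans an `iptables -S` listing for rules whose stop time has already passed (the "we'll forget to unblock" case). The director addresses and the listing used in the check are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post. Director IPs here are constructed placeholders.
# RUN=echo (default) only prints the iptables commands; RUN= executes them.
set -eu
RUN="${RUN-echo}"

# Accept only YYYY-MM-DDThh:mm[:ss], the form xt_time parses for --datestop.
valid_datestop() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]) return 0 ;;
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# probe_block_rule <iptables|ip6tables> <director IP> <datestop> [iface]
# Prints the rule that answers the director's probe SYNs with a reject until
# <datestop>. --syn limits it to new probe connections, so packets of a probe
# already in flight are left alone. --kerneltz reads <datestop> in the host's
# local time; without it xt_time treats the timestamp as UTC.
probe_block_rule() {
    tool=$1 dip=$2 stop=$3 iface=${4:-eth0}
    valid_datestop "$stop" || { echo "bad --datestop: $stop" >&2; return 1; }
    printf '%s -A INPUT -i %s -s %s -p tcp --syn -m time --kerneltz --datestop %s -j REJECT\n' \
        "$tool" "$iface" "$dip" "$stop"
}

# apply_probe_block <director IPv4> <director IPv6> <datestop>
# Installs the IPv4 and IPv6 rule (or prints them when RUN=echo).
apply_probe_block() {
    rule4=$(probe_block_rule iptables  "$1" "$3") || return 1
    rule6=$(probe_block_rule ip6tables "$2" "$3") || return 1
    $RUN $rule4   # word splitting on the rule string is intended
    $RUN $rule6
}

# expired_probe_blocks <now as YYYY-MM-DDThh:mm>  (reads 'iptables -S' on stdin)
# Prints rules whose --datestop is already in the past: once the stop time has
# passed the rule never matches again and should be deleted, not left to pile up.
# ISO-8601 timestamps compare correctly as plain strings, so awk needs no date math.
expired_probe_blocks() {
    awk -v now="$1" '{
        for (i = 1; i < NF; i++)
            if ($i == "--datestop" && $(i + 1) < now) { print; break }
    }'
}

apply_probe_block 192.0.2.10 2001:db8::10 2017-11-20T18:30
```

With RUN= set to empty it applies the rules, so run it as root on the realserver; `iptables -S INPUT | expired_probe_blocks "$(date +%Y-%m-%dT%H:%M)"` lists the leftovers to delete.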
