On 20.11.2017 at 15:38, Hallvard Breien Furuseth wrote:
> I want a realserver to temporarily tell the load balancer to not
> send new connections, but to keep old connections. This seems to
> work, is it OK?
Why don't you just set its weight to zero?
> LB_dip=111.22.33.44/31 # Load balancer - director
> iptables -A INPUT -i eth0 -s $LB_dip -p tcp --syn -j REJECT \
> -m time --datestop 2017-11-20T18:30
>
> Tunneling/Direct routing. LVS probes just connect and disconnect.
>
> I don't remember why the --syn is there, maybe we should drop it
> for simplicity. The --datestop is because we'll forget to unblock
> probes someday, and then we'd wonder why the server doesn't work.
>
> Should make an IPv6 version too.
>
>
>
> Full "minimal" iptables, interested in nothing but load balancing:
>
> LB_dip=111.22.33.44/31 # Load balancer - director
> LB_vip=111.22.33.55 # Load balancer - virtual IP address
>
> # Handle most of the traffic early. Not needed with these minimal rules.
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
> # Let through tunnel traffic from load balancer
> -A INPUT -i eth0 -s $LB_dip -p 4 -j ACCEPT
> -A INPUT -i tunl0 -j ACCEPT
>
> # LB_hook is usually empty
> -N LB_hook
> -A INPUT -j LB_hook
> # Temporarily blocking new connections from load balancer.
> -A LB_hook -i eth0 -s $LB_dip -p tcp --syn -j REJECT \
> -m time --datestop 2017-11-20T18:30
>
> # Reject ipip tunnel traffic from elsewhere than $LB_dip
> -A INPUT -p 4 -j DROP
>
> # Keep packets small enough to fit in a tunneled packet
> -A OUTPUT -s $LB_vip -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -j TCPMSS --set-mss 1440
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Kind regards,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
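
The temporary block from the quoted message, generalised to IPv4 and IPv6 director addresses with a computed expiry, as an added example that is not part of the thread. It only prints the rules; it assumes GNU date, and 2001:db8::44 is a constructed placeholder address.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the rules; applies nothing.
# Assumes GNU date, plus the LB_hook chain and eth0 interface from the post.

# Expiry N minutes after "now", formatted for --datestop.
# The time match reads --datestop as UTC unless --kerneltz is given,
# so the stamp is always produced in UTC.
# $1 = minutes, $2 = epoch seconds to use as "now" (optional)
drain_stop() {
    date -u -d "@$(( ${2:-$(date -u +%s)} + $1 * 60 ))" +%Y-%m-%dT%H:%M:%S
}

# One rule rejecting new TCP connections from a director address until expiry.
# $1 = -A (add) or -D (delete), $2 = director address, $3 = datestop
drain_rule() {
    ipt=iptables
    case $2 in *:*) ipt=ip6tables ;; esac   # a colon means an IPv6 address
    echo "$ipt $1 LB_hook -i eth0 -s $2 -p tcp --syn" \
         "-m time --datestop $3 -j REJECT"
}

# The same rule for every director address, IPv4 and IPv6 alike.
# $1 = -A or -D, $2 = datestop, remaining arguments = director addresses
drain_rules() {
    op=$1 stop=$2
    shift 2
    for addr in "$@"; do drain_rule "$op" "$addr" "$stop"; done
}

# Succeeds while a rule with this datestop still matches, fails once expired.
# $1 = datestop (UTC), $2 = epoch seconds to use as "now" (optional)
drain_active() {
    [ "${2:-$(date -u +%s)}" -le "$(date -u -d "$(echo "$1" | tr T ' ')" +%s)" ]
}

# 111.22.33.44/31 is from the post; 2001:db8::44 is a constructed placeholder.
drain_rules -A "$(drain_stop 90)" 111.22.33.44/31 2001:db8::44
```

Calling `drain_rules -D` with the same datestop prints the matching delete commands for unblocking before the expiry.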