To: Viktor Nonov <viktor@xxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Curl request from linux director to the virtual ip address times out
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Julian Anastasov <ja@xxxxxx>
Date: Thu, 16 Aug 2018 22:50:48 +0300 (EEST)
        Hello,

On Thu, 16 Aug 2018, Viktor Nonov wrote:

> Hello Julian,
> 
> Your answer helped me solve the problem:
> 
> Since the box has its public facing interface setup with $DIP and an alias
> interface for the $VIP I needed to make one more additional setting shown
> below.
> 
> Replacing the route enabled successfully sending and delivering the SYN
> packet to one of the real servers, but the SYN-ACK packet that was received
> was considered by the kernel a martian packet since the source IP was $VIP
> (assigned to the director's local interface) and destination IP - the $DIP.
> This was solved by setting accept_local to 1:
> sysctl -w net.ipv4.conf.all.accept_local=1

        Yes, I forgot about that requirement.

> So in summary:
> ip route replace local $VIP dev $DEV proto kernel scope host src $DIP
> sysctl -w net.ipv4.conf.all.accept_local=1
> 
> Not sure if setting accept_local to 1 will lead to other problems, but
> everything works okay for now.

        The danger is for services like echo/7/udp (see /etc/services),
but anyway, such spoofing should be prevented in the uplink
router by dropping packets with saddr that matches your public
subnet and coming from external interface. If not possible,
all your machines on the LAN with public IP should have MAC
rules to filter such traffic when coming from router's MAC.
Still, if the router has IP from your subnet (that you use as
DEF GW IP) it should be allowed, at least for ARP traffic.

Regards

--
Julian Anastasov <ja@xxxxxx>
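As an added example (not code from the thread, from Viktor, Julian or the LVS project), the script below collects the two director-side settings from the summary above and the two filtering options Julian describes as the counterweight to accept_local=1: subnet-based filtering on the uplink (or on the director when it is the edge) and MAC-based filtering on LAN hosts when the router cannot be changed. The addresses 203.0.113.x, interface eth0 and the router MAC are placeholder assumptions; override them from the environment. With DRY_RUN=1 (the default) it only prints what it would run.

```shell
#!/bin/sh
# Added example for the lvs-users thread above; not the project's own code.
# Placeholder values (assumptions): VIP/DIP/PUBLIC_NET/GW are TEST-NET-3
# addresses, DEV is eth0 and GW_MAC is invented. Override via environment.

VIP="${VIP:-203.0.113.10}"                 # virtual IP, aliased on the public NIC
DIP="${DIP:-203.0.113.2}"                  # director's primary public IP
DEV="${DEV:-eth0}"                         # public-facing interface
PUBLIC_NET="${PUBLIC_NET:-203.0.113.0/24}" # our public subnet
GW="${GW:-203.0.113.1}"                    # default gateway, inside PUBLIC_NET
GW_MAC="${GW_MAC:-00:11:22:33:44:55}"      # router's MAC as seen on the LAN (assumed)
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The two steps from the summary: make director-originated connections to
# VIP pick DIP as source, and stop the kernel treating the returning SYN-ACK
# (saddr=VIP, a local address, arriving on DEV) as a martian.
# accept_local is per-interface and the kernel uses max(all, DEV), so
# setting only net.ipv4.conf.$DEV.accept_local is a narrower alternative.
director_local_vip_setup() {
    run ip route replace local "$VIP" dev "$DEV" proto kernel scope host src "$DIP"
    run sysctl -w net.ipv4.conf.all.accept_local=1
}

# Option 1: filter on the uplink router (or on the director if it is the
# edge): a packet arriving on the external interface with a source inside
# our own public subnet is spoofed, except the gateway's own address.
# raw/PREROUTING runs before conntrack and before IPVS looks at the packet.
uplink_antispoof() {
    run iptables -t raw -A PREROUTING -i "$DEV" -s "$GW" -j ACCEPT
    run iptables -t raw -A PREROUTING -i "$DEV" -s "$PUBLIC_NET" -j DROP
}

# Option 2: no control over the router. On each LAN host with a public IP,
# drop frames that come from the router's MAC but claim a source in our
# subnet: real neighbours send with their own MAC, so only traffic relayed
# from outside matches. The gateway's own IP stays allowed. ARP is not IP
# and is untouched by these rules, so the default gateway keeps working.
lan_host_antispoof() {
    run iptables -t raw -A PREROUTING -i "$DEV" -m mac --mac-source "$GW_MAC" -s "$GW" -j ACCEPT
    run iptables -t raw -A PREROUTING -i "$DEV" -m mac --mac-source "$GW_MAC" -s "$PUBLIC_NET" -j DROP
}

# Checks to run after applying for real: the route lookup for VIP must now
# report "src $DIP", accept_local must read 1, and the raw rules must be in.
verify_commands() {
    run ip route get "$VIP"
    run sysctl net.ipv4.conf.all.accept_local
    run iptables -t raw -S PREROUTING
}

# Pick ONE of the two antispoof options for a given box; both are listed
# here so a dry run shows the complete plan.
plan() {
    director_local_vip_setup
    uplink_antispoof
    lan_host_antispoof
    verify_commands
}

case "${1:-}" in
    plan)  plan ;;
    apply) DRY_RUN=0; plan ;;
esac
```

Usage: `sh lvs-local-vip.sh plan` prints the commands; `DEV=eth1 VIP=... sh lvs-local-vip.sh apply` runs them as root. The raw table is used so that spoofed packets are dropped before conntrack and before IPVS, which hooks LOCAL_IN ahead of the filter INPUT chain; if you prefer the filter table, the same `-s`/`-m mac` matches work in INPUT.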

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
