Dropped fin acks (iptables + lvs)

Hi!

I am running iptables and lvs on two boxes loadbalancing http[s] and ssh traffic to two real servers.
Everything is working just fine from the user's point of view. However, I keep seeing a lot of dropped packets of type ack/fin and ack/rst in my iptables log. Seems like the connection tracking isn't working the way I expect it to. The iptables config in short is:

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -N Firewall-INPUT
$IPTABLES -A INPUT -j Firewall-INPUT
$IPTABLES -A FORWARD -j Firewall-INPUT
#This is the rule that should allow established connections, right?
$IPTABLES -A Firewall-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#The next rule allows everything from the inside. Since the above rule doesn't seem to work
#all replies from the webservers to the clients will be dropped if this rule is not in place.
$IPTABLES -A Firewall-INPUT -i eth1 -j ACCEPT
$IPTABLES -A Firewall-INPUT -d $VIP1_e -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
$IPTABLES -A Firewall-INPUT -d $VIP1_e -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
$IPTABLES -A Firewall-INPUT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level debug --log-prefix "drop: "
$IPTABLES -A Firewall-INPUT -j DROP

And in the log I get lots of this for each user session:
Jan 24 16:46:11 10.0.1.107 kernel: drop: IN=eth0 OUT= MAC=00:15:c5:ee:48:a7:00:04:de:18:18:00:08:00 SRC=<CLIENTIP> DST=<$VIP1_e> LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=28407 PROTO=TCP SPT=48404 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0

Why? Is there something about the connection tracking I'm not understanding?
If I do a 'cat /proc/net/ip_conntrack' on the director/fw, shouldn't I see connections between my external VIP and the client's IP? All I see there are connections between the director/fw and my webservers.

Any help would be much appreciated.

Regards,
Patrik
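Added example, not part of the original post: before changing the rule set, it helps to classify the "drop:" lines by destination port and TCP flag combination, so you can see whether the drops are only end-of-session FIN/ACK and RST/ACK packets (which can arrive after the connection-tracking entry for that flow is gone) or whether data-carrying packets are being dropped too. The parser below reads the kernel LOG format quoted above; the sample lines, addresses and MACs are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the kernel LOG output
# quoted in the post (addresses and MACs are placeholders, not real hosts).
SAMPLE_LOG = """\
Jan 24 16:46:11 10.0.1.107 kernel: drop: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=28407 PROTO=TCP SPT=48404 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jan 24 16:46:12 10.0.1.107 kernel: drop: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=28408 PROTO=TCP SPT=48404 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 24 16:46:30 10.0.1.107 kernel: drop: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:03:08:00 SRC=198.51.100.22 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 24 16:46:31 10.0.1.107 kernel: drop: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=28409 PROTO=TCP SPT=48404 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
"""

# Bare tokens that the LOG target emits for set TCP flags ("DF" is an IP flag and is ignored).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Flag sets that belong to a session closing rather than to data transfer.
TEARDOWN = {("ACK", "FIN"), ("ACK", "RST")}

def parse_log_line(line):
    """Return the KEY=VALUE fields of one 'drop:' line plus a sorted tuple of TCP flags,
    or None if the line is not a drop record."""
    if "drop:" not in line:
        return None
    payload = line.partition("drop:")[2]
    fields, flags = {}, []
    for tok in payload.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.append(tok)
    fields["FLAGS"] = tuple(sorted(flags))
    return fields

def summarize_drops(text):
    """Count TCP drops per (destination port, flag set) and split them into
    session-teardown packets and everything else."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec and rec.get("PROTO") == "TCP":
            counts[(rec.get("DPT"), rec["FLAGS"])] += 1
    teardown = sum(n for (_, fl), n in counts.items() if fl in TEARDOWN)
    return {"by_port_flags": dict(counts),
            "teardown": teardown,
            "other": sum(counts.values()) - teardown}

if __name__ == "__main__":
    for key, n in sorted(summarize_drops(SAMPLE_LOG)["by_port_flags"].items()):
        print(key, n)
```

If "other" stays at zero over a day of logs, the drops are confined to late teardown packets; a non-zero count points at flows whose tracking entry is missing while data is still moving.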