To clarify, this is the firewall on the apache machines, not the
loadbalancer. The LB firewall works just fine.
____________________
John Stockdale
System Engineer
jstockdale@xxxxxxxxxxxxx
On Jul 10, 2008, at 12:36 PM, John Stockdale wrote:
Hi everyone,
I'm running an LVS load balancer in front of several Apache instances,
using IP tunneling to forward the packets. When the firewall is down
(--flush) everything works beautifully. When I bring iptables back
up, everything dies.
I've managed to trace the issue to the point where I can watch (with
tcpdump) the proto: IPIP packets ingress on eth0, but never show up
decapsulated on tunl0 (or anywhere else).
Any help would be greatly appreciated.
The relevant iptables rules, and ifconfig output follows.
XXX.XXX.XXX.17 is the primary loadbalancer, XXX.XXX.XXX.18 is the
secondary, and XXX.XXX.XXX.42 is the service address (bound to tunl0).
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11714046:38544927249]
:Firewall - [0:0]
-A INPUT -j Firewall
# Global allow established traffic
-A Firewall -m state --state ESTABLISHED,RELATED -j ACCEPT
# Global SSH @ Port 22
-A Firewall -p tcp -m tcp --dport 22 -j ACCEPT
# DNS Responses
-A Firewall -p udp -s XXX.XXX.XXX.XXX/32 --source-port 53 -d 0/0 --destination-port 1024:65535 -j ACCEPT
-A Firewall -p udp -s XXX.XXX.XXX.XXX/32 --source-port 53 -d 0/0 --destination-port 1024:65535 -j ACCEPT
# Global WWW
-A Firewall -p tcp -m tcp --dport 80 -j ACCEPT
# time.nist.gov ntpd access
-A Firewall -p udp -s 192.43.244.18/32 --source-port 123 --destination-port 123 -j ACCEPT
# Office ping
-A Firewall -s XXX.XXX.XXX.XXX/29 -p icmp --icmp-type 8 -j ACCEPT
# Local ping
-A Firewall -s XXX.XXX.XXX.XXX/25 -p icmp --icmp-type 8 -j ACCEPT
# Global allow ip tunnels from loadbalancers
-A Firewall -s XXX.XXX.23.17 -p ipip -j ACCEPT
-A Firewall -s XXX.XXX.23.18 -p ipip -j ACCEPT
-A Firewall -d XXX.XXX.23.42 -p all -j ACCEPT
# Allow local interface traffic on lo and tunl0
-A Firewall -i lo -s 127.0.0.1 -p all -j ACCEPT
-A Firewall -i tunl0 -p all -j ACCEPT
# Global reject
-A Firewall -j DROP
COMMIT
eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:XXX.XXX.XXX.7  Bcast:XXX.XXX.XXX.127  Mask:255.255.255.128
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:479975 errors:0 dropped:0 overruns:0 frame:0
          TX packets:286084 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:157547624 (150.2 MiB)  TX bytes:32662562 (31.1 MiB)
          Interrupt:169 Memory:f8000000-f8012100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:444 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:58036 (56.6 KiB)  TX bytes:58036 (56.6 KiB)

tunl0     Link encap:IPIP Tunnel  HWaddr
          inet addr:XXX.XXX.XXX.42  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:1480  Metric:1
          RX packets:2659 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:305154 (298.0 KiB)  TX bytes:0 (0.0 b)   <- Note: the RX bytes only increase when the firewall is down.
____________________
John Stockdale
System Engineer
jstockdale@xxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
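An LVS-Tun real server sees each client packet twice in INPUT: first as the encapsulating IPIP packet on eth0 (source = load balancer, protocol 4), and again after decapsulation on tunl0 (source = client, destination = VIP). A first-match walk of the posted Firewall chain for both stages is a quick way to check whether the rules as written can account for the symptom before reaching for the per-rule counters. The script below is an added example written for this page, not code from the original post or from the netfilter project; it models the posted chain with first-match semantics and replays both packets. The addresses are assumed placeholders (RFC 5737 ranges) standing in for the masked XXX.XXX.XXX.* values, keeping the last octets .7, .17, .18 and .42 from the post; the client address, source port and DNS server addresses are constructed.

```python
"""First-match replay of the posted 'Firewall' chain for the two packets an
LVS-Tun real server sees.  Added example, not the poster's or netfilter's code.
Addresses below are assumed placeholders for the masked XXX.XXX.XXX.* values."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

# Assumed stand-ins for the masked addresses (constructed, not from the post).
REAL_SERVER = "192.0.2.7"          # eth0 address of the Apache box
LB_PRIMARY = "192.0.2.17"
LB_SECONDARY = "192.0.2.18"
VIP = "192.0.2.42"                 # service address bound to tunl0
OFFICE_NET = "198.51.100.0/29"
LOCAL_NET = "192.0.2.0/25"
DNS1, DNS2 = "203.0.113.53", "203.0.113.54"

IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 1, 4, 6, 17


@dataclass
class Packet:
    iface: str                     # input interface, as matched by -i
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    state: str = "NEW"             # conntrack state the 'state' match would see


@dataclass
class Rule:
    target: str
    comment: str = ""
    iface: Optional[str] = None
    src: Optional[str] = None      # CIDR, as in -s
    dst: Optional[str] = None      # CIDR, as in -d
    proto: Optional[int] = None
    sport: Optional[range] = None
    dport: Optional[range] = None
    icmp_type: Optional[int] = None
    states: Optional[Set[str]] = None

    def matches(self, p: Packet) -> bool:
        # Every match option given on the rule must hold; unset options are wildcards.
        return all((
            self.iface is None or self.iface == p.iface,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.proto is None or self.proto == p.proto,
            self.sport is None or p.sport in self.sport,
            self.dport is None or p.dport in self.dport,
            self.icmp_type is None or self.icmp_type == p.icmp_type,
            self.states is None or p.state in self.states,
        ))


# The posted chain, in order.  The chain policy is ACCEPT, but the final rule DROPs.
FIREWALL_CHAIN = [
    Rule("ACCEPT", "established/related", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", "ssh", proto=IPPROTO_TCP, dport=range(22, 23)),
    Rule("ACCEPT", "dns reply 1", proto=IPPROTO_UDP, src=DNS1 + "/32",
         sport=range(53, 54), dport=range(1024, 65536)),
    Rule("ACCEPT", "dns reply 2", proto=IPPROTO_UDP, src=DNS2 + "/32",
         sport=range(53, 54), dport=range(1024, 65536)),
    Rule("ACCEPT", "www", proto=IPPROTO_TCP, dport=range(80, 81)),
    Rule("ACCEPT", "ntp", proto=IPPROTO_UDP, src="192.43.244.18/32",
         sport=range(123, 124), dport=range(123, 124)),
    Rule("ACCEPT", "office ping", src=OFFICE_NET, proto=IPPROTO_ICMP, icmp_type=8),
    Rule("ACCEPT", "local ping", src=LOCAL_NET, proto=IPPROTO_ICMP, icmp_type=8),
    Rule("ACCEPT", "ipip from primary lb", src=LB_PRIMARY + "/32", proto=IPPROTO_IPIP),
    Rule("ACCEPT", "ipip from secondary lb", src=LB_SECONDARY + "/32", proto=IPPROTO_IPIP),
    Rule("ACCEPT", "anything to vip", dst=VIP + "/32"),
    Rule("ACCEPT", "loopback", iface="lo", src="127.0.0.1/32"),
    Rule("ACCEPT", "tunl0", iface="tunl0"),
    Rule("DROP", "global reject"),
]


def evaluate(chain, packet):
    """Return (verdict, rule index, comment) for the first matching rule, or the
    chain policy (ACCEPT, as posted) with index -1 if nothing matches."""
    for i, rule in enumerate(chain):
        if rule.matches(packet):
            return rule.target, i, rule.comment
    return "ACCEPT", -1, "chain policy"


# Stage 1: the encapsulating IPIP packet from the primary LB, seen on eth0.
OUTER = Packet(iface="eth0", src=LB_PRIMARY, dst=REAL_SERVER, proto=IPPROTO_IPIP)
# Stage 2: the decapsulated client SYN, re-entering INPUT on tunl0 (client is constructed).
INNER = Packet(iface="tunl0", src="203.0.113.77", dst=VIP, proto=IPPROTO_TCP,
               sport=51234, dport=80)

if __name__ == "__main__":
    for name, pkt in (("outer IPIP on eth0", OUTER), ("inner SYN on tunl0", INNER)):
        print(f"{name}: {evaluate(FIREWALL_CHAIN, pkt)}")
```

On the rules as posted, the outer packet stops at the "ipip from primary lb" rule and the inner SYN at the "www" rule (it never reaches the "anything to vip" or tunl0 rules, which only matter for non-HTTP traffic to the VIP), so both stages evaluate to ACCEPT. When the model and the box disagree like this, the thing to read next is the live rule counters on the real server (`iptables -L Firewall -v -n`): they show whether the IPIP packets are hitting the `-p ipip` rules, being swallowed by an earlier match, or falling through to the final DROP, which narrows the problem to a rule, a match option such as `-p ipip`, or something outside the filter table.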