problem marking 3_tier client packets with iptables

Roberto Nibali ratz at drugphish.ch
Tue May 21 22:23:40 BST 2002


Hello Joe,

As you already seem to have the right answer, I was actually more wondering 
about the usage of such a setup.

Joseph Mack wrote:
> Sometimes LVS-DR realservers have clients which need
> to connect to hosts on the internet, eg a squid realserver
> needs to connect from RIP (not VIP) to 0/0:80.

Correct me if I'm wrong, but do you mean a request through the director 
onto the RS initiates a connection from the RS back to the Internet to a 
squid server, which then replies to the RS, which in turn replies with the 
final response packet to the DGW?

To help you further with my strange logic: I'm horribly confused by the 
following wording "... realservers have clients which need to connect to 
hosts on the internet ...". Could you please explain this to me so I 
don't come up with a statement like the one above ;).

If my statement above is ok, why would you ever want to set up such a 
strange thing?

> In my configure script, currently
> I block all connections from RIP to 0/0.
> I now want to let out all packets to 0/0:80 
> say but to DROP or REJECT other packets from RIP to 0/0:!80. 

Why don't you set the policy for the chains to DROP and simply accept 
the packets you need?

> o mark packets from RIP to multiple services on the internet
> o DROP or REJECT the rest of the packets to 0/0
> 
> What I tried to do was to set up another chain (3_tier) and send all
> allowed packets to it, to DROP the rest and mark all packets that
> get to the 3_tier chain.

Why do you need an extra chain? Isn't it enough to simply mark the 
packets or do you have multiple different destinations?

> #here packets to 0/0:23 and 0/0:80 are sent to a new chain
> iptables -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport telnet -j 3_tier
> iptables -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport http -j 3_tier

What about packets that come back? I'm really confused. Don't you need a 
--state RELATED,ESTABLISHED rule or at least an INPUT chain rule? Or is your 
packet filter (the RS in this case) completely open?

Cheers,
Roberto Nibali, ratz
-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc

More information about the lvs-users mailing list