problem marking 3_tier client packets with iptables

Joseph Mack mack.joseph at
Wed May 22 11:45:35 BST 2002

Julian ecrit:

> Don't forget the ICMP traffic related to the allowed TCP connections, 
> you have to pass it too (in FORWARD).

oooh, OK. Thanks

Roberto Nibali wrote:

> Correct me if I'm wrong but do you mean a request through the director
> onto the RS initiates a connection from the RS back to the Internet to a
> squid server who then replies to the RS which in turn replies with the
> final response packet to the DGW?

client makes http request to the director, which passes it to the realserver
which is actually a squid. The squid will make connections from RIP to httpds out
on the internet.
> If my statement above is ok, why would you ever want to set up such a
> strange thing?

that's the way squids work?
As well other clients (eg DNS) on the realservers may need connection
to the internet. I want to have a line in the configure file
which lists the IP:port pairs (eg 0/0:80, x.x.x.x:53)
that clients on the realservers are allowed to connect to.

> Why don't you set the policy for the chains to DROP and simply accept
> the packets you need?

functionally that's what I want to do. Maybe I'm not doing it the 
usual way. What I'm now doing is

-A OUTPUT -t mangle mark packet to some IP:port
-A OUTPUT -t mangle mark packet to another IP:port
-A OUTPUT if packet is marked -j RETURN
> Why do you need an extra chain? Isn't it enough to simply mark the
> packets or do you have multiple different destinations?

I figured a way not to have an extra chain, but for my first attempt,
I thought I'd send all the packets I wanted to mark to another chain
and mark everything that arrived in the other chain. This way I could 
put the rules into the OUTPUT chain without other changes to the OUTPUT 
chain and I could have the -j DROP in the other chain. 
> > #here packets to 0/0:23 and 0/0:80 are sent to a new chain
> > iptables -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport telnet -j 3_tier
> > iptables -A OUTPUT -p tcp -s ${RIP}/32 -d 0/0 --dport http -j 3_tier
> What about packets that come back? I'm really confused. Don't you need a
> --state RELATED,ESTABLISHED or at least an INPUT chain rule? Or is your
> packetfilter (RS in this case) completely open?

For testing, INPUT is open. I don't know how to do RELATED, ESTABLISHED.
If I can't figure it out from the docs, I'll be posting again ;-)


Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center, 
mailto:mack.joseph at ph# 919-541-0007, RTP, NC, USA

More information about the lvs-users mailing list