ldirectord appears to cause iptable traversal issue

Brian Jenkins bjenkins at monex.com
Tue Oct 24 01:57:45 BST 2006


Hi all:

I'm running lvs on my firewall and everything works well.  However, when 
I run ldirectord a strange thing happens when packets traverse my 
script's INPUT chain.  When a packet hits a rule on the INPUT chain that 
attempts to match on destination address, firewall mark, or certain 
other fields, the packet does not get accepted when it should, and 
instead skips to the end of the chain and gets acted on in a manner 
consistent with the default policy.  I can't for the life of me figure 
out what ldirectord is doing to the packet to cause this behavior.  My 
system is as follows:

OS:
SuSE 10.1

Firewall Script (relevant parts):
iptables -A INPUT -p tcp -d $EXT_WEB_SITE_IP -j LOG --log-level $LG_LVL --log-prefix "INPUT packet 1 "
iptables -A INPUT -p tcp -d $EXT_WEB_SITE_IP -j ACCEPT
iptables -A INPUT -p tcp -d $EXT_WEB_SITE_IP -j LOG --log-level $LG_LVL --log-prefix "INPUT packet 2 "

iptables -A OUTPUT -p tcp -d $INT_WEB_SITE_IP -j LOG --log-level $LG_LVL --log-prefix "OUTPUT packet 1 "
iptables -A OUTPUT -o $INT_IF -p tcp -j ACCEPT

iptables -A FORWARD -o $EXT_IF -j ACCEPT

iptables -t mangle -A PREROUTING -d $EXT_WEB_SITE_IP -j MARK --set-mark 1

iptables -t nat -A POSTROUTING -s $INT_NET -j MASQUERADE

firewall2:/etc/rc.d # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
LOG        tcp  --  anywhere             firewall2 LOG level notice prefix `INPUT packet 1 '
ACCEPT     tcp  --  anywhere             firewall2
LOG        tcp  --  anywhere             firewall2 LOG level notice prefix `INPUT packet 2 '

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
LOG        tcp  --  anywhere             X.X.X.189        LOG level notice prefix `OUTPUT packet 1 '
ACCEPT     tcp  --  anywhere             anywhere

firewall2:/etc/rc.d # ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  1 rr
  -> X.X.X.190:80              Masq    0      0          0
  -> X.X.X.189:80              Masq    0      1          0

Again, if I update the LVS table by using ipvsadm within the firewall 
script, instead of ldirectord, everything works fine.

Many thanks for any help that you can give.

Brian
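An added example, not part of the post above: a small parser for the `ipvsadm -L -n` listing that reports real servers whose weight is 0. ldirectord's quiescent mode sets a failed real server's weight to 0 instead of removing it, so IPVS stops scheduling new connections to it; both real servers in the listing above carry weight 0, which is worth checking before looking further at the iptables chains. The sample listing is constructed with documentation addresses, not the poster's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the `ipvsadm -L -n` output shown in the post.
SAMPLE = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  1 rr
  -> 192.0.2.190:80               Masq    0      0          0
  -> 192.0.2.189:80               Masq    0      1          0
"""

@dataclass
class Service:
    kind: str        # "TCP", "UDP" or "FWM" (firewall-mark service)
    ident: str       # "addr:port" for TCP/UDP, the mark value for FWM
    scheduler: str   # e.g. "rr", "wlc"
    reals: list = field(default_factory=list)  # (addr:port, forward, weight, active, inactive)

SERVICE_RE = re.compile(r"^(TCP|UDP|FWM)\s+(\S+)\s+(\S+)")
# The column-header line also starts with "->" but has no numeric fields, so it is skipped.
REAL_RE = re.compile(r"^\s*->\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)")

def parse_ipvsadm(text):
    """Return the virtual services in an `ipvsadm -L -n` listing with their real servers."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services.append(Service(m.group(1), m.group(2), m.group(3)))
            continue
        m = REAL_RE.match(line)
        if m and services:
            services[-1].reals.append(
                (m.group(1), m.group(2), int(m.group(3)), int(m.group(4)), int(m.group(5))))
    return services

def quiesced_reals(services):
    """Real servers with weight 0: IPVS will not schedule new connections to them."""
    return [(s.kind, s.ident, r[0]) for s in services for r in s.reals if r[2] == 0]

if __name__ == "__main__":
    for kind, ident, real in quiesced_reals(parse_ipvsadm(SAMPLE)):
        print(f"{kind} {ident}: real server {real} has weight 0 (quiesced?)")
```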

