[lvs-users] Blocking LVS probes with iptables

Hallvard Breien Furuseth h.b.furuseth at usit.uio.no
Mon Nov 20 14:38:59 GMT 2017

I want a realserver to temporarily tell the load balancer to not
send new connections, but to keep old connections.  This seems to
work, is it OK?

   LB_dip=  # Load balancer - director
   iptables -A INPUT -i eth0 -s $LB_dip -p tcp --syn -j REJECT \
                     -m time --datestop 2017-11-20T18:30

Tunneling/Direct routing.  LVS probes just connect and disconnect.

I don't remember why the --syn is there, maybe we should drop it
for simplicity.  The --datestop is because we'll forget to unblock
probes someday, and then we'd wonder why the server doesn't work.

Should make an IPv6 version too.

Full "minimal" iptables, interested in nothing but load balancing:

LB_dip=  # Load balancer - director
LB_vip=     # Load balancer - virtual IP address

# Handle most of the traffic early. Not needed with these minimal rules.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Let through tunnel traffic from load balancer
-A INPUT -i eth0 -s $LB_dip -p 4 -j ACCEPT
-A INPUT -i tunl0 -j ACCEPT

# LB_hook is usually empty
-N LB_hook
-A INPUT -j LB_hook
# Temporarily blocking new connections from load balancer.
-A LB_hook -i eth0 -s $LB_dip -p tcp --syn -j REJECT \
                     -m time --datestop 2017-11-20T18:30

# Drop ipip tunnel traffic from anywhere other than $LB_dip
-A INPUT -p 4 -j DROP

# Keep packets small enough to fit in a tunneled packet
-A OUTPUT -s $LB_vip -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -j TCPMSS --set-mss 1440
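The following is an added example, not code from the post or from the LVS project: a small POSIX sh script for a realserver that does what the LB_hook rule above does for both IPv4 and IPv6, computes the --datestop from a duration, and is idempotent (it uses `iptables -C` to check before inserting). It assumes hypothetical director addresses 192.0.2.10 and 2001:db8::10 (documentation ranges), uplink eth0, GNU date(1), and iptables 1.4.11 or newer for -C; it needs root to change rules. One caveat worth knowing when using the -m time match: the kernel compares --datestop against UTC unless --kerneltz is also given, so a literal such as 2017-11-20T18:30 is a UTC time, and the script therefore generates its stop time in UTC.

```shell
#!/bin/sh
# Added example (not from the original post): drain a realserver by refusing
# new LVS probe connections from the director for a limited time, on both
# IPv4 and IPv6, with the rule expiring by itself via the xt_time match.
#
# Assumptions (hypothetical, adjust to your site): director addresses
# 192.0.2.10 / 2001:db8::10, uplink eth0, GNU date(1), iptables >= 1.4.11
# for the -C (check) command.  Root is needed to actually change rules.
set -eu

LB_DIP4="${LB_DIP4:-192.0.2.10}"      # director IPv4 (documentation range)
LB_DIP6="${LB_DIP6:-2001:db8::10}"    # director IPv6 (documentation range)
IFACE="${IFACE:-eth0}"
CHAIN="LB_hook"                       # same hook chain as in the post
IPT4="${IPT4:-iptables}"
IPT6="${IPT6:-ip6tables}"

# Chain name plus rule spec for one address family, usable with -A/-I/-C/-D.
# Only SYNs are rejected, so probe connections that are already open keep
# working (they are accepted by the RELATED,ESTABLISHED rule before this
# chain anyway).  xt_time compares --datestop with UTC unless --kerneltz is
# given, so the caller must pass a UTC timestamp of the form YYYY-MM-DDThh:mm.
drain_rule() {   # $1 = director address, $2 = UTC stop time
    printf '%s -i %s -s %s -p tcp --syn -m time --datestop %s -j REJECT' \
        "$CHAIN" "$IFACE" "$1" "$2"
}

# UTC timestamp $1 minutes from now, in the format xt_time expects.
stop_at() {
    date -u -d "@$(( $(date +%s) + $1 * 60 ))" '+%Y-%m-%dT%H:%M'
}

# Make sure the hook chain exists and INPUT jumps to it (idempotent).
ensure_chain() {   # $1 = iptables binary
    "$1" -N "$CHAIN" 2>/dev/null || true
    "$1" -C INPUT -j "$CHAIN" 2>/dev/null || "$1" -A INPUT -j "$CHAIN"
}

# Insert the drain rule at the top of the hook chain unless already present.
# The command substitutions are deliberately unquoted: they must word-split.
add_drain() {   # $1 = iptables binary, $2 = director address, $3 = stop time
    ensure_chain "$1"
    "$1" -C $(drain_rule "$2" "$3") 2>/dev/null || \
        "$1" -I $(drain_rule "$2" "$3")
}

drain_start() {   # $1 = minutes to stay drained
    stop=$(stop_at "$1")
    add_drain "$IPT4" "$LB_DIP4" "$stop"
    add_drain "$IPT6" "$LB_DIP6" "$stop"
    echo "new probe connections refused until $stop UTC"
}

# Expired rules stay in the chain doing nothing; flushing clears them too,
# and also ends a drain early.
drain_stop() {
    "$IPT4" -F "$CHAIN"
    "$IPT6" -F "$CHAIN"
}

drain_status() {
    "$IPT4" -S "$CHAIN"
    "$IPT6" -S "$CHAIN"
}

case "${1:-}" in
    start)  drain_start "${2:-30}" ;;
    stop)   drain_stop ;;
    status) drain_status ;;
    *)      echo "usage: $0 start [MINUTES] | stop | status" >&2 ;;
esac
```

Run it as `./drain.sh start 30` before maintenance and `./drain.sh stop` when done; `./drain.sh status` lists what is in LB_hook for both families. Because the rule is inserted with -I, it takes precedence over anything else already in the hook chain, and the -C check keeps a repeated `start` from stacking duplicate rules.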
