[lvs-users] Blocking LVS probes with iptables

Michael Schwartzkopff ms at sys4.de
Mon Nov 20 14:55:14 GMT 2017


On 20.11.2017 at 15:38, Hallvard Breien Furuseth wrote:
> I want a realserver to temporarily tell the load balancer to not
> send new connections, but to keep old connections.  This seems to
> work, is it OK?

Why don't you just set its weight to zero?

>    LB_dip=111.22.33.44/31  # Load balancer - director
>    iptables -A INPUT -i eth0 -s $LB_dip -p tcp --syn -j REJECT \
>                      -m time --datestop 2017-11-20T18:30
>
> Tunneling/Direct routing.  LVS probes just connect and disconnect.
>
> I don't remember why the --syn is there, maybe we should drop it
> for simplicity.  The --datestop is because we'll forget to unblock
> probes someday, and then we'd wonder why the server doesn't work.
>
> Should make an IPv6 version too.
>
>
>
> Full "minimal" iptables, interested in nothing but load balancing:
>
> LB_dip=111.22.33.44/31  # Load balancer - director
> LB_vip=111.22.33.55     # Load balancer - virtual IP address
>
> # Handle most of the traffic early. Not needed with these minimal rules.
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
> # Let through tunnel traffic from load balancer
> -A INPUT -i eth0 -s $LB_dip -p 4 -j ACCEPT
> -A INPUT -i tunl0 -j ACCEPT
>
> # LB_hook is usually empty
> -N LB_hook
> -A INPUT -j LB_hook
> # Temporarily blocking new connections from load balancer.
> -A LB_hook -i eth0 -s $LB_dip -p tcp --syn -j REJECT \
>                      -m time --datestop 2017-11-20T18:30
>
> # Reject ipip tunnel traffic from elsewhere than $LB_dip
> -A INPUT -p 4 -j DROP
>
> # Keep packets small enough to fit in a tunneled packet
> -A OUTPUT -s $LB_vip -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -j TCPMSS --set-mss 1440
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> Send requests to lvs-users-request at LinuxVirtualServer.org
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users


Kind regards,

-- 

[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein


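The thread contrasts two ways of quiescing a realserver: setting its weight to zero on the director (ipvsadm -w 0, which stops new connections while existing ones continue, but requires access to the director), and the quoted iptables rule that rejects SYNs from the director on the realserver itself, with a time match so the block expires even if everyone forgets about it. The script below is an added example for this thread, not the poster's or the LVS project's code. It takes the user-defined LB_hook chain from the quoted ruleset as given, chooses iptables or ip6tables from the director's address family (the IPv6 version the poster mentions), builds the --datestop value in UTC (the time match compares against UTC unless --kerneltz is given, so a local-time value like 18:30 silently shifts by the zone offset), refuses to add a duplicate rule via -C, and reports whether rules left in the chain are still live or already expired. The helper names, the default interface eth0 and GNU date's "-d +N minutes" are assumptions of this example; set IPTABLES=echo to see the generated commands without applying them.

```shell
#!/bin/sh
# Drain an LVS realserver (tunnel / direct-routing setup) from the realserver
# side: reject new TCP connections (SYN) arriving from the director for a
# limited time, while established connections keep flowing. Added example for
# this thread, not the poster's own script. Assumptions: a user-created LB_hook
# chain as in the quoted ruleset, GNU date (for "-d +N minutes"), and
# iptables/ip6tables on PATH. Set IPTABLES=echo (or IP6TABLES=echo) to print
# the commands instead of applying them.

: "${IPTABLES:=iptables}"
: "${IP6TABLES:=ip6tables}"
: "${LB_HOOK:=LB_hook}"

# Pick the tool by the address family of the director address: IPv6 has ':'.
fw_for() {
    case "$1" in
        *:*) echo "$IP6TABLES" ;;
        *)   echo "$IPTABLES" ;;
    esac
}

# -m time compares against UTC unless --kerneltz is given, so build the
# --datestop value in UTC: N minutes from now, minute resolution.
datestop_in() {
    date -u -d "+$1 minutes" '+%Y-%m-%dT%H:%M'
}

# One rule body shared by add (-A), delete (-D) and check (-C), so the three
# always agree. $1 = chain, $2 = director CIDR, $3 = interface, $4 = datestop
drain_rule() {
    printf '%s -i %s -s %s -p tcp --syn -m time --datestop %s -j REJECT' \
        "$1" "$3" "$2" "$4"
}

# Start draining for $3 minutes (default 60) on interface $2 (default eth0).
# -C checks for an identical rule first so re-running does not pile up copies.
start_drain() {
    fw=$(fw_for "$1")
    stop=$(datestop_in "${3:-60}")
    rule=$(drain_rule "$LB_HOOK" "$1" "${2:-eth0}" "$stop")
    # word-splitting of $rule into separate arguments is intended
    if [ "$fw" != echo ] && $fw -C $rule 2>/dev/null; then
        echo "drain already active until $stop UTC"
    else
        $fw -A $rule
    fi
}

# Read "iptables -S <chain>" output on stdin and print the --datestop of each
# time-limited REJECT rule; iptables -S prints it as YYYY-MM-DDThh:mm:ss.
active_datestops() {
    awk '/-j REJECT/ && /--datestop/ {
             for (i = 1; i <= NF; i++) if ($i == "--datestop") print $(i + 1)
         }'
}

# Exit 0 if datestop $1 is still in the future (rule still blocks), 1 if it has
# passed: the rule is then inert clutter in the chain and can be deleted.
# ISO-8601 timestamps compare correctly as plain strings.
datestop_live() {
    expr "$1" \> "$(date -u '+%Y-%m-%dT%H:%M:%S')" >/dev/null
}

# Report each drain rule in the hook chain for director $1 as live or expired.
drain_status() {
    fw=$(fw_for "$1")
    $fw -S "$LB_HOOK" 2>/dev/null | active_datestops | while read -r stop; do
        if datestop_live "$stop"; then
            echo "live    until $stop UTC"
        else
            echo "expired at    $stop UTC (safe to delete)"
        fi
    done
}

# Usage: ./drain.sh start <director-cidr> [iface] [minutes]
#        ./drain.sh status <director-cidr>
case "${1:-}" in
    start)  start_drain "$2" "${3:-eth0}" "${4:-60}" ;;
    status) drain_status "$2" ;;
esac
```

Because the rule body is produced by one function, the -C check, the -A add and a later -D delete use byte-identical arguments; iptables -S prints the stop time with seconds, which the status report parses back and compares against the current UTC time so an expired block is not mistaken for a live one.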