Mailing List Archive: Linux Virtual Server: Users

[lvs-users] LVS Setup



mcgredo at nps

Apr 23, 2009, 5:28 PM

Post #1 of 3 (660 views)
Permalink
[lvs-users] LVS Setup

I'm trying to use LVS in a NAT setup. The realserver is at 192.168.1.3;
HTTP is the service. A connection comes in to the LVS server, but when
iptables is running it hangs in a SYN_RECV state, not completing the
three-way handshake.

This is being caused by iptables; when I turn it off the connection is
established to the realserver.

I've got IP FORWARD turned on, but I'm not quite sure about the correct
recipe for iptables port forwarding here, and don't see an obvious answer
in the how-to.

Would someone care to enlighten me?

/etc/sysconfig/iptables on LVS:


# Generated by iptables-save v1.3.5 on Mon Apr 13 12:02:08 2009
*nat
:PREROUTING ACCEPT [58:9989]
:POSTROUTING ACCEPT [6:432]
:OUTPUT ACCEPT [6:432]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 13 12:02:08 2009
# Generated by iptables-save v1.3.5 on Mon Apr 13 12:02:08 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [374659:29767933]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 539 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3636 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT




_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users


jmack at wm7d

Apr 23, 2009, 5:34 PM

Post #2 of 3 (622 views)
Permalink
Re: [lvs-users] LVS Setup [In reply to]

On Thu, 23 Apr 2009, Don McGregor wrote:

> This is being caused by iptables; when I turn it off the connection is
> established
> to the realserver.

You could ask the computer. Add the rules one at a time and
see which one kills the connection.

Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!



graeme at graemef

Apr 24, 2009, 1:02 AM

Post #3 of 3 (613 views)
Permalink
Re: [lvs-users] LVS Setup [In reply to]

On Thu, 2009-04-23 at 17:28 -0700, Don McGregor wrote:
> I'm trying to use LVS in a NAT setup. the realserver at 192.168.1.3
> Http is the service. A connection comes in to the LVS server, but when
> iptables
> is running it hangs in a SYN_RECV state, not completing the three-way
> handshake.

Add a rule somewhere which permits all traffic (or that with src port ==
80, proto == tcp) from 192.168.1.3.

Graeme


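One way to turn Graeme's suggestion into a concrete rule, and to check an iptables-save dump for it, as an added example that is not code from this thread or from the LVS project. It takes the realserver address (192.168.1.3) and the chain names from Don's dump; the two sample dumps inside the script are constructed for the check and are trimmed copies of his filter table. The ordering matters: Don's FORWARD chain jumps straight into RH-Firewall-1-INPUT, whose last rule is a REJECT, so an ACCEPT for the realserver's replies has to be inserted before that jump (hence `-I FORWARD 1`), and the check reports "missing" whenever the jump or a REJECT/DROP is reached first. Graeme's broader alternative (all traffic from 192.168.1.3) is the same command without `-p tcp --sport 80`.

```shell
#!/bin/sh
# Added example, not part of the thread. Values from Don's dump: the
# realserver address and the RH-Firewall-1-INPUT chain. Everything else
# (port, sample dumps) is an assumption or constructed for the check.

REALSERVER="192.168.1.3"
REALSERVER_PORT="80"

# Print the iptables command that lets the realserver's reply traffic
# through FORWARD. Position 1 puts it ahead of the jump into
# RH-Firewall-1-INPUT, whose final rule REJECTs everything unmatched.
lvs_nat_return_rule() {
    printf 'iptables -I FORWARD 1 -s %s -p tcp --sport %s -j ACCEPT\n' \
        "$REALSERVER" "$REALSERVER_PORT"
}

# Read an iptables-save dump on stdin and report whether the filter
# table's FORWARD chain ACCEPTs traffic from the realserver before any
# rule that can reject it (REJECT, DROP, or the jump into the RH chain).
# Prints "ok" (exit 0) or "missing" (exit 1).
forward_allows_realserver() {
    awk -v rs="$REALSERVER" '
        substr($0, 1, 1) == "*" { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" {
            if ($0 ~ ("-s " rs) && $0 ~ /-j ACCEPT/) { found = 1; exit }
            if ($0 ~ /-j (REJECT|DROP|RH-Firewall-1-INPUT)/) { exit }
        }
        END {
            if (found) { print "ok"; exit 0 }
            print "missing"; exit 1
        }
    '
}

# Constructed sample: the FORWARD path as Don posted it (jump first,
# no rule for the realserver).
BEFORE='*filter
:FORWARD ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: the same table after the suggested rule was
# inserted at position 1 (this is how iptables-save would render it).
AFTER='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.1.3/32 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

check_before() { printf '%s\n' "$BEFORE" | forward_allows_realserver; }
check_after()  { printf '%s\n' "$AFTER"  | forward_allows_realserver; }

# Stand-alone run: show the rule, then the verdict on each sample.
# On a real director, feed `iptables-save` into forward_allows_realserver
# instead of the constructed dumps.
lvs_nat_return_rule
check_before || true
check_after
```

On the director itself the check is `iptables-save | forward_allows_realserver` after sourcing the functions; it reads only the dump, so it needs no root beyond what iptables-save itself requires, and it can be re-run after applying the printed rule to confirm the ordering survived.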
