I've got two geographically different clusters of servers hosting the same sites in various server pairs. There is a primary site and a secondary site sharing the same subnets via BGP failover. Additionally, each site has its own subnet, which is not shared, for the real server IPs. The LVS directors both sit behind the router on the primary site, and route traffic to other servers behind that router via LVS-DR, or to the real servers at the secondary site via LVS-TUN.

While testing a restricted-access-by-IP site in the last couple of days I came to realize that the LVS-TUN servers are not actually abiding by the iptables rules set up for them. At first I thought it was due to the traffic coming in via IPv6>IPv4 tunnels, but after adding a bunch of ip6tables rules the problem has not resolved.

The firewall rules for iptables are set up for the real servers on eth0 for both the LVS-DR server and the LVS-TUN server. On the LVS-DR server the non-arp'd IPs are set up as aliases on the loopback (lo0) device. On the LVS-TUN servers the IPs are aliases on the tunl0 device. The tunl0 I originally gave an IP of 192.168.10.5, as it served no purpose by itself other than to exist, but I've since re-started the device with the same IP as eth0 and this has had no effect either.

This only affects the tunnelled traffic. If I block everything except traffic to the server from the director I still get traffic through to the remote server, e.g.

    iptables -I INPUT -s ! lvsdirector -d ! lvscheckhost -p tcp --dport 80 -i eth0 -j REJECT

So how do I make the server at the end of the tunnel filter via iptables the traffic redirected from the LVS directors? Is a second set of rules required for the tunl0 interface and its aliases?

___________________________________________________
Dan Brown
[EMAIL PROTECTED]

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

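An added example, not part of the post above and not code from the LVS project, showing what a netfilter ruleset on an LVS-TUN real server has to look like for the filtering the poster describes to take effect. The point it demonstrates: the director forwards LVS-TUN traffic as IPIP (IP protocol 4) packets addressed to the real server, so on eth0 netfilter sees protocol 4, not TCP port 80, and a `-p tcp --dport 80 -i eth0` rule never matches. Only after the kernel decapsulates the packet through tunl0 does the original TCP packet (destination VIP, the client's real source address) traverse INPUT again, this time with `-i tunl0`. The per-client restriction therefore belongs on the tunnel interface, and the eth0 rules should restrict who may send protocol 4 at all. The director, VIP, client range and interface names below are placeholders (assumptions), and the script is one a practitioner would adapt, not a known-good configuration from the original thread.

```shell
#!/bin/sh
# Added example for an LVS-TUN real server; not from the original post.
# All addresses and interface names below are assumed placeholders.
DIRECTOR=${DIRECTOR:-203.0.113.10}        # assumed LVS director address
VIP=${VIP:-198.51.100.80}                 # assumed VIP aliased onto tunl0
ALLOWED_NET=${ALLOWED_NET:-192.0.2.0/24}  # assumed permitted client range
EXT_IF=${EXT_IF:-eth0}                    # interface the IPIP packets arrive on
TUN_IF=${TUN_IF:-tunl0}                   # interface the inner packets appear on

# Print a ruleset in iptables-restore(8) format.
lvs_tun_rules() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# LVS-TUN traffic from the director arrives on $EXT_IF as IP protocol 4
# (IPIP). A "-p tcp --dport 80 -i $EXT_IF" rule never sees it, so instead
# accept the encapsulated packets from the director only and drop any
# other IPIP that reaches this host.
-A INPUT -i $EXT_IF -p 4 -s $DIRECTOR -j ACCEPT
-A INPUT -i $EXT_IF -p 4 -j DROP
# After decapsulation the inner packet passes through INPUT a second
# time with -i $TUN_IF, destination $VIP and the client's real source
# address. This is where the per-client restriction has to live.
-A INPUT -i $TUN_IF -d $VIP -p tcp --dport 80 -s $ALLOWED_NET -j ACCEPT
-A INPUT -i $TUN_IF -d $VIP -p tcp --dport 80 -j REJECT --reject-with tcp-reset
# Nothing else should come out of the tunnel.
-A INPUT -i $TUN_IF -j DROP
COMMIT
EOF
}

# Number of rules that act on the decapsulated traffic; a ruleset that
# forgets the tunnel interface entirely is the failure mode in question.
lvs_tun_rule_count() {
    lvs_tun_rules | grep -c -- "^-A INPUT -i $TUN_IF "
}

# Load the ruleset atomically. Run as root on the real server only.
lvs_tun_apply() {
    lvs_tun_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    lvs_tun_apply
else
    lvs_tun_rules
fi
```

To confirm what the rules are matching on, watch both sides of the decapsulation on the real server: `tcpdump -ni eth0 ip proto 4` shows the encapsulated packets from the director, and `tcpdump -ni tunl0 tcp port 80` shows the inner packets with the client's own source address. After loading the ruleset, `iptables -L INPUT -v -n` should show the packet counters climbing on the `-i eth0 -p 4` rule and on the `-i tunl0` rules, not on any eth0 TCP rule.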