Hi

w y wrote:
> But now, I am wondering if my way of firewalling is the good one:
> by default, everything is forbidden. And after, I open explicitly
> the ports I want to open ...
Yes, you can do that, you just have to keep in mind how packets move in IPVS. On the incoming path the packets come to INPUT and leave through OUTPUT. On the outgoing path - for DR and TUN there usually isn't one. However, in case of NAT, the packets go through FORWARD and are a bit difficult to match because their source address is still the RS source address and there is no conntrack (there is an iptables patch that allows matching against the ipvs connection table).

So you need to ACCEPT the VSIP:port in INPUT and make sure OUTPUT does not block it. And if you use NAT, you must also ACCEPT the response packets in FORWARD.

You can use -j LOG in the end of each DROP chain to debug a default-drop firewall.

Siim

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - [email protected]
Send requests to [email protected]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
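As an added example (not code from the post or from the LVS project), the script below emits a default-drop ruleset of the kind described above in iptables-restore format: VIP:port accepted in INPUT, real-server replies accepted in FORWARD only for NAT mode, and a LOG rule at the end of each dropping chain. The VIP, port and real-server subnet are constructed placeholders, and OUTPUT is left with an ACCEPT policy as the simplest way of not blocking the load-balanced packets.

```shell
#!/bin/sh
# Emit a default-drop iptables ruleset for an IPVS director in
# iptables-restore format, so it can be reviewed before loading with
# "iptables-restore < rules.txt". All addresses are constructed examples.
#
# Usage: lvs_fw_rules MODE VIP PORT RS_NET   (MODE: nat, dr or tun)
lvs_fw_rules() {
    mode=$1 vip=$2 port=$3 rs_net=$4
    case $mode in
        nat|dr|tun) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    # OUTPUT must not block the load-balanced packets; an ACCEPT policy
    # is the simplest setting that satisfies this (assumption of this example).
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Director's own traffic: loopback plus conntrack-tracked replies.
    # This does NOT cover IPVS flows, which have no conntrack entry, so the
    # explicit VIP rule below is still required.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Client -> VIP: IPVS picks the packet up at INPUT, so ACCEPT it there.
    printf '%s\n' "-A INPUT -p tcp -d $vip --dport $port -j ACCEPT"
    if [ "$mode" = nat ]; then
        # NAT only: real-server replies traverse FORWARD with the RS address
        # still as source (no conntrack entry), so match on the RS subnet.
        printf '%s\n' "-A FORWARD -p tcp -s $rs_net --sport $port -j ACCEPT"
    fi
    # Log whatever falls through before the DROP policy discards it.
    printf '%s\n' '-A INPUT -j LOG --log-prefix "INPUT-DROP: "'
    printf '%s\n' '-A FORWARD -j LOG --log-prefix "FORWARD-DROP: "'
    printf '%s\n' 'COMMIT'
}

# Example: VIP 192.0.2.10 (constructed, TEST-NET-1), HTTP, RS subnet 10.0.0.0/24
lvs_fw_rules nat 192.0.2.10 80 10.0.0.0/24
```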
