I'm trying to use LVS in a NAT setup. The realserver is at 192.168.1.3 and HTTP is the service. A connection comes in to the LVS server, but when iptables is running it hangs in a SYN_RECV state, not completing the three-way handshake.
This is being caused by iptables; when I turn it off the connection is established to the realserver. I've got IP forwarding turned on, but I'm not quite sure about the correct recipe for iptables port forwarding here, and don't see an obvious answer in the HOWTO. Would someone care to enlighten me?

/etc/sysconfig/iptables on LVS:

# Generated by iptables-save v1.3.5 on Mon Apr 13 12:02:08 2009
*nat
:PREROUTING ACCEPT [58:9989]
:POSTROUTING ACCEPT [6:432]
:OUTPUT ACCEPT [6:432]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 13 12:02:08 2009
# Generated by iptables-save v1.3.5 on Mon Apr 13 12:02:08 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [374659:29767933]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 539 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3636 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - [email protected]
Send requests to [email protected] or go to http://lists.graemef.net/mailman/listinfo/lvs-users
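Editor's note, added here as an example and not part of the original post or of the LVS project's documentation. The posted ruleset has two problems for LVS-NAT on a kernel of that era (iptables 1.3.5 on RHEL 5 means a 2.6.18 kernel). First, `-A FORWARD -j RH-Firewall-1-INPUT` runs the real server's replies through a chain whose only rules that could match them require NEW or ESTABLISHED state and then REJECTs everything else. IPVS rewrites addresses outside netfilter connection tracking (the `net.ipv4.vs.conntrack` integration only arrived in 2.6.37), so conntrack records the client's SYN to the VIP but never sees a reply that pairs with it: the SYN/ACK that comes back from 192.168.1.3 still carries the RIP as its source when filter FORWARD sees it (IPVS rewrites it to the VIP in a later hook), is classified INVALID, and is rejected. The real server keeps retransmitting the SYN/ACK and its socket sits in SYN_RECV, which is the symptom in the post. Second, even with FORWARD opened, the client's final ACK to VIP:80 arrives on a tracked connection that conntrack still has in SYN_SENT, so it is INVALID too and the `--state NEW --dport 80` INPUT rule does not match it. The file below therefore excludes the load-balanced flows from tracking in the raw table and accepts them with stateless rules placed before the stateful chains. Everything named here that is not in the post is an assumption: eth0 is the public side, eth1 faces the real servers, 203.0.113.10 is a placeholder VIP, 192.168.1.0/24 is the real-server network and 192.168.1.3 is the only real server. The RH-Firewall-1-INPUT rules are the poster's own, unchanged.

```text
# Added example: /etc/sysconfig/iptables for an LVS-NAT director whose
# kernel does IPVS address rewriting outside netfilter conntrack.
# Assumptions (not from the post): eth0 public, eth1 towards the real
# servers, VIP 203.0.113.10 (placeholder), real servers in 192.168.1.0/24.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Leave the load-balanced flows untracked: conntrack could never pair the
# two halves anyway, and untracked packets do not match --state NEW or
# ESTABLISHED, so they must be accepted by stateless rules below.
-A PREROUTING -i eth0 -d 203.0.113.10 -p tcp -m tcp --dport 80 -j NOTRACK
-A PREROUTING -i eth1 -s 192.168.1.3 -p tcp -m tcp --sport 80 -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only the real servers' own outbound connections use this; IPVS does the
# translation for the balanced traffic itself and skips netfilter NAT.
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:LVS-FORWARD - [0:0]
# Client -> VIP:80, stateless and before the stateful chain. IPVS takes the
# packet over in LOCAL_IN, which runs after filter INPUT has accepted it.
-A INPUT -i eth0 -d 203.0.113.10 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
# FORWARD gets its own chain instead of reusing the INPUT policy.
-A FORWARD -j LVS-FORWARD
# Real server -> client replies. The source is still the RIP at this point
# (IPVS rewrites it to the VIP after filter FORWARD), so match on the RIP.
-A LVS-FORWARD -i eth1 -o eth0 -s 192.168.1.3 -p tcp -m tcp --sport 80 -j ACCEPT
# Real servers' own outbound traffic (updates, DNS) is tracked normally.
-A LVS-FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LVS-FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
-A LVS-FORWARD -j REJECT --reject-with icmp-host-prohibited
# Services on the director itself: the poster's chain, unchanged.
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 539 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3636 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

Load it with `service iptables restart` (or `iptables-restore < /etc/sysconfig/iptables`; the raw table needs the iptable_raw module, which that kernel has). To check it is doing what the comments claim, watch the packet counters in `iptables -t raw -L PREROUTING -n -v` and `iptables -L LVS-FORWARD -n -v` while a client connects, confirm that `ipvsadm -Lcn` shows the connection progressing past SYN_RECV, and confirm that /proc/net/ip_conntrack carries no entries for the VIP. The two NOTRACK rules also keep the balanced flows out of the conntrack table, which would otherwise fill with unreplied SYN_SENT entries. On 2.6.37 and later kernels the alternative is `sysctl -w net.ipv4.vs.conntrack=1`, after which IPVS keeps conntrack in step and ordinary `-m state` rules work; in that case drop the NOTRACK rules, since untracked packets would again bypass the state matches.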
