On Mon, 29 Nov 2010, devin wrote:
However sometimes we have clients who send us crazy amounts of traffic :-( and we end up having to block the traffic at the load balancer/keepalived server using IPTABLES. We basically configure IPTABLES to send a TCP RESET packet back to the user's browser so that the browser will give up trying to connect to our cluster.
This is the command we run on Linux to do the block.
/sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "sid=3225" --algo bm --to 65535 -j REJECT --reject-with tcp-reset
So I know sometimes this messes with the ActiveConn count, and I am not sure if this is affecting LVS in any way as we have to sometimes block a user for an entire day. So the problem I notice with this is that the "Activeconn" count just keeps building up as we are rejecting the traffic for a while but does seem to cap off at 32,000 connections per server right now.
You should be able to block these packets before ipvs() sees them. What if you use PREROUTING as the chain?
Look at the diagram here: http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.filter_rules.html#path_of_an_ip_vs_packet

There's no INPUT in this diagram. However this (cough) simplified diagram has INPUT: http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php

Here's a better diagram: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
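The chain placement Joe suggests, as an added example that is not part of the thread: the original filter/INPUT rule beside a mangle/PREROUTING variant that discards the request before it reaches the LVS code. The chain name LVS_BLOCK and the session ids are placeholders, and the script assumes iptables with the string match and the -C (check) option; the REJECT target is only valid in INPUT, FORWARD and OUTPUT, so the PREROUTING rule has to use DROP and the client sees a timeout instead of a TCP reset.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes iptables with -m string and
# the mangle table; LVS_BLOCK and the sid values are placeholders.
# REJECT is only valid in INPUT/FORWARD/OUTPUT, so PREROUTING must DROP.

CHAIN=LVS_BLOCK   # hypothetical user-defined chain hooked from mangle PREROUTING

# The session id is copied into an iptables argument, so accept digits only.
valid_sid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Match arguments shared by both placements (same as the command in the post).
match_args() {
    printf '%s' "-p tcp -m tcp --dport 80 -m string --string sid=$1 --algo bm --to 65535"
}

# Original placement: filter/INPUT, answering with a TCP reset.
input_rule() {
    valid_sid "$1" || return 1
    printf '%s\n' "iptables -A INPUT $(match_args "$1") -j REJECT --reject-with tcp-reset"
}

# Earlier placement: mangle/PREROUTING, where only DROP is available.
prerouting_rule() {
    valid_sid "$1" || return 1
    printf '%s\n' "iptables -t mangle -A $CHAIN $(match_args "$1") -j DROP"
}

# Create the chain once and hook it from PREROUTING; safe to re-run.
ensure_chain() {
    iptables -t mangle -N "$CHAIN" 2>/dev/null || true
    iptables -t mangle -C PREROUTING -j "$CHAIN" 2>/dev/null ||
        iptables -t mangle -I PREROUTING -j "$CHAIN"
}

# Usage: sh block_sid.sh 3225   (applies the PREROUTING rule; needs root)
if [ -n "${1-}" ]; then
    rule=$(prerouting_rule "$1") || { echo "bad session id: $1" >&2; exit 2; }
    ensure_chain
    eval "$rule"
fi
```

Remove a block later with the same arguments and -D instead of -A, or flush LVS_BLOCK with `iptables -t mangle -F LVS_BLOCK`.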
_______________________________________________
Please read the documentation before posting - it's available at: http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-requ...@linuxvirtualserver.org or go to http://lists.graemef.net/mailman/listinfo/lvs-users