Graeme Fowler said the following on 08/13/2012 02:11 PM:
[CUT]
> You're using LVS-NAT. The only place the VIP is present in the usual
> usage of this is in the external (client-facing) interface of the
> director.

Ok. Thank you for clarifying. So the external IP would be in the OUTPUT chain, and I could filter more specifically there (unless I get state working - which would be preferable :)

>> Also - for some reason there's no state - so I had to allow ALL packages
>> with source-port of 80 or 443 in the FORWARD chain.
> ipvs works in tandem with netfilter (is part of it nowadays,
> effectively), so state is recorded in the usual way in the conntrack
> tables. If yours isn't, then you may be using an old enough kernel that
> this doesn't happen or you don't have the appropriate netfilter modules
> loaded.

It's CentOS 6 - 2.6.32-220.el6.x86_64. Is that too old?

These modules are loaded:

nf_conntrack_ipv4       9506  4
nf_defrag_ipv4          1483  1 nf_conntrack_ipv4
nf_conntrack_ipv6       8748  2
nf_defrag_ipv6         12182  1 nf_conntrack_ipv6
nf_conntrack           79453  3 nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
ipv6                  322029 38 ip_vs,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6

Thank you for your help.

-- 
Regards,
Klavs Klavsen, GSEC - [email protected] - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - [email protected]
Send requests to [email protected]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
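A way to confirm the "no state" symptom discussed in this message, added here as an example that is not part of the original thread: it cross-checks the director's IPVS connection table against the conntrack table and lists IPVS connections that conntrack is not tracking (an empty list means the FORWARD chain can rely on ESTABLISHED,RELATED rather than blanket source-port 80/443 rules). The two inputs are constructed samples in the formats of `ipvsadm -Lnc` and `/proc/net/nf_conntrack`; on a real director replace them with the live output of those two sources.

```shell
#!/bin/sh
# Constructed sample of `ipvsadm -Lnc` output (not from the original post).
IPVS_SAMPLE='IPVS connection entries
pro expire state       source             virtual            destination
TCP 14:57  ESTABLISHED 203.0.113.5:51234  192.0.2.10:80      10.0.0.2:80
TCP 00:49  TIME_WAIT   203.0.113.6:40001  192.0.2.10:443     10.0.0.3:443'

# Constructed sample of /proc/net/nf_conntrack: only the first IPVS entry
# has a matching conntrack row, so the second one is the untracked case.
CT_SAMPLE='ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=192.0.2.10 sport=51234 dport=80 src=10.0.0.2 dst=203.0.113.5 sport=80 dport=51234 [ASSURED] mark=0 use=2'

# untracked_ipvs_conns IPVS_TABLE CONNTRACK_TABLE
# Prints "proto state client -> vip" for every IPVS connection whose client
# address:port has no conntrack entry in the original direction.
untracked_ipvs_conns() {
    ipvs="$1"; ct="$2"
    # Feed conntrack rows first, then a marker, then the IPVS table.
    { printf '%s\n' "$ct"; echo '__IPVS__'; printf '%s\n' "$ipvs"; } | awk '
        /^__IPVS__$/ { in_ipvs = 1; next }
        !in_ipvs {
            # The first src=/sport= pair on a conntrack row is the
            # original (client -> VIP) direction; key on client addr:port.
            if (match($0, /src=[^ ]+/)) {
                src = substr($0, RSTART + 4, RLENGTH - 4)
                if (match($0, /sport=[^ ]+/)) {
                    sport = substr($0, RSTART + 6, RLENGTH - 6)
                    seen[src ":" sport] = 1
                }
            }
            next
        }
        # ipvsadm -Lnc data rows: proto expire state source virtual dest
        $1 ~ /^(TCP|UDP)$/ {
            if (!($4 in seen)) print $1, $3, $4, "->", $5
        }'
}

untracked_ipvs_conns "$IPVS_SAMPLE" "$CT_SAMPLE"
```

On a live director the same function can be fed with `untracked_ipvs_conns "$(ipvsadm -Lnc)" "$(cat /proc/net/nf_conntrack)"`.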
