> -----Original Message-----
> From: lvs-users-boun...@linuxvirtualserver.org
> [mailto:lvs-users-boun...@linuxvirtualserver.org] On Behalf Of Timo Schöler
> Sent: Wednesday, July 30, 2014 6:51 PM
> To: lvs-users@linuxvirtualserver.org
> Subject: Re: [lvs-users] TCP Connection Sync Problems RHEL
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 07/30/2014 04:35 PM, Lloyd Brown wrote:
> >
> > On 07/30/2014 01:44 AM, Frank Kirschner wrote:
> >> Lloyd,
> >>
> >> hmm, it's senselessly doubled, but please can you try out what happens
> >> if you add on the 1st line:
> >>
> >> # /sbin/iptables -I INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> >> # /sbin/service iptables save
> >
> >
> > Frank,
> >
> > I can try it, but I'm not sure what you're expecting to see. I have a
> > working setup, so without understanding what you're expecting to
> > happen, I'm not sure what to look for.
> >
> > And there is already this one in the stock setup:
> >
> >> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > While it's not exactly the same, the only difference would be the
> > "NEW" flag. I'm not sure what benefit that would be, other than
> > accepting all new connections (if I'm understanding the flag
> > correctly). While this would probably work for at least some of the
> > stuff I'm doing, it seems excessively open. I could also flush all
> > the tables (iptables -F), and get it working, but it doesn't mean I
> > want to leave my server quite so open and unprotected.
> >
> >
> >
> >>
> >> Do you have any OUTPUT rules in your iptables set?
> >
> > Nope. I've checked all 4 tables (raw, mangle, nat, filter) that I can
> > find that have an OUTPUT chain, and there doesn't seem to be anything
> > in any of them. I certainly hadn't done it on purpose, and it doesn't
> > seem to be a part of the stock RHEL setup.
> >
> >
> >> After disabling SELinux, did you have to reboot the system?
> >
> > Yes. You do need to reboot to disable SELinux. And I did. And it
> > didn't have any effect, as far as I could tell.
>
> Hi, that is not entirely true. One can disable SELinux at
> runtime for quite a while now:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-sel-enable-disable-enforcement.html
>
> >> hope that helps, best regards Frank
>
> Best,

Sorry, I have not seen the ESTABLISHED,RELATED line in front of your fw table set. I want to go safe and have all states (also the additional NEW) in these rules.

best regards
Frank

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-requ...@linuxvirtualserver.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
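The concern Lloyd raises above, that a state rule carrying NEW at the top of INPUT accepts every new connection, is easy to check for mechanically. The following is an added example, not code from the thread or the LVS project: a POSIX shell and awk audit that scans an `iptables-save` style dump and flags INPUT ACCEPT rules matching the NEW conntrack state without any protocol, port, interface or address restriction. The sample ruleset embedded below is constructed for the example, modelled on the stock RHEL rules quoted in the thread plus the `-I INPUT` rule Frank proposed; in practice you would pipe real `iptables-save` output into `audit_state_rules`.

```shell
#!/bin/sh
# Added example (not from the thread): find blanket NEW-state accepts in INPUT.

# Constructed sample, in iptables-save format. The first rule is the one
# Frank suggested inserting at position 1; the rest resemble a stock RHEL set.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Reads a ruleset on stdin. Prints every INPUT ACCEPT rule whose --state list
# includes NEW and that carries no narrowing match (protocol, port, address,
# interface). A rule like that accepts all connection attempts that reach it,
# so everything after it in the chain, including the final REJECT, never sees
# new connections.
audit_state_rules() {
    awk '
        /^-A INPUT / && /-j ACCEPT/ && /--state [A-Z,]*NEW/ {
            # any of these options narrows the rule; without them it is blanket
            if ($0 !~ /(-p |--dport|--sport|-s |-d |-i )/) {
                print "OVERLY BROAD: " $0
                found = 1
            }
        }
        END { if (!found) print "no overly broad state rules found" }
    '
}

printf '%s\n' "$SAMPLE_RULES" | audit_state_rules
```

Run against the sample, only the `NEW,RELATED,ESTABLISHED` rule is reported; the port-22 rule also matches NEW but is narrowed by `-p tcp --dport 22`, and the stock `ESTABLISHED,RELATED` rule is left alone because it only admits packets belonging to connections that an earlier, more specific rule already accepted.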