From: "Patrik Karén" <patrik.karen@home.se>
To: netfilter@lists.netfilter.org
Subject: Dropped fin acks (iptables + lvs)
Date: Wed, 24 Jan 2007 16:05:10 +0000
Message-ID: <163461433411784@lycos-europe.com>
Hi!
I am running iptables and lvs on two boxes loadbalancing http[s] and ssh traffic to two real servers.
Everything is working just fine from the user's point of view. However, I keep seeing a lot of dropped packets of type ack/fin and ack/rst in my iptables log. Seems like the connection tracking isn't working the way I expect it to. The iptables config in short is:
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -N Firewall-INPUT
$IPTABLES -A INPUT -j Firewall-INPUT
$IPTABLES -A FORWARD -j Firewall-INPUT
#This is the rule that should allow established connections, right?
$IPTABLES -A Firewall-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#The next rule allows everything from the inside. Since the above rule doesn't seem to work
#all replies from the webservers to the clients will be dropped if this rule is not in place.
$IPTABLES -A Firewall-INPUT -i eth1 -j ACCEPT
$IPTABLES -A Firewall-INPUT -d $VIP1_e -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
$IPTABLES -A Firewall-INPUT -d $VIP1_e -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
$IPTABLES -A Firewall-INPUT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level debug --log-prefix "drop: "
$IPTABLES -A Firewall-INPUT -j DROP
And in the log I get lots of this for each user session:
Jan 24 16:46:11 10.0.1.107 kernel: drop: IN=eth0 OUT= MAC=00:15:c5:ee:48:a7:00:04:de:18:18:00:08:00 SRC=<CLIENTIP> DST=<$VIP1_e> LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=28407 PROTO=TCP SPT=48404 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Why? Is there something about the connection tracking I'm not understanding?
If I do a 'cat /proc/net/ip_conntrack' on the director/fw, shouldn't I see connections between my external VIP and the clients IP? All I see there are connections between the director/fw and my webservers.
Any help would be much appreciated.
Regards,
Patrik
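As an added example (not part of Patrik's message and not netfilter project code): a small Python triage script for kernel LOG lines in the format quoted above. It splits each line into its key=value fields and bare TCP flag tokens, then counts drops by kind (FIN/RST teardown, bare SYN, mid-stream ACK) and by destination port, so one can confirm from a whole log file whether the dropped packets really are all end-of-session packets for otherwise working sessions, or whether new connection attempts are being dropped too. The embedded log lines are constructed in the same format with documentation addresses (RFC 5737) and a truncated MAC field; they are not real traffic.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of the "drop: " LOG output quoted in
# the message (placeholder MAC, documentation IP addresses); not real data.
SAMPLE_LOG = """\
Jan 24 16:46:11 10.0.1.107 kernel: drop: IN=eth0 OUT= MAC=00:15:c5:ee:48:a7:00:04:de:18:18:00:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=28407 PROTO=TCP SPT=48404 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jan 24 16:46:12 10.0.1.107 kernel: drop: IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=28408 PROTO=TCP SPT=48404 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 24 16:46:20 10.0.1.107 kernel: drop: IN=eth0 OUT= MAC=... SRC=198.51.100.9 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 24 16:46:21 10.0.1.107 kernel: drop: IN=eth0 OUT= MAC=... SRC=198.51.100.9 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
"""

# TCP flag names the LOG target prints as bare tokens (no '=').
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict.

    Returns the key=value fields (IN, SRC, DST, PROTO, SPT, DPT, ...), the
    log prefix as 'prefix', the TCP flags as a sorted tuple under 'flags',
    and any other bare tokens (e.g. the IP 'DF' bit) under 'ip_flags'.
    Returns None for lines that are not LOG output (no IN= field).
    """
    if " IN=" not in line:
        return None
    body = line.split("kernel: ", 1)[-1]          # drop syslog timestamp/host
    head, rest = body.split(" IN=", 1)            # head = user log-prefix
    rest = "IN=" + rest
    rec = {"prefix": head.strip()}
    rec.update(dict(FIELD_RE.findall(rest)))
    bare = [t for t in rest.split() if "=" not in t]
    rec["flags"] = tuple(sorted(t for t in bare if t in TCP_FLAGS))
    rec["ip_flags"] = tuple(t for t in bare if t not in TCP_FLAGS)
    return rec


def classify(rec):
    """Label a dropped packet by what the drop means for connection tracking.

    A lone SYN is a genuine new connection attempt that no rule accepted;
    FIN/RST packets are session teardown for a flow conntrack had no entry
    for; a plain ACK is a mid-stream packet of such a flow.
    """
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = set(rec["flags"])
    if flags == {"SYN"}:
        return "new-syn"
    if "FIN" in flags or "RST" in flags:
        return "teardown"
    if "ACK" in flags:
        return "mid-stream"
    return "other"


def summarize(log_text):
    """Count dropped packets by kind and by (kind, destination port)."""
    by_kind = Counter()
    by_kind_port = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        by_kind[kind] += 1
        by_kind_port[(kind, rec.get("DPT"))] += 1
    return by_kind, by_kind_port


if __name__ == "__main__":
    kinds, kind_ports = summarize(SAMPLE_LOG)
    for kind, n in kinds.most_common():
        print(f"{kind:11s} {n}")
    for (kind, dpt), n in sorted(kind_ports.items()):
        print(f"  {kind:11s} dport {dpt}: {n}")
```

Run it against a real syslog file by replacing SAMPLE_LOG with the file's contents; if every drop classifies as "teardown" the state rule is missing only the end of sessions it never saw, whereas "new-syn" entries for the published ports would point at the NEW rules themselves.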
Thread overview (5+ messages):
2007-01-24 16:05 Patrik Karén [this message]
2007-01-24 22:17 ` Dropped fin acks (iptables + lvs) Jan Engelhardt
2007-01-25 21:30 ` Patrik Karén
2007-01-27 16:19 ` Pascal Hambourg
Loose match on Subject:
2007-03-14 13:57 Klaas Jan Wierenga