NetFilter

Dropped fin acks (iptables + lvs)

To: netfilter@lists.netfilter.org
Subject: Dropped fin acks (iptables + lvs)
From: "Patrik Karén" <patrik.karen@home.se>
Date: Wed, 24 Jan 2007 16:05:10 +0000
Hi!

I am running iptables and lvs on two boxes loadbalancing http[s] and ssh 
traffic to two real servers.
Everything is working just fine from the user's point of view. However, I keep 
seeing a lot of dropped packets of type ack/fin and ack/rst in my iptables log. 
Seems like the connection tracking isn't working the way I expect it to. The 
iptables config in short is:

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -N Firewall-INPUT
$IPTABLES -A INPUT -j Firewall-INPUT
$IPTABLES -A FORWARD -j Firewall-INPUT
#This is the rule that should allow established connections, right?
$IPTABLES -A Firewall-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#The next rule allows everything from the inside. Since the above rule doesn't
#seem to work, all replies from the webservers to the clients will be dropped
#if this rule is not in place.
$IPTABLES -A Firewall-INPUT -i eth1 -j ACCEPT
$IPTABLES -A Firewall-INPUT -d $VIP1_e -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
$IPTABLES -A Firewall-INPUT -d $VIP1_e -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
$IPTABLES -A Firewall-INPUT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level debug --log-prefix "drop: "
$IPTABLES -A Firewall-INPUT -j DROP

And in the log I get lots of this for each user session: 
Jan 24 16:46:11 10.0.1.107 kernel: drop: IN=eth0 OUT= MAC=00:15:c5:ee:48:a7:00:04:de:18:18:00:08:00 SRC=<CLIENTIP> DST=<$VIP1_e> LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=28407 PROTO=TCP SPT=48404 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0

Why? Is there something about the connection tracking I'm not understanding?
If I do a 'cat /proc/net/ip_conntrack' on the director/fw, shouldn't I see 
connections between my external VIP and the clients IP? All I see there are 
connections between the director/fw and my webservers.

Any help would be much appreciated.

Regards,
Patrik

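As an added example, not from Patrik's post or the netfilter project: a small Python parser for the "drop: " LOG lines shown above, run over constructed sample lines in the same format (addresses, ports and MACs made up). It counts drops by TCP flag combination and destination port and separates tear-down segments (FIN/RST without SYN, the pattern the post describes) from plain SYN rejections, so you can check whether the logged drops are only end-of-connection stragglers.

```python
import re
from collections import Counter

# Constructed sample log, same format as the post's "drop: " lines; addresses,
# ports and MACs are made up for this example.
SAMPLE_LOG = """\
Jan 24 16:46:11 10.0.1.107 kernel: drop: IN=eth0 OUT= MAC=00:15:c5:ee:48:a7:00:04:de:18:18:00:08:00 SRC=198.51.100.23 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=28407 PROTO=TCP SPT=48404 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jan 24 16:46:12 10.0.1.107 kernel: drop: IN=eth0 OUT= MAC=00:15:c5:ee:48:a7:00:04:de:18:18:00:08:00 SRC=198.51.100.23 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=28408 PROTO=TCP SPT=48404 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 24 16:46:20 10.0.1.107 kernel: drop: IN=eth0 OUT= MAC=00:15:c5:ee:48:a7:00:04:de:18:18:00:08:00 SRC=192.0.2.77 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=5555 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 24 16:46:21 10.0.1.107 kernel: eth0: link is up
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
KV_RE = re.compile(r"(\w+)=(\S*)")
MARKER = "kernel: drop: "   # the --log-prefix used in the post's LOG rule

def parse_drop_line(line):
    """Return the KEY=VALUE fields of one 'drop: ' LOG line (plus a FLAGS set
    built from the bare tokens such as ACK FIN), or None for any other line."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    body = line[idx + len(MARKER):]
    fields = dict(KV_RE.findall(body))
    fields["FLAGS"] = frozenset(t for t in body.split() if "=" not in t and t in TCP_FLAGS)
    return fields

def summarize(log_text):
    """Count TCP drops by (flag combination, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_drop_line(line)
        if f is None or f.get("PROTO") != "TCP":
            continue
        counts[("/".join(sorted(f["FLAGS"])), f.get("DPT"))] += 1
    return counts

def teardown_drops(counts):
    """Keep only FIN or RST segments without SYN: packets belonging to a
    connection the state match no longer (or never) had an entry for, which is
    the pattern the post describes. SYN drops are ordinary policy rejections."""
    return {k: v for k, v in counts.items()
            if "SYN" not in k[0] and ("FIN" in k[0] or "RST" in k[0])}

if __name__ == "__main__":
    c = summarize(SAMPLE_LOG)
    for (flags, dpt), n in sorted(c.items()):
        print(f"{n:4d}  flags={flags:<8} dport={dpt}")
    print("tear-down drops:", sum(teardown_drops(c).values()))
```

Feed it `journalctl -k` or the syslog file the LOG target writes to; a high ratio of tear-down drops to SYN drops on the VIP ports is the symptom described in the post rather than a policy problem.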