Re: Dropped fin acks (iptables + lvs)

[Jan Engelhardt <jengelh@linux01.gwdg.de>]

>I am running iptables and lvs on two boxes loadbalancing http[s] and ssh 
>traffic to two real servers.
>Everything is working just fine from the users point of view. However, 
>I keep seeing a lot of dropped packets of type ack/fin and ack/rst in 
>my iptables log. Seems like the connection tracking isn't working the 
>way I expect it to. The iptables config in short is:

RST-ACK is received as a response to SYN to a closed port, and hence, is 
not part of a connection.

>#This is the rule that should allow established connections, right?
>$IPTABLES -A Firewall-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

>Jan 24 16:46:11 10.0.1.107 kernel: drop: IN=eth0 OUT= 
>MAC=00:15:c5:ee:48:a7:00:04:de:18:18:00:08:00 SRC=<CLIENTIP> 
>DST=<$VIP1_e> LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=28407 PROTO=TCP 
>SPT=48404 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0

The FIN-ACK case however looks worth looking into. I'd say do it without 
-m limit and see if _every_ connection ends up that way. Also use 
tcpdump to match sessions.


        -`J'
--