Jan Engelhardt skrev:
I am running iptables and lvs on two boxes loadbalancing http[s] and ssh
traffic to two real servers.
Everything is working just fine from the users point of view. However,
I keep seeing a lot of dropped packets of type ack/fin and ack/rst in
my iptables log. Seems like the connection tracking isn't working the
way I expect it to. The iptables config in short is:
RST-ACK is received as a response to SYN to a closed port, and hence, is
not part of a connection.
#This is the rule that should allow established connections, right?
$IPTABLES -A Firewall-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Jan 24 16:46:11 10.0.1.107 kernel: drop: IN=eth0 OUT=
MAC=00:15:c5:ee:48:a7:00:04:de:18:18:00:08:00 SRC=<CLIENTIP>
DST=<$VIP1_e> LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=28407 PROTO=TCP
SPT=48404 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0
The FIN-ACK case however looks worth looking into. I'd say do it without
-m limit and see if _every_ connection ends up that way. Also use
tcpdump to match sessions.
-`J'
Yes, the FIN-ACKs are the ones that bother me. There are lots of them,
but I don't know if they occur for every single tcp session.
I'm going to do some tcpdumping tomorrow on different interfaces to see
if I can find a pattern.
//Patrik
|