Mailing List Archive

[lvs-users] TCP Connection Sync Problems RHEL
Hi, all.

I'm currently testing a RHEL 6.5 based LVS Director setup for load
balancing SSH connections. I've used Debian directors for a number of
years, and they've worked great, but for some reason, the RHEL directors
aren't acting the way I'm expecting.

Basically I'm seeing two things:
- The backup director doesn't seem to be getting the client connection
info synchronized
- The connection info (e.g. the output of "ipvsadm -L -c") doesn't show
the connection closing. Instead it stays in "ESTABLISHED" state until
it times out.

I'm not really sure how to troubleshoot the second issue. So for now,
I'm focusing on the first, the one about the connection sync problem. I
did capture the packets between the two directors, using tcpdump, and
when I open the capture file in wireshark, I see "Connection Count: 0".
When I do a similar capture on my working Debian directors, I see
non-zero connection count, and the details of the specific connections,
in the wireshark analysis.

Any thoughts here? How do I go about finding the problem here? Should
I be looking at kernel code? ipvsadm code?

I'm using keepalived to manage this, so I'll include that .conf file
here, as well as example capture files from my working Debian setup, and
the non-working RHEL test setup. Note that the packet captures also
include the VRRP sync packets, but they can be ignored.

Both directors are basically stock RHEL 6.5, running kernel
2.6.32-431.17.1.el6.x86_64, keepalived-1.2.7, and ipvsadm-1.25.

If anyone can point me in the right direction on how to diagnose this,
I'd appreciate it.

Thanks,

--
Lloyd Brown
Systems Administrator
Fulton Supercomputing Lab
Brigham Young University
http://marylou.byu.edu
Re: [lvs-users] TCP Connection Sync Problems RHEL
Hi Lloyd,

Have you disabled SELinux on the RHEL hosts? By the way, also set the
firewall to accept everything (later, once everything is working, you
should of course set up a firewall again).

In which way does keepalived communicate between the two directors? Over
Ethernet or a serial cable?

best regards
Frank

Kind regards
Frank Kirschner

==============================
Frank Kirschner
IT Services
Celebrate Records GmbH
Am Birkenwaeldchen 2
09366 Stollberg
Germany
mail: frank@celebrate.de
web: www.celebrate.de
fon: +49 37296 9201 60
fax: +49 37296 9201 75
CEO: Carsten Haupt
USt ID: DE 812 617 147
Registered at Country Court Chemnitz
HRB ID: 16308
------------------------------
PGP-Key is available at pgp.mit.edu
------------------------------




_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] TCP Connection Sync Problems RHEL
Frank,

I hadn't thought about SELinux, but I'll check on that. I'm assuming
that the firewall isn't a problem, since I captured the packets on the
backup director. But I'll test both of those, and report back.

All the communication between servers (both keepalived's VRRP, and the
IPVS connection sync) is going over Ethernet. Since this is a test
environment, both directors (and the realserver) are actually VMWare
Virtual Machines.



Lloyd Brown
Systems Administrator
Fulton Supercomputing Lab
Brigham Young University
http://marylou.byu.edu

Re: [lvs-users] TCP Connection Sync Problems RHEL
Frank,

Okay. So disabling SELinux didn't seem to have any effect. But adding
iptables rules like these (from /etc/sysconfig/iptables), seemed to get
the connection information syncing between directors:

> #IPVS connection syncing for keepalived
> -A INPUT -d 224.0.0.81/32 -s 192.168.25.9/32 -j ACCEPT
> -A INPUT -d 224.0.0.81/32 -s 192.168.25.10/32 -j ACCEPT

In this state the connections are still getting stuck in the ESTABLISHED
state, instead of transitioning to FIN_WAIT. But when I flush the
iptables entirely ("iptables -F" or "service iptables stop"), they seem
to transition correctly.

In general, I don't like the idea of leaving the iptables completely
empty, so I guess I'll have to figure out what specific traffic is
getting blocked, that is causing the connections to get stuck in
ESTABLISHED. If anyone has any pointers on that one, I'd be glad to
hear it.

Thanks again for the help,

Lloyd Brown
Systems Administrator
Fulton Supercomputing Lab
Brigham Young University
http://marylou.byu.edu

Re: [lvs-users] TCP Connection Sync Problems RHEL
Okay. I'm not sure this is the best approach, but adding a simple
iptables rule for each of the VIPs, to accept any traffic, seems to fix
the issue of it being stuck in ESTABLISHED.

Thanks again for pointing me in the right direction. One of these days
I'll have to remember that tcpdump sees packets before iptables, while
everything else happens after iptables rules are applied.

For anyone else looking at this thread in the archives, here's the total
list of modifications in the /etc/sysconfig/iptables, from the stock
RHEL 6.5 setup, that seem to get it working; be sure to substitute in
the correct values for DIR1IP, DIR2IP, VIP1, and VIP2:

> #VRRP multicast for keepalived
> -A INPUT -d 224.0.0.18/32 -s DIR1IP/32 -j ACCEPT
> -A INPUT -d 224.0.0.18/32 -s DIR2IP/32 -j ACCEPT
> #IPVS connection syncing for keepalived
> -A INPUT -d 224.0.0.81/32 -s DIR1IP/32 -j ACCEPT
> -A INPUT -d 224.0.0.81/32 -s DIR2IP/32 -j ACCEPT
> #All connections for virtual IPs (VIP1 and VIP2)
> -A INPUT -d VIP1/32 -j ACCEPT
> -A INPUT -d VIP2/32 -j ACCEPT



Lloyd Brown
Systems Administrator
Fulton Supercomputing Lab
Brigham Young University
http://marylou.byu.edu

Re: [lvs-users] TCP Connection Sync Problems RHEL
You shouldn't need anything beyond:

-A INPUT -p vrrp -j ACCEPT

to get keepalived communication working. To allow VRRP traffic for the
Keepalived service to function:

# /sbin/iptables -I INPUT -p vrrp -j ACCEPT
# /sbin/service iptables save

one could also tighten down the source and destination as well. Also,
since this is RHEL, please feel free to reach out to your Red Hat
support representatives in case there is something else that needs
investigating in your particular environment.

--
Thanks,
Brandon
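As an added example (not code from the thread, keepalived or ipvsadm), the following POSIX shell script audits an iptables-save style rule set, the format of /etc/sysconfig/iptables, for the three classes of INPUT rules Lloyd's list above works out, with the VRRP match tightened to the protocol as Brandon suggests. The rule sets in it are constructed; DIR1IP, DIR2IP, VIP1 and VIP2 are the thread's placeholders, and the UDP port 8848 in the sync rule is the IPVS sync daemon's default, which is general IPVS knowledge rather than something the thread states.

```shell
#!/bin/sh
# Audit an iptables-save style rule set (the /etc/sysconfig/iptables format on
# RHEL 6) for the INPUT rules an LVS director running keepalived needs:
#   - VRRP advertisements to 224.0.0.18 (IP protocol vrrp, number 112)
#   - IPVS connection-sync multicast to 224.0.0.81 (UDP, default port 8848;
#     the port is general IPVS knowledge, the thread does not name it)
#   - client traffic to the VIPs
# Everything below is constructed sample data; DIR1IP, DIR2IP, VIP1 and VIP2
# are the same placeholders the thread uses.

# Roughly the stock RHEL 6 filter table: established/related traffic, ICMP,
# loopback and new SSH connections are admitted, everything else is rejected.
STOCK_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# The thread's working additions, inserted ahead of the catch-all REJECT and
# tightened to protocol (and port, for the sync daemon) while still limited to
# the peer director's address.
FIXED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p vrrp -s DIR1IP/32 -d 224.0.0.18/32 -j ACCEPT
-A INPUT -p vrrp -s DIR2IP/32 -d 224.0.0.18/32 -j ACCEPT
-A INPUT -p udp -m udp -s DIR1IP/32 -d 224.0.0.81/32 --dport 8848 -j ACCEPT
-A INPUT -p udp -m udp -s DIR2IP/32 -d 224.0.0.81/32 --dport 8848 -j ACCEPT
-A INPUT -d VIP1/32 -j ACCEPT
-A INPUT -d VIP2/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# input_accepts RULES REGEX: succeed if an "-A INPUT ... -j ACCEPT" rule whose
# text matches the awk regular expression REGEX appears before the first
# catch-all REJECT/DROP in INPUT. A rule appended behind that catch-all loads
# without complaint and is never reached, so it does not count.
input_accepts() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "-A" && $2 == "INPUT" {
            if ($0 ~ / -j ACCEPT( |$)/ && $0 ~ want) { found = 1; exit }
            if ($0 ~ /^-A INPUT -j (REJECT|DROP)( |$)/) { exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# audit_director_rules RULES VIP...: report each traffic class that lacks an
# effective ACCEPT; the return code is the number of missing classes.
audit_director_rules() {
    rules=$1; shift
    missing=0
    input_accepts "$rules" '-p (vrrp|112) |-d 224.0.0.18(/32)? ' ||
        { echo "MISSING: VRRP advertisements (224.0.0.18, protocol vrrp)"; missing=$((missing + 1)); }
    input_accepts "$rules" '-d 224.0.0.81(/32)? ' ||
        { echo "MISSING: IPVS connection sync multicast (224.0.0.81)"; missing=$((missing + 1)); }
    for vip in "$@"; do
        input_accepts "$rules" "-d $vip(/32)? " ||
            { echo "MISSING: client traffic to VIP $vip"; missing=$((missing + 1)); }
    done
    return "$missing"
}

main() {
    echo "== stock RHEL 6 rule set =="
    audit_director_rules "$STOCK_RULES" VIP1 VIP2 || echo "-> $? class(es) missing"
    echo "== with the thread's additions =="
    audit_director_rules "$FIXED_RULES" VIP1 VIP2 && echo "-> all present"
    return 0
}
main
```

To see what a live rule set is actually rejecting, a capture does not help, since tcpdump sees packets before the filter table as Lloyd notes; a `-j LOG` rule placed immediately before the catch-all REJECT, or the per-rule packet counters from `iptables -L INPUT -v -n`, shows it directly.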
Re: [lvs-users] TCP Connection Sync Problems RHEL
Brandon,

I agree that I could probably simplify the iptables rules. But the VRRP
communication was already solved before I opened this thread. The
problem that I started this thread for had more to do with the IPVS
connection synchronization and the connection status.
While both communication mechanisms are initiated by keepalived, in this
case they're distinct from each other and have different transmission
characteristics, etc.


Lloyd Brown
Systems Administrator
Fulton Supercomputing Lab
Brigham Young University
http://marylou.byu.edu

Re: [lvs-users] TCP Connection Sync Problems RHEL
Lloyd,

Hmm, it's a senseless duplicate, but can you please try out what happens
if you add this as the first line:

# /sbin/iptables -I INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# /sbin/service iptables save

Do you have any OUTPUT rules in your iptables set?
After disabling SELinux, did you reboot the system?

hope that helps,
best regards
Frank



Re: [lvs-users] TCP Connection Sync Problems RHEL
On 07/30/2014 01:44 AM, Frank Kirschner wrote:
> Lloyd,
>
> Hmm, it's a senseless duplicate, but can you please try out what happens
> if you add this as the first line:
>
> # /sbin/iptables -I INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> # /sbin/service iptables save


Frank,

I can try it, but I'm not sure what you're expecting to see. I have a
working setup, so without understanding what you're expecting to happen,
I'm not sure what to look for.

And there is already this one in the stock setup:

> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

While it's not exactly the same, the only difference would be the "NEW"
flag. I'm not sure what benefit that would be, other than accepting all
new connections (if I'm understanding the flag correctly). While this
would probably work for at least some of the stuff I'm doing, it seems
excessively open. I could also flush all the tables (iptables -F), and
get it working, but it doesn't mean I want to leave my server quite so
open and unprotected.



>
> Do you have any OUTPUT rules in your iptables set?

Nope. I've checked all 4 tables (raw, mangle, nat, filter) that I can
find that have an OUTPUT chain, and there doesn't seem to be anything in
any of them. I certainly hadn't done it on purpose, and it doesn't seem
to be a part of the stock RHEL setup.


> After disabling SELinux, did you reboot the system?

Yes. You do need to reboot to disable SELinux. And I did. And it
didn't have any effect, as far as I could tell.

>
> hope that helps,
> best regards
> Frank

Re: [lvs-users] TCP Connection Sync Problems RHEL

On 07/30/2014 04:35 PM, Lloyd Brown wrote:
>> After disabling SELinux, did you reboot the system?
>
> Yes. You do need to reboot to disable SELinux. And I did. And
> it didn't have any effect, as far as I could tell.

Hi, that is not entirely true. One can disable SELinux at runtime for
quite a while now:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-sel-enable-disable-enforcement.html


Best,

Timo


Re: [lvs-users] TCP Connection Sync Problems RHEL

Sorry, I had not seen the ESTABLISHED,RELATED line at the front of your
firewall rule set.
I wanted to be safe and have all states (including NEW) in that rule.

best regards
Frank

