
[lvs-users] Blocking LVS probes with iptables
I want a realserver to temporarily tell the load balancer to not
send new connections, but to keep old connections. This seems to
work, is it OK?

LB_dip=111.22.33.44/31 # Load balancer - director
iptables -A INPUT -i eth0 -s $LB_dip -p tcp --syn -j REJECT \
-m time --datestop 2017-11-20T18:30

Tunneling/Direct routing. LVS probes just connect and disconnect.

I don't remember why the --syn is there, maybe we should drop it
for simplicity. The --datestop is because we'll forget to unblock
probes someday, and then we'd wonder why the server doesn't work.

Should make an IPv6 version too.



Full "minimal" iptables, interested in nothing but load balancing:

LB_dip=111.22.33.44/31 # Load balancer - director
LB_vip=111.22.33.55 # Load balancer - virtual IP address

# Handle most of the traffic early. Not needed with these minimal rules.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Let through tunnel traffic from load balancer
-A INPUT -i eth0 -s $LB_dip -p 4 -j ACCEPT
-A INPUT -i tunl0 -j ACCEPT

# LB_hook is usually empty
-N LB_hook
-A INPUT -j LB_hook
# Temporarily blocking new connections from load balancer.
-A LB_hook -i eth0 -s $LB_dip -p tcp --syn -j REJECT \
-m time --datestop 2017-11-20T18:30

# Drop ipip tunnel traffic from anywhere other than $LB_dip
-A INPUT -p 4 -j DROP

# Keep packets small enough to fit in a tunneled packet
-A OUTPUT -s $LB_vip -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,ACK \
-j TCPMSS --set-mss 1440

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] Blocking LVS probes with iptables
On 20.11.2017 at 15:38, Hallvard Breien Furuseth wrote:
> I want a realserver to temporarily tell the load balancer to not
> send new connections, but to keep old connections. This seems to
> work, is it OK?

Why don't you just set its weight to zero?



Kind regards,

--

sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board of directors: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
Re: [lvs-users] Blocking LVS probes with iptables
On 20/11/17 15:55, Michael Schwartzkopff wrote:
> On 20.11.2017 at 15:38, Hallvard Breien Furuseth wrote:
>> I want a realserver to temporarily tell the load balancer to not
>> send new connections, but to keep old connections. This seems to
>> work, is it OK?
>
> Why don't you just set its weight to zero?


Then I'd have to mail the people running the load balancer.
Or am I missing some existing protocol which lets me do this?

Anyway, it seems simpler and cleaner if the realserver's state vs.
the load balancer is kept fully on the realserver - if iptables is a
clean solution, anyway:-) E.g. in the shutdown script, to disturb
clients as little as possible when taking a realserver down:

1. Block LVS probes temporarily.
2. Wait at least until the load balancer has noticed this, so new
clients won't get failed connections to this server, and short-lived
clients get a chance to finish without losing connections.
3. Shutdown / reboot / whatever.

--
Hallvard

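The probe-blocking rule from the first post and the block / wait / shut down procedure from the last one, put together as an added example. This is not code from the thread or from the LVS project. It reuses the director and VIP addresses the poster gave, assumes the LB_hook chain already exists as in his ruleset, treats the IPv6 director address and the default wait times as constructed placeholders, and relies on GNU date and iproute2 ss.

```sh
#!/bin/sh
# Added example: drain a realserver behind an LVS director (tunnel/DR) as the
# thread describes. Reject the director's probe SYNs for a bounded time so a
# forgotten rule expires by itself, wait for established client connections to
# the VIP to finish, then hand control back to the caller's shutdown.

LB_dip=${LB_dip:-111.22.33.44/31}      # director address, from the thread
LB_vip=${LB_vip:-111.22.33.55}         # virtual IP, from the thread
LB_dip6=${LB_dip6:-2001:db8::1/127}    # constructed placeholder, not from the thread
DRAIN_HOURS=${DRAIN_HOURS:-2}          # longest the probe block may live
MIN_WAIT=${MIN_WAIT:-60}               # assumed probe interval: wait at least this long

# Print the probe-blocking rule for address family 4 or 6. Printing rather
# than executing keeps the exact text available for logging and for removal
# with the same arguments and -D instead of -A.
# Caveat: -m time compares --datestop against UTC unless --kerneltz is added.
probe_block_rule() {
    family=$1 dip=$2 datestop=$3
    case $family in
        4) bin=iptables ;;
        6) bin=ip6tables ;;
        *) echo "probe_block_rule: unknown family '$family'" >&2; return 1 ;;
    esac
    printf '%s -A LB_hook -i eth0 -s %s -p tcp --syn -j REJECT -m time --datestop %s\n' \
        "$bin" "$dip" "$datestop"
}

# Format an epoch second in the YYYY-MM-DDThh:mm form -m time expects (UTC).
# Uses GNU date's -d @EPOCH.
datestop_from_epoch() {
    date -u -d "@$1" +%Y-%m-%dT%H:%M
}

# Count established TCP connections whose local address is the VIP, reading
# 'ss -Hnt state established' output on stdin (columns: Recv-Q Send-Q
# Local:Port Peer:Port). Sessions to the real address (e.g. SSH) are ignored.
count_established_to_vip() {
    awk -v vip="$1:" 'index($3, vip) == 1 { n++ } END { print n + 0 }'
}

# Constructed sample of ss output, for exercising the counter offline.
SAMPLE_SS='0      0      111.22.33.55:80       203.0.113.7:51234
0      0      111.22.33.55:443      198.51.100.9:40022
0      0      10.0.0.5:22           10.0.0.9:55000'

# Steps 1 and 2 of the procedure: block probes, wait for the director to
# notice, then poll until no client connections to the VIP remain or the
# deadline passes. Returns 0 when drained, 1 on timeout.
drain() {
    deadline=$(( $(date +%s) + DRAIN_HOURS * 3600 ))
    stop=$(datestop_from_epoch "$deadline")
    eval "$(probe_block_rule 4 "$LB_dip" "$stop")"
    eval "$(probe_block_rule 6 "$LB_dip6" "$stop")"
    sleep "$MIN_WAIT"
    while [ "$(date +%s)" -lt "$deadline" ]; do
        n=$(ss -Hnt state established | count_established_to_vip "$LB_vip")
        [ "$n" -eq 0 ] && return 0
        sleep 10
    done
    return 1
}

# Run only when invoked as 'drain.sh drain'; sourcing the file is harmless.
case ${1-} in
    drain) drain && echo "drained, safe to shut down" ;;
esac
```

The rule is generated once and then both added and, if needed, deleted with the same text, which avoids the leftover-rule problem the poster worried about even before the --datestop expires. Because the kernel evaluates the time match in UTC, a local-time --datestop in a script is off by the zone offset unless --kerneltz is passed.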