[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Rejecting connections to from eth0


Turbo Fredriksson a écrit :
> I get a lot of port scans to and they MUST be comming
> from eth0!
> I thought that rules like this should suffice, but it doesn't
> seem like it does:
> ----- s n i p -----
> # Setting up connections to via external interface
> /sbin/iptables -A INPUT -i eth0 -d -j REJECT --reject-with tcp-reset --protocol tcp
> /sbin/iptables -A INPUT -i eth0 -d -j DROP --protocol udp
> ----- s n i p -----
One point : There is a case where you'll want to ACCEPT this - certainly
weird - traffic to at eth0 :

If you are using IPVS to load-balance your traffic, it often doesn't
work when the real server itself want to access your load-balanced service.
To solve this, it's common to use
    iptables -I OUTPUT -d <your_load_balanced_ip> -j REDIRECT
So that the traffic going to the load-balanced ip address from your real
backend servers will be redirected to the local address.
I found that this case create strange packets whose destination is and incoming interface is eth0 ...
So the firewall rule up there should not be used on a real-server behind
an ipvs load-balancer.
    (it took me 1 hour to find the reason why this redirect didn't work
... )

Benjamin Sonntag

Reply to: