Hi,
I am struggling with how to create appropriate rules for dealing with IPVS
IPIP encapsulated traffic. I would like to achieve the following:
- divide certain networks into named definitions and of varying categories
(e.g. our own networks, customer networks, etc.)
- allow these networks directly to certain services
- allow the same networks to certain load balanced services (using IPVS
TUN)
I have two load balancers each running keepalived/IPVS, as well as the real
services.
I have used zones and hosts to define named groups of services. As each
server has an outward and an inward facing NIC, I have defined "ext" and
"int" zones accordingly, along with zones named admin and customer (with
appropriate networks listed in hosts).
What I would like to achieve would be a chain where I can open for traffic
based on original src and real destination (a VIP on the respective
server); however, what I get instead is the unencapsulated IPIP traffic in
the ext chain (with src = the other load balancer in the pair and dst = this
server), where it drops through all the rules and gets rejected.
As I have been trawling through both the Shorewall docs and Google to no
avail, I was wondering if anyone could point me to the correct place to
continue digging? Any specific help would of course be greatly appreciated
- please let me know what further information I can supply.
Best regards
Jan
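An illustrative Shorewall configuration for the setup described above, added here as an example and not part of the original message or any reply. The peer load balancer address 192.0.2.2, the customer network 203.0.113.0/24, the VIP 198.51.100.10, the zone name lbtun and the interface tunl0 are assumed placeholders. The idea is to accept the outer IPIP packets (protocol 4) only from the peer in the ext zone, and to put the decapsulated inner packets, which the kernel delivers on tunl0, into their own zone so that rules can match the original client source and the VIP.

```text
# /etc/shorewall/zones   (constructed example; zone names are assumptions)
#ZONE   TYPE
fw      firewall
ext     ipv4
int     ipv4
lbtun   ipv4      # decapsulated IPVS TUN traffic as seen on tunl0

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
ext     eth0
int     eth1
lbtun   tunl0

# /etc/shorewall/rules
#ACTION  SOURCE                DEST                PROTO   DPORT
# Outer packets: IPIP (protocol 4) from the peer load balancer only.
# (An /etc/shorewall/tunnels line "ipip ext 192.0.2.2" is the equivalent form.)
ACCEPT   ext:192.0.2.2         $FW                 ipip
# Inner packets, now on tunl0: original client src, VIP as dst.
ACCEPT   lbtun:203.0.113.0/24  $FW:198.51.100.10   tcp     80,443
```

Because replies leave directly through the ext interface rather than back through the tunnel, reverse path filtering on tunl0 usually has to be disabled for the inner packets to be accepted at all.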
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users