Well :) that is a good question - desired by who :)

ACLs are applied on routed traffic (i.e. traffic between networks), so
here it's simply not applicable - you connect to a LOCAL port/service on the VR
(imagine port 22 as in my example, but otherwise default rules are all
DENY, so you can't access haproxy if you just, i.e., manually install and
configure a haproxy listener on port 22 - but when you do it via the GUI, an
additional rule is added to iptables to actually allow this connection (to
port 22 = "-A INPUT -d 185.39.xxx.yyy/32 -p tcp -m tcp --dport 22 -m
state --state NEW -j ACCEPT")

So if you enabled LB services on a specific port, ACS will make sure it's
allowed inside iptables...
For inter-network traffic, you use the classic ACL.

Hope that helps

Andrija

On 14 February 2018 at 11:34, S. Reddit <[email protected]> wrote:

> Hi Andrija
>
> Wow - thanks for the in-depth analysis! I already suspected HAProxy services
> were not hitting the iptables chain.
>
> Thanks for clarification, I see that the behaviour is EXPECTED, is it also
> DESIRED?
>
> Regards,
> Samuel
>
-- 

Andrija Panić
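Added example (not part of the thread above, nor CloudStack's own code): a small audit script that compares the HAProxy listeners on a VR against the iptables INPUT ACCEPT rules described above, so a listener that was configured by hand (and is therefore still hit by the default DENY) shows up. It assumes haproxy.cfg "bind ip:port" lines and iptables-save output; the embedded config and rule set are constructed samples, and the /etc/haproxy/haproxy.cfg path in the comment is an assumption about the VR.

```shell
#!/bin/sh
# Audit: which HAProxy listener ports lack a matching iptables INPUT ACCEPT rule?
# Constructed sample haproxy.cfg: port 22 added via the GUI, port 8080 added by hand.
SAMPLE_HAPROXY_CFG='global
    daemon
listen 203_0_113_10-22
    bind 203.0.113.10:22
    mode tcp
listen 203_0_113_10-8080
    bind 203.0.113.10:8080
    mode tcp
'
# Constructed sample iptables-save output (same rule shape as in the thread).
SAMPLE_IPTABLES_SAVE='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
'

# Print "ip port" for every "bind ip:port" line of a haproxy config read on stdin.
haproxy_listeners() {
    awk '$1 == "bind" { n = split($2, a, ":"); if (n == 2) print a[1], a[2] }'
}

# Print "ip port" for every INPUT rule (stdin, iptables-save format) that ACCEPTs
# a tcp --dport; a rule without -d applies to any destination and is printed as "*".
iptables_input_accepts() {
    awk '$1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
        ip = "*"; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-d") { ip = $(i + 1); sub(/\/32$/, "", ip) }
            if ($i == "--dport") port = $(i + 1)
        }
        if (port != "") print ip, port
    }'
}

# $1 = haproxy.cfg text, $2 = iptables-save text. Prints "ip:port" for each
# listener that no INPUT ACCEPT rule covers, i.e. traffic the default policy drops.
unreachable_listeners() {
    {
        printf '%s' "$2" | iptables_input_accepts | sed 's/^/A /'
        printf '%s' "$1" | haproxy_listeners     | sed 's/^/L /'
    } | awk '$1 == "A" { ok[$2 " " $3] = 1; next }
             $1 == "L" && !(($2 " " $3) in ok) && !(("* " $3) in ok) { print $2 ":" $3 }'
}

# On a real VR (assumed paths): unreachable_listeners "$(cat /etc/haproxy/haproxy.cfg)" "$(iptables-save)"
unreachable_listeners "$SAMPLE_HAPROXY_CFG" "$SAMPLE_IPTABLES_SAVE"
```

Run on the constructed samples it reports only 203.0.113.10:8080, the hand-configured listener that iptables never opened.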
