LinuxQuestions.org

Firewall Question (https://www.linuxquestions.org/questions/linux-newbie-8/firewall-question-731526/)

justemail 06-08-2009 07:09 PM

Firewall Question
 
I have set up an LVS system. I just want to display a web page to see if my LVS configuration is working. However, when I try to display a test web site (http://www.tib.com), it times out. On the Virtual Server, there is no error in /var/log/httpd/access-log, /var/log/messages or /var/log/piranha/piranha.

I am getting suspicious that the firewall on the Virtual Server is blocking the web query!

Can somebody look at the "iptables" list (see below) and tell me if it is blocking the web query or not? FYI, I have not changed the iptables after setting up the LVS except for opening the HTTP port. In the LVS documentation there is a mention of "Firewall Marks" but I am not using them yet.

Please help.

[root@vs1 ~]# /sbin/service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2049
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
12 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

[root@vs1 ~]#

---------
lvs.cf
serial_no = 17
primary = 65.103.190.106
primary_private = 192.168.1.1
service = lvs
backup_active = 1
backup = 65.103.190.108
backup_private = 192.168.1.2
heartbeat = 1
heartbeat_port = 539
keepalive = 6
deadtime = 18
network = nat
nat_router = 192.168.1.254 eth1:1
nat_nmask = 255.255.255.0
debug_level = NONE
monitor_links = 0
syncdaemon = 0
virtual HTTP {
active = 1
address = 65.103.190.107 eth0:1
vip_nmask = 255.255.255.248
port = 80
send = "GET / HTTP/1.0\r\n\r\n"
expect = "HTTP"
use_regex = 0
load_monitor = none
scheduler = wlc
protocol = tcp
timeout = 6
reentry = 15
quiesce_server = 0
server rs1 {
address = 192.168.1.10
active = 1
weight = 1000
}
}

JulianTosh 06-09-2009 12:17 AM

You can see for yourself with the command:
iptables -L -v --line-numbers

It shows you counts for each rule. Hit the service a couple times and if you see the counter incrementing, you know it's blocking.

I suspect that rules 8 and 11 in your RH-Firewall-1-INPUT chain are allowing the traffic.
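The counter check JulianTosh describes is easy to do by eye on a short chain, but it is also easy to misread when the chain is long or when several rules move at once. The script below is an added example (not code from the thread or from the iptables project): it parses two snapshots of `iptables -L -v -n --line-numbers` output, taken before and after hitting the service, and reports which rules saw new packets and whether any of those were REJECT or DROP rules. The two snapshots embedded in it are constructed to resemble the RH-Firewall-1-INPUT chain in the question; they are not real captures from the poster's host.

```python
"""Diff per-rule packet counters between two `iptables -L -v -n --line-numbers`
snapshots to see which rules a test request actually matched.
Added example; the listings below are constructed, not captured."""
import re

# "Chain RH-Firewall-1-INPUT (2 references)" / "Chain INPUT (policy ACCEPT)"
CHAIN_RE = re.compile(r"^Chain\s+(\S+)\s+\(")
# Verbose rule line: num pkts bytes target prot opt in out source destination [extras]
# (assumes every rule has a target; a rule written without -j would have an empty column)
RULE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<pkts>\d+[KMGT]?)\s+(?P<bytes>\d+[KMGT]?)\s+"
    r"(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*?)\s*$"
)
# Without -x, iptables abbreviates large counters (12K, 3M, ...); expand them.
MULT = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}


def parse_count(token):
    """Turn a counter token such as '120' or '12K' into an integer."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", token)
    if m is None:
        raise ValueError(f"unrecognised counter {token!r}")
    return int(m.group(1)) * MULT[m.group(2)]


def parse_listing(text):
    """Return {chain_name: {rule_number: {'pkts', 'target', 'desc'}}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {}
            continue
        # skip blank lines, the column header, and anything before the first chain
        if current is None or not line.strip() or line.lstrip().startswith("num"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"cannot parse rule line: {line!r}")
        desc = f"{m['prot']} {m['src']} -> {m['dst']} {m['extra']}".strip()
        chains[current][int(m["num"])] = {
            "pkts": parse_count(m["pkts"]), "target": m["target"], "desc": desc}
    return chains


def rules_that_matched(before_text, after_text):
    """List (chain, num, target, new_packets, desc) for rules whose counter grew."""
    before, after = parse_listing(before_text), parse_listing(after_text)
    hits = []
    for chain, rules in after.items():
        for num, rule in rules.items():
            prev = before.get(chain, {}).get(num)
            # If the rule text changed, the chain was edited between snapshots
            # and rule numbers no longer line up; do not compare the counters.
            if prev is None or (prev["target"], prev["desc"]) != (rule["target"], rule["desc"]):
                continue
            delta = rule["pkts"] - prev["pkts"]
            if delta > 0:
                hits.append((chain, num, rule["target"], delta, rule["desc"]))
    return sorted(hits)


def blocking_rules(hits):
    """The subset of matched rules that would have discarded the packets."""
    return [h for h in hits if h[2] in ("REJECT", "DROP")]


# Constructed snapshots (a subset of the chain in the question), before and
# after sending three HTTP requests to the virtual IP.
BEFORE = """\
Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1       40  3200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
8      120 15000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
11       2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
12       7   420 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""
AFTER = """\
Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1       40  3200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
8      160 20000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
11       5   300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
12       7   420 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

if __name__ == "__main__":
    hits = rules_that_matched(BEFORE, AFTER)
    for chain, num, target, delta, desc in hits:
        print(f"{chain} rule {num}: {target:<7} +{delta} pkts  ({desc})")
    blocked = blocking_rules(hits)
    print("firewall dropped test traffic" if blocked else "no REJECT/DROP rule matched")
```

To take real snapshots, run `iptables -L -v -n -x --line-numbers` on the director before and after the test requests; `-x` prints exact counters instead of the abbreviated K/M form, and `-n` stops iptables from doing reverse DNS lookups that would slow the listing down. Because RH-Firewall-1-INPUT is reached from both INPUT and FORWARD, its counters add up both paths, so for an LVS NAT director it is worth listing all chains and watching which of INPUT or FORWARD moves as well. In the constructed data above only the two ACCEPT rules grow, which is the outcome JulianTosh expects for rules 8 and 11; a growing REJECT counter on rule 12 would point the other way.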

