Built into the Linux kernel is a firewall facility called
ipchains. When Load Balancer and ipchains run concurrently, Load Balancer
sees packets first, followed by ipchains. This allows the use of ipchains
to harden a Linux Load Balancer machine, which could be, for example,
a Load Balancer machine that is used to load balance firewalls.
About this task
In general, an appropriate ipchains strategy for the Load
Balancer machines is to disallow all traffic, except that which is
to or from the back-end servers, the partner high availability Load
Balancer, any reach targets, or any configuration hosts.
It is not recommended to activate iptables when running
Load Balancer on Linux kernel version 2.4.10.x. Activation on this
Linux kernel version can result in performance degradation over time.
Procedure
- To activate iptables or ipchains, configure them to be
completely restricted, so that no inbound or outbound traffic is permitted.
The packet-forwarding portion of Load Balancer continues to function
normally.
Some additional traffic must be permitted
for all of Load Balancer to function properly. Some examples of this
communication are:
- Advisors communicate between the Load Balancer machine and the
back-end servers.
- Load Balancer pings back-end servers, reach targets, and high
availability partner Load Balancer machines.
- User interfaces (graphical user interface, command line, and wizards)
use RMI.
- Back-end servers must respond to pings from the Load Balancer
machine.
- To deactivate iptables:
- List the modules which are using ip_tables and ip_conntrack.
Issue the following command:
lsmod
- Remove them by issuing the following commands:
rmmod ip_tables
rmmod ip_conntrack
When you reboot the machine, these
modules are loaded again, so you must repeat these steps after each
reboot.
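The restrict-then-permit strategy described above, as an added example that is not part of this documentation: a shell script that emits the iptables commands for a fully restricted host that only talks to its back-end servers, high availability partner, reach targets, and configuration hosts. The addresses are constructed placeholders, and the protocol allowed for each host class is an assumption to be checked against the advisors and ports in your own configuration.

```shell
# Added example (not from the Load Balancer documentation): generate a
# deny-all iptables policy that permits only Load Balancer peers.
# All addresses below are constructed placeholders.
BACKENDS="192.0.2.10 192.0.2.11"   # back-end servers (advisors, pings)
HA_PARTNER="192.0.2.2"             # partner high availability Load Balancer
REACH_TARGETS="192.0.2.1"          # reach targets the Load Balancer pings
CONFIG_HOSTS="198.51.100.5"        # hosts running the RMI user interfaces

# Emit ACCEPT rules in both directions for one host.
# $1 = address, $2 = optional extra match such as "-p icmp" (assumed
# sufficient for reach targets; empty allows every protocol).
allow_peer() {
    echo "iptables -A INPUT -s $1${2:+ $2} -j ACCEPT"
    echo "iptables -A OUTPUT -d $1${2:+ $2} -j ACCEPT"
}

# Print the complete ruleset. Inspect it first, then pipe it to sh to apply.
# Only INPUT and OUTPUT are restricted; Load Balancer's own packet
# forwarding is unaffected by these filter rules.
lb_firewall_rules() {
    echo "iptables -F INPUT"
    echo "iptables -F OUTPUT"
    echo "iptables -P INPUT DROP"          # default: nothing in
    echo "iptables -P OUTPUT DROP"         # default: nothing out
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    for h in $BACKENDS $HA_PARTNER; do
        allow_peer "$h" ""                 # advisors, pings, HA heartbeat
    done
    for h in $REACH_TARGETS; do
        allow_peer "$h" "-p icmp"          # reach targets only need ping
    done
    for h in $CONFIG_HOSTS; do
        allow_peer "$h" "-p tcp"           # RMI uses TCP, ports vary
    done
}

# Number of ACCEPT rules the policy adds (useful as a sanity check
# before applying: every peer should account for exactly two rules).
rule_count() {
    lb_firewall_rules | grep -c '^iptables -A'
}
```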