netfilter SYNPROXY with LVS NAT

Since version 3.12 of the Linux kernel, the netfilter subsystem has included a SYNPROXY target, which handles SYN packets at far lower cost than the full TCP stack and so gives much greater resilience in the face of SYN flood attacks.

While there is plenty of information online about how to protect against SYN floods using this target in the INPUT and FORWARD chains of a Linux system, there is an undesirable interaction with the NAT mode of the Linux Virtual Server (LVS) load balancer.

By default, if packets are directed to the SYNPROXY target in the INPUT chain of an LVS-NAT director, a SYN / SYN-ACK loop between connecting clients and the director results, and packets are not forwarded on to the real servers behind the director.

The solution is to enable the vs_nfct module so that LVS replicates its connection tracking state into netfilter:

sysctl -w net.ipv4.vs.conntrack=1

Once this option is enabled SYNPROXY should work as normal with LVS in NAT mode.
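As an added example (not from the original note), the script below emits the sysctl settings and iptables rules for SYN-proxying one virtual service on an LVS-NAT director, with the net.ipv4.vs.conntrack setting from above alongside the usual SYNPROXY rules. The VIP 192.0.2.10, port 80 and interface eth0 are assumed values; the SYNPROXY options (--sack-perm, --timestamp, --wscale, --mss) are the standard ones from the iptables-extensions documentation and should be matched to what the real servers advertise.

```shell
#!/bin/sh
# Added example, not the original page's code: generate the kernel and
# iptables configuration for SYNPROXY in front of an LVS-NAT virtual service.
# VIP, port and interface below are assumptions; adjust for your director.

lvs_synproxy_rules() {
    vip="$1"; port="$2"; iface="${3:-eth0}"
    cat <<EOF
# Kernel side: SYNPROXY relies on SYN cookies and TCP timestamps
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_timestamps=1
# Do not pick up mid-stream connections; SYNPROXY needs to see every handshake
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
# LVS side: replicate IPVS connection state into nf_conntrack so the flow
# SYNPROXY set up and the flow IPVS forwards are one and the same
sysctl -w net.ipv4.vs.conntrack=1
# Raw SYNs to the VIP are left untracked; SYNPROXY answers them statelessly
iptables -t raw -A PREROUTING -i $iface -p tcp -d $vip --dport $port --syn -j CT --notrack
# Untracked SYNs and the client's cookie-carrying ACK (INVALID) go to the proxy
iptables -A INPUT -i $iface -p tcp -d $vip --dport $port -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
# Whatever is still INVALID after the proxy is flood noise; drop it
iptables -A INPUT -i $iface -p tcp -d $vip --dport $port -m conntrack --ctstate INVALID -j DROP
EOF
}

# Default: print the commands for review. "apply" runs them (needs root).
case "${1:-print}" in
    apply) lvs_synproxy_rules 192.0.2.10 80 eth0 | grep -v '^#' | sh -e ;;
    *)     lvs_synproxy_rules 192.0.2.10 80 eth0 ;;
esac
```

The raw-table CT --notrack rule is what keeps the SYN flood cheap: no conntrack entry is created until SYNPROXY has validated the client's cookie, and only then does a tracked connection reach IPVS for NAT to a real server. Without net.ipv4.vs.conntrack=1 that tracked entry and the IPVS entry describe different flows, which is the loop the note describes.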
