What I would need: Could someone with a RH5 cluster, with IPTables running, please post their iptables info?

What I have: I hate to sound like an idiot here, but I just can't understand what is happening with IPTables and linux HA. I have 3 servers running RH5, dal-xcp-11 (192.168.1.1), dal-xcp-12 (192.168.1.2) and dal-xcp-13 (192.168.1.3) clustered together in an Active/Active/Standby configuration. With IPTables turned off my cluster performs flawlessly. (Finally.)

This is what my ha.cf looks like on all 3 machines:

crm on
auto_failback on
logfacility local0
logfile /var/log/hb.log # Heartbeat logfile.
debugfile /var/log/heartbeat-debug.log # Debugging logfile.
apiauth mgmtd uid=root
respawn root /usr/lib/heartbeat/mgmtd -v
keepalive 10
deadtime 30
warntime 20
initdead 120
udpport 894
respawn root /usr/lib/heartbeat/hbagent
mcast eth0 237.0.1.1 894 1 0
respawn hacluster /usr/lib/heartbeat/ipfail
node dal-xcp-11.prodea-lo.net
node dal-xcp-21.prodea-lo.net
node dal-xcp-12.prodea-lo.net
The multicast IP and port I'm using are 237.0.1.1 port 894. Along with the other lines in my normal IPTables setup, I add the following lines for HA. Am I missing something here? I would have thought that adding these two lines for the IP and port would have been enough. Does HB have other ports that it uses by default that I don't have listed?

-A RH-Firewall-1-INPUT -d 237.0.1.1 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 894 -j ACCEPT
. . .
-A RH-Firewall-1-INPUT -j LOG --log-prefix "Reject Traffic " --log-level 6
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Hell, I've even tried adding these lines, but it seems that after a few minutes it stops working too:

-A RH-Firewall-1-INPUT -s 192.168.1.1 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.3 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.4 -j ACCEPT

When I turn on IPTables, I don't see any packets being rejected (and logged to /var/log/messages), but the multicast packets from the other two hosts stop showing up on the single server that I turned IPTables on for. Doing a tcpdump on port 894 on the server that has IPTables turned on (dal-xcp-12), I see the following. No packets from dal-xcp-11 or dal-xcp-21. On those two, I do see packets from all of the servers in the cluster.
15:06:11.116476 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
15:06:21.117204 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
15:06:31.117176 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 235
15:06:31.117194 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
15:06:41.118242 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
15:06:51.118669 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
15:07:01.119928 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
15:07:11.121685 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221

Quite often, at this point, one of the OTHER two blades reboots with the message:

dal-xcp-21 heartbeat: [3079]: EMERG: Rebooting system. Reason: /usr/lib/heartbeat/crmd

But that (I think) is another issue.

Any help would be greatly appreciated.

Michael.

_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
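An offline audit of the posted rule set, added here as an example; it is not code from the post or from Heartbeat. It parses iptables-save style rules for the RH-Firewall-1-INPUT chain and walks them top to bottom against two constructed probe packets: the UDP heartbeat datagram to 237.0.1.1 port 894, and an IGMP membership query. The IGMP probe is the check a practitioner would want here: on a LAN with IGMP snooping, the switch keeps forwarding a multicast group to a port only while the host on that port keeps answering the querier's periodic membership queries, so a chain that accepts the group and the UDP port but rejects IGMP keeps the group only until the snooping entry ages out, typically a few minutes after the firewall comes up. The querier address 192.168.1.254 is an assumption; the second rule list is the posted one with `-p igmp -j ACCEPT` added.

```python
"""Audit an iptables chain for the traffic a multicast heartbeat needs.

Added example, not code from the original post. Rules are matched in order
the way iptables does: the first ACCEPT/DROP/REJECT whose match options fit
the packet decides; LOG is non-terminating.
"""
import ipaddress
import shlex

# Options that take exactly one argument; anything else is ignored.
_ONE_ARG = {"-A": "chain", "-p": "proto", "-s": "src", "-d": "dst",
            "-i": "iface", "-j": "target", "--dport": "dport",
            "--sport": "sport", "-m": "module", "--log-prefix": "log_prefix",
            "--log-level": "log_level", "--reject-with": "reject_with"}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the options we care about."""
    tokens = shlex.split(line)
    rule, i = {}, 0
    while i < len(tokens):
        if tokens[i] in _ONE_ARG:
            rule[_ONE_ARG[tokens[i]]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return rule


def _addr_match(spec, addr):
    """'spec' may be a host or CIDR; a bare host is treated as /32."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """True if every match option present in the rule fits the packet."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and str(pkt.get("dport")) != rule["dport"]:
        return False
    if "src" in rule and not _addr_match(rule["src"], pkt["src"]):
        return False
    if "dst" in rule and not _addr_match(rule["dst"], pkt["dst"]):
        return False
    return True


def verdict(rules, chain, pkt):
    """Walk one chain; the first terminating rule that matches decides."""
    for rule in rules:
        if rule.get("chain") != chain or not rule_matches(rule, pkt):
            continue
        if rule.get("target") in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        # LOG and other non-terminating targets: keep walking.
    return "FALLTHROUGH"  # end of chain reached; the calling chain's policy applies


# Constructed probe packets, not captured traffic. The querier address is an
# assumption; on a real LAN it is whatever the switch or router uses.
PROBES = {
    "heartbeat udp from peer": {"proto": "udp", "src": "192.168.1.1",
                                "dst": "237.0.1.1", "dport": 894},
    "igmp query from querier": {"proto": "igmp", "src": "192.168.1.254",
                                "dst": "224.0.0.1"},
}

CHAIN = "RH-Firewall-1-INPUT"

# The chain as posted: group and UDP port accepted, everything else rejected.
POSTED = [
    "-A RH-Firewall-1-INPUT -d 237.0.1.1 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -p udp -m udp --dport 894 -j ACCEPT",
    '-A RH-Firewall-1-INPUT -j LOG --log-prefix "Reject Traffic " --log-level 6',
    "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited",
]

# Same chain plus IGMP, so the host keeps answering membership queries.
WITH_IGMP = POSTED[:2] + ["-A RH-Firewall-1-INPUT -p igmp -j ACCEPT"] + POSTED[2:]


def audit(rule_lines, chain=CHAIN):
    """Return {probe name: verdict} for a list of iptables-save rule lines."""
    rules = [parse_rule(line) for line in rule_lines]
    return {name: verdict(rules, chain, pkt) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for label, rule_set in (("as posted", POSTED), ("with igmp", WITH_IGMP)):
        print(label)
        for name, result in audit(rule_set).items():
            print(f"  {name:26s} {result}")
```

On a live host the same check is `iptables-save | grep RH-Firewall-1-INPUT` fed into `audit()`, and `tcpdump -ni eth0 igmp` on the firewalled node shows whether queries arrive and reports go out; if the queries never reach the host, the UDP rules are not the part of the chain to look at.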
