On Tue, 2008-06-24 at 08:14 -0700, Michael Toler wrote:
> What I would need:
> Could someone with a RH5 cluster, with IPTables running, please post their
> iptables info?
>
> What I have:
> I hate to sound like an idiot here, but I just can't understand what is
> happening with IPTables and Linux HA.
> I have 3 servers running RH5, dal-xcp-11 (192.168.1.1),
> dal-xcp-12 (192.168.1.2) and dal-xcp-13 (192.168.1.3) clustered together in an
> Active/Active/Standby configuration.
> With IPTables turned off my cluster performs flawlessly. (Finally.)
>
> This is what my ha.cf looks like on all 3 machines:
>
> crm on
> auto_failback on
> logfacility local0
> logfile /var/log/hb.log # Heartbeat logfile.
> debugfile /var/log/heartbeat-debug.log # Debugging logfile.
> apiauth mgmtd uid=root
> respawn root /usr/lib/heartbeat/mgmtd -v
> keepalive 10
> deadtime 30
> warntime 20
> initdead 120
> udpport 894
> respawn root /usr/lib/heartbeat/hbagent
> mcast eth0 237.0.1.1 894 1 0
> respawn hacluster /usr/lib/heartbeat/ipfail
> node dal-xcp-11.prodea-lo.net
> node dal-xcp-21.prodea-lo.net
> node dal-xcp-12.prodea-lo.net
>
> The multicast IP and port I'm using are 237.0.1.1 port 894. Along with the
> other lines in my normal IPTables setup, I add the following line for HA. Am
> I missing something here? I would have thought that adding these two lines
> for the IP and port would have been enough. Does HB have other ports that it
> uses by default that I don't have listed?
>
> -A RH-Firewall-1-INPUT -d 237.0.1.1 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 894 -j ACCEPT
> . . .
> -A RH-Firewall-1-INPUT -j LOG --log-prefix "Reject Traffic " --log-level 6
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>
> Hell, I've even tried adding these lines, but it seems after a few minutes
> that it stops working too:
> -A RH-Firewall-1-INPUT -s 192.168.1.1 -j ACCEPT
> -A RH-Firewall-1-INPUT -s 192.168.1.3 -j ACCEPT
> -A RH-Firewall-1-INPUT -s 192.168.1.4 -j ACCEPT

I believe you have to set the packet type to match:

iptables -A INPUT -m pkttype --pkt-type multicast -d 237.0.1.1 -j ACCEPT

HTH,
Rubin

> When I turn on IPTables, I don't see any packets being rejected (and logged
> to /var/log/messages), but the multicast packets from the other two hosts
> stop showing up on the single server that I turned IPTables on for.
>
> Doing a tcpdump on port 894 on the server that has IPTables turned on
> (dal-xcp-12), I see the following. No packets from dal-xcp-11 or dal-xcp-21.
> On those two, I do see packets from all of the servers in the cluster.
>
> 15:06:11.116476 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
> 15:06:21.117204 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
> 15:06:31.117176 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 235
> 15:06:31.117194 IP dal-xcp-12.prodea-lo.net.32965 > 237..0.1.1.894: UDP, length 221
> 15:06:41.118242 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
> 15:06:51.118669 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
> 15:07:01.119928 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
> 15:07:11.121685 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
>
> Quite often, at this point, one of the OTHER two blades reboots with the
> message:
> dal-xcp-21 heartbeat: [3079]: EMERG: Rebooting system. Reason: /usr/lib/heartbeat/crmd
> But that (I think) is another issue.
>
> Any help would be greatly appreciated.
> Michael.
>
> _______________________________________________
> Linux-HA mailing list
> [email protected]
> http://lists.linux-ha.org/mailman/listinfo/linux-ha
> See also: http://linux-ha.org/ReportingProblems

-- 
Rubin Bennett
RB Technologies
http://thatitguy.com
[EMAIL PROTECTED]
(802)223-4448
"They that can give up essential liberty to obtain a little temporary security
deserve neither liberty nor safety"
--Benjamin Franklin, Historical Review of Pennsylvania, 1759
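As an added example (not code from the thread or from the Heartbeat project): a small Python check for the symptom Michael describes, which reads tcpdump output like his and reports which hosts from the ha.cf node list never got a heartbeat datagram through the firewall. The hostnames come from the thread; the capture lines are constructed samples modelled on the quoted ones.

```python
import re
from collections import defaultdict

# Constructed capture modelled on the thread: on the firewalled node only its
# own heartbeats to 237.0.1.1:894 are visible.
FIREWALLED_CAPTURE = """\
15:06:11.116476 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
15:06:21.117204 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
15:06:31.117176 IP dal-xcp-12.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 235
"""
# Constructed healthy capture: every peer is heard, plus one unrelated datagram
# that the check must ignore.
HEALTHY_CAPTURE = FIREWALLED_CAPTURE + """\
15:06:31.200000 IP dal-xcp-11.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
15:06:32.300000 IP dal-xcp-21.prodea-lo.net.32965 > 237.0.1.1.894: UDP, length 221
15:06:33.400000 IP dal-xcp-21.prodea-lo.net.40000 > 192.168.1.2.9999: UDP, length 60
"""

# The "node" entries from the ha.cf quoted in the thread.
CLUSTER_NODES = ["dal-xcp-11.prodea-lo.net", "dal-xcp-21.prodea-lo.net",
                 "dal-xcp-12.prodea-lo.net"]

# Matches "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$")


def heartbeat_senders(capture, group="237.0.1.1", port=894):
    """Count UDP datagrams to group:port per source host; other traffic is ignored."""
    seen = defaultdict(int)
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("dst") == group and int(m.group("dport")) == port:
            seen[m.group("src")] += 1
    return dict(seen)


def missing_peers(capture, nodes, group="237.0.1.1", port=894):
    """Configured nodes whose heartbeats never reached this capture point."""
    seen = heartbeat_senders(capture, group, port)
    return sorted(n for n in nodes if n not in seen)


if __name__ == "__main__":
    print("firewalled node is missing:", missing_peers(FIREWALLED_CAPTURE, CLUSTER_NODES))
    print("healthy node is missing:", missing_peers(HEALTHY_CAPTURE, CLUSTER_NODES))
```

Run it against a fresh `tcpdump port 894` capture on each node after changing the rule set; if the multicast ACCEPT rule is doing its job, the missing list on the firewalled node should be empty within a couple of keepalive intervals.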
