On Sat, Aug 23, 2008 at 11:47:44AM +0200, KrisR wrote:
> I'd like to prevent people from using services on ha-nodes via
> their real addresses and to make them use the virtual IP.
> Let me clarify a bit. Let's say that I have two servers HA1 and HA2
> with eth0 192.168.1.251 and 192.168.1.252 respectively.
> In the haresources file something like the following is defined:
>   IPaddr2::192.168.1.254/24/eth0/192.168.1.255 \
>   nfslock \
>   nfs \
>   ...
>
> Is it possible to set up the Linux firewall so that all requests, for
> example, to eth0 port 111 (NFS) are blocked and those to
> eth0:0 port 111 are allowed? If yes, could somebody
> explain to me how to do it with iptables?
You can't target interface aliases with iptables, as the packets are actually received by the "real" interface. You can however block based on destination address, which should be sufficient for your needs. For example:

    iptables -A INPUT -i eth0 -p udp -d 192.168.1.251 --dport 111 -j DROP
    iptables -A INPUT -i eth0 -p tcp -d 192.168.1.251 --dport 111 -j DROP

You might want to use -j REJECT instead of DROP. In particular for TCP connections you can use "-j REJECT --reject-with tcp-reset" in order to send back RST packets, which will give anyone who tries to connect an immediate "connection refused" message, rather than timing out due to lack of response (which is what DROP will do). You can enter "iptables -j REJECT --help" to see a list of rejection types. By default it'll send an ICMP "Port Unreachable" response.

Another thing to consider is setting your local firewall to drop everything that's not specifically permitted, and then allow access to the services on whatever your virtual IP is. If you do this, you'll also need to make sure you permit heartbeat traffic, and you'll probably want to allow SSH and other administrative traffic to the server's particular IP address.

_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
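The reply above describes two things: blocking NFS by destination address on the real IP, and the more robust default-deny INPUT policy that only opens the services on the virtual IP while keeping heartbeat and SSH reachable. The script below is an added example that puts both together for one node; it is not code from the thread or from the Linux-HA project. The addresses are the ones from the question; the heartbeat port (udp/694, heartbeat's default) and the peer-node address are assumptions, and the NFS port list (111 for portmapper, 2049 for nfsd) is deliberately minimal because mountd, statd and lockd ports are assigned dynamically unless pinned in the NFS configuration. The same rules need to be loaded on the second node with REAL_IP and PEER_IP swapped.

```shell
#!/bin/sh
# Added example, not from the original thread: default-deny INPUT chain that
# exposes NFS only on the IPaddr2 virtual IP, keeps SSH on the node's real
# address and permits heartbeat from the peer node.
# Run as "sh ha-fw.sh show" to print the rules, "sh ha-fw.sh apply" to load them.

IPT="${IPT:-iptables}"               # set IPT=echo to print rules instead of applying
REAL_IP="${REAL_IP:-192.168.1.251}"  # this node's eth0 address (HA1 in the thread)
PEER_IP="${PEER_IP:-192.168.1.252}"  # the other node's eth0 address (HA2)
VIP="${VIP:-192.168.1.254}"          # floating address managed by IPaddr2
HB_PORT="${HB_PORT:-694}"            # heartbeat's default UDP port (assumption)
NFS_PORTS="111 2049"                 # portmapper and nfsd; extend once mountd/lockd are pinned

apply_rules() {
    # Start from an empty INPUT chain and deny anything not listed below.
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP

    # Loopback and replies to connections this host initiated.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Administrative access stays on the real address, so it survives a failover.
    "$IPT" -A INPUT -i eth0 -p tcp -d "$REAL_IP" --dport 22 -j ACCEPT

    # Heartbeat from the peer node; without this the cluster would split-brain.
    "$IPT" -A INPUT -i eth0 -p udp -s "$PEER_IP" -d "$REAL_IP" --dport "$HB_PORT" -j ACCEPT

    # NFS is accepted only when the packet is addressed to the virtual IP.
    for port in $NFS_PORTS; do
        "$IPT" -A INPUT -i eth0 -p tcp -d "$VIP" --dport "$port" -j ACCEPT
        "$IPT" -A INPUT -i eth0 -p udp -d "$VIP" --dport "$port" -j ACCEPT
    done

    # The same ports on the real address are refused explicitly so clients get an
    # immediate error (RST for TCP, ICMP port-unreachable for UDP) instead of a timeout.
    nfs_list=$(echo "$NFS_PORTS" | tr ' ' ',')
    "$IPT" -A INPUT -i eth0 -p tcp -d "$REAL_IP" -m multiport --dports "$nfs_list" \
        -j REJECT --reject-with tcp-reset
    "$IPT" -A INPUT -i eth0 -p udp -d "$REAL_IP" -m multiport --dports "$nfs_list" \
        -j REJECT --reject-with icmp-port-unreachable
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  IPT=echo; apply_rules ;;
esac
```

Because the policy is DROP, anything forgotten (NTP, monitoring, a second heartbeat link) silently stops working, so print the rules with "show" and compare them against the node's actual traffic before applying them on a production cluster.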
