Hi all,

This might be either quick or a wonder.

OS: RHEL v4.0
Heartbeat version: 2.0.8 (no chance to update it for the moment, though I am
working on it).

I have found out the following behaviour which surprises me a bit.

Basically, I have an A/P linux-ha cluster with two nodes, each running iptables.
Both nodes have two interfaces (.26.* is external, .45.* is internal, not
that it actually matters).
Both nodes have iptables rules to ensure NAT and pretty secure traffic.

While both nodes are in the cluster, everything seems ok. crm_mon shows
everything fine.
If I shut down the active node, all goes fine.
Passive node takes up resources ok.

The next step would be to fix the "failed" node and, once fixed, start up
heartbeat again. THIS doesn't work.
There is no way the node rejoins the cluster.
BUT if I flush the normal iptables rules (iptables -F, iptables -X, iptables
-Z) ON BOTH NODES, it still doesn't seem to work.
I have to flush the NAT rules AS WELL to successfully rejoin the node to the
cluster.

Now my question is: how can the NAT rules affect whether the node joins the
cluster or not?

Then a weird thing happens when shutting down the HA services: if done in an
orderly way, with /etc/init.d/heartbeat stop, it doesn't work.
Only if I flush the firewall rules on BOTH nodes does it work.

The problem is that, under nominal circumstances, I would need to keep the NAT
rules up and running at all times, using the cluster IP...
I have put the iptables config script below. I am pretty sure it is an
iptables issue...

I'm sorry to say I don't have the logs here, but I'm sure you experts could
find an error in the iptables config that I am still missing :S

If logs are needed, or cib.xml, or ha.cf, etc... I could provide it at a
later time only...

Thanks in advance to you all :)

Nicolas.
---------------------------------------------------------------------------------------------------------
Nodes config:
fw1: extIP: 192.168.26.135
       intIP: 192.156.45.135
fw2: extIP: 192.168.26.243
       intIP: 192.168.45.243
Cluster IP:
 On external interface: eth1: 192.168.26.100
 On internal interface: eth0: 192.168.45.1
---------------------------------------------------------------------------------------------------------

<<< iptables script (extract of iptables rules only) launched on any of the
nodes startup >>>
$IPTABLES --flush
$IPTABLES -t nat --flush
$IPTABLES -P OUTPUT  DROP
$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# NAT Needed
#
$IPTABLES -t nat -A POSTROUTING -o eth1  -s 192.168.45.252 -j SNAT --to-source 192.168.26.100
$IPTABLES -t nat -A POSTROUTING -o eth1  -s 192.168.45.244 -j SNAT --to-source 192.168.26.100
$IPTABLES -t nat -A POSTROUTING -o eth1  -s 192.168.45.100 -j SNAT --to-source 192.168.26.100

#
# NAT Needed
#
$IPTABLES -t nat -A PREROUTING  -p tcp -m tcp -m multiport   -d 192.168.26.100 --dports 8880,8887 -j DNAT --to-destination 192.168.45.100

#
# anti spoofing rule
#
$IPTABLES -N In_RULE_0
$IPTABLES -A INPUT  -i eth1  -s 192.168.26.100  -j In_RULE_0
$IPTABLES -A INPUT  -i eth1  -s 192.168.45.1  -j In_RULE_0
$IPTABLES -A INPUT  -i eth1  -s 192.168.45.0/24  -j In_RULE_0
$IPTABLES -A FORWARD  -i eth1  -s 192.168.26.100  -j In_RULE_0
$IPTABLES -A FORWARD  -i eth1  -s 192.168.45.1  -j In_RULE_0
$IPTABLES -A FORWARD  -i eth1  -s 192.168.45.0/24  -j In_RULE_0
$IPTABLES -A In_RULE_0  -j LOG  --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A In_RULE_0  -j DROP

#
# Loopback interface traffic allowed
#
$IPTABLES -A INPUT  -i lo  -m state --state NEW  -j ACCEPT
$IPTABLES -A OUTPUT  -o lo  -m state --state NEW  -j ACCEPT

#
# SSH Access to firewall is permitted
# only from internal network.
#
$IPTABLES -A INPUT -p tcp -m tcp  -s 192.168.45.0/24  --dport 22  -m state --state NEW  -j ACCEPT

#
# Inter-FWs traffic allowed
#
$IPTABLES -A INPUT  -s 192.168.45.235  -m state --state NEW  -j ACCEPT
$IPTABLES -A INPUT  -s 192.168.45.243  -m state --state NEW  -j ACCEPT
# Idem for UDP Traffic
$IPTABLES -A INPUT  -s 192.168.45.235  -p udp -m udp   -j ACCEPT
$IPTABLES -A INPUT  -s 192.168.45.243  -p udp -m udp   -j ACCEPT
# Idem for external interface traffic
$IPTABLES -A INPUT  -s 192.168.26.235  -m state --state NEW  -j ACCEPT
$IPTABLES -A INPUT  -s 192.168.26.243  -m state --state NEW  -j ACCEPT
# Idem for UDP Traffic
$IPTABLES -A INPUT  -s 192.168.26.235  -p udp -m udp   -j ACCEPT
$IPTABLES -A INPUT  -s 192.168.26.243  -p udp -m udp  -j ACCEPT

#
# Inter-FWs traffic allowed
#
$IPTABLES -A OUTPUT  -d 192.168.45.235  -m state --state NEW  -j ACCEPT
$IPTABLES -A OUTPUT  -d 192.168.45.243  -m state --state NEW  -j ACCEPT
# Idem for UDP Traffic
$IPTABLES -A OUTPUT  -d 192.168.45.235  -p udp -m udp   -j ACCEPT
$IPTABLES -A OUTPUT  -d 192.168.45.243  -p udp -m udp   -j ACCEPT
# Idem for external interface traffic
$IPTABLES -A OUTPUT  -s 192.168.26.235  -m state --state NEW  -j ACCEPT
$IPTABLES -A OUTPUT  -s 192.168.26.243  -m state --state NEW  -j ACCEPT
# Idem for UDP Traffic
$IPTABLES -A OUTPUT  -d 192.168.26.235  -p udp -m udp   -j ACCEPT
$IPTABLES -A OUTPUT  -d 192.168.26.243  -p udp -m udp   -j ACCEPT

#
# Inter-FWs traffic allowed
#
$IPTABLES -A FORWARD -d 192.168.45.235  -m state --state NEW  -j ACCEPT
$IPTABLES -A FORWARD -d 192.168.45.243  -m state --state NEW  -j ACCEPT
# Idem for UDP Traffic
$IPTABLES -A FORWARD -d 192.168.45.235  -p udp -m udp   -j ACCEPT
$IPTABLES -A FORWARD -d 192.168.45.243  -p udp -m udp   -j ACCEPT
# Idem for external interface traffic
$IPTABLES -A FORWARD -s 192.168.26.235  -m state --state NEW  -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.26.243  -m state --state NEW  -j ACCEPT
# Idem for UDP Traffic
$IPTABLES -A FORWARD -d 192.168.26.235  -p udp -m udp   -j ACCEPT
$IPTABLES -A FORWARD -d 192.168.26.243  -p udp -m udp   -j ACCEPT

#
# NTP Traffic Permission
#
$IPTABLES -A OUTPUT  -d 192.168.45.227  -m state --state NEW  -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp  -s 192.168.45.227  --dport 123  -m state --state NEW  -j ACCEPT

#
$IPTABLES -A OUTPUT  -d 192.168.45.252  -m state --state NEW  -j ACCEPT
$IPTABLES -A OUTPUT  -d 192.168.45.244  -m state --state NEW  -j ACCEPT
$IPTABLES -A OUTPUT  -d 192.168.45.100  -m state --state NEW  -j ACCEPT

#
$IPTABLES -A INPUT  -s 192.168.45.252  -m state --state NEW  -j ACCEPT
$IPTABLES -A INPUT  -s 192.168.45.244  -m state --state NEW  -j ACCEPT
$IPTABLES -A INPUT  -s 192.168.45.100  -m state --state NEW  -j ACCEPT

#
# All other attempts to connect to
# the firewall are denied and logged
#
$IPTABLES -N RULE_11
$IPTABLES -A OUTPUT -d 192.168.26.100  -j RULE_11
$IPTABLES -A OUTPUT -d 192.168.45.1  -j RULE_11
$IPTABLES -A INPUT -j RULE_11
$IPTABLES -A RULE_11 -j LOG  --log-level info --log-prefix "RULE 11 -- DENY "
$IPTABLES -A RULE_11 -j DROP

#
# Ensure IP FORWARD
#
echo 1 > /proc/sys/net/ipv4/ip_forward
<<<<< End of iptables rules extract >>>>>
_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
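As an added check (not from the post or the linux-ha project), the script below audits the "Inter-FWs traffic" INPUT/OUTPUT rules against the node addresses listed in the post: it reports node addresses that no ACCEPT rule covers and rule addresses that belong to no node. It assumes heartbeat's peer traffic is UDP, that fw1's internal address is 192.168.45.135, and that the rule text is copied from the post.

```python
# Constructed from the post: node addresses and the Inter-FWs INPUT/OUTPUT rules.
# fw1's internal address is assumed to be 192.168.45.135 (post's 192.156 read as a typo).
NODE_IPS = {
    "fw1": {"192.168.26.135", "192.168.45.135"},
    "fw2": {"192.168.26.243", "192.168.45.243"},
}
RULES = """\
-A INPUT  -s 192.168.45.235  -m state --state NEW  -j ACCEPT
-A INPUT  -s 192.168.45.243  -m state --state NEW  -j ACCEPT
-A INPUT  -s 192.168.45.235  -p udp -m udp   -j ACCEPT
-A INPUT  -s 192.168.45.243  -p udp -m udp   -j ACCEPT
-A INPUT  -s 192.168.26.235  -m state --state NEW  -j ACCEPT
-A INPUT  -s 192.168.26.243  -m state --state NEW  -j ACCEPT
-A INPUT  -s 192.168.26.235  -p udp -m udp   -j ACCEPT
-A INPUT  -s 192.168.26.243  -p udp -m udp  -j ACCEPT
-A OUTPUT  -d 192.168.45.235  -m state --state NEW  -j ACCEPT
-A OUTPUT  -d 192.168.45.243  -m state --state NEW  -j ACCEPT
-A OUTPUT  -d 192.168.45.235  -p udp -m udp   -j ACCEPT
-A OUTPUT  -d 192.168.45.243  -p udp -m udp   -j ACCEPT
-A OUTPUT  -s 192.168.26.235  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 192.168.26.243  -m state --state NEW  -j ACCEPT
-A OUTPUT  -d 192.168.26.235  -p udp -m udp   -j ACCEPT
-A OUTPUT  -d 192.168.26.243  -p udp -m udp   -j ACCEPT
"""
FLAGS = {"-A": "chain", "-s": "src", "-d": "dst", "-p": "proto", "-j": "target"}

def parse_rule(line):
    """Pick the chain, addresses, protocol and target out of one iptables rule."""
    rule = dict.fromkeys(FLAGS.values())
    toks = line.split()
    for i, tok in enumerate(toks[:-1]):
        if tok in FLAGS:
            rule[FLAGS[tok]] = toks[i + 1]
    return rule

def audit(rules_text, nodes):
    """Node addresses no UDP-capable ACCEPT covers, and rule addresses no node owns."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    accept = [r for r in rules if r["target"] == "ACCEPT" and r["proto"] in (None, "udp")]
    known = set().union(*nodes.values())
    peers_in = {r["src"] for r in accept if r["chain"] == "INPUT" and r["src"]}
    peers_out = {r["dst"] for r in accept if r["chain"] == "OUTPUT" and r["dst"]}
    referenced = {a for r in accept for a in (r["src"], r["dst"]) if a}
    return {
        "no_input_accept": sorted(known - peers_in),
        "no_output_accept": sorted(known - peers_out),
        "unknown_addresses": sorted(referenced - known),
    }

if __name__ == "__main__":
    for finding, addrs in audit(RULES, NODE_IPS).items():
        print(f"{finding}: {', '.join(addrs) or 'none'}")
```

Run on the post's rules it shows that neither of fw1's real addresses is accepted by the peer, while the .235 addresses in the rules belong to no node.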