Hi,

On Thu, Dec 11, 2008 at 01:59:14PM +0100, Niko wrote:
> Hi all,
>
> This might be either quick or a wonder.
>
> OS: RHEL v4.0
> Heartbeat version: 2.0.8 (no chance to update it for the moment, though I am
> working on it).
>
> I have found out the following behaviour, which surprises me a bit.
>
> Basically, I have an A/P linux-ha cluster with two nodes, each an iptables
> firewall. Both nodes have two interfaces (.26.* is external, .45.* is
> internal, not that it actually matters).
> Both nodes have iptables rules to ensure NAT and pretty secure traffic.
>
> While both nodes are in the cluster, everything seems ok. crm_mon shows up
> with everything fine.
> If I shut down the active node, all goes fine.
> The passive node takes up the resources ok.
>
> The next step would be to fix the "failed" node and, once fixed, start up
> heartbeat again. THIS doesn't work.
> There is no way the node joins the cluster again.
> BUT if I flush the normal iptables rules (iptables -F, iptables -X,
> iptables -Z), ON BOTH NODES, it still doesn't seem to work.
> I have to flush the NAT rules AS WELL to succeed at joining the node into
> the cluster again.
>
> Now my question is: how can the NAT rules affect whether the node joins the
> cluster or not?
>
> Then a weird thing happens when shutting down the ha services: if done
> orderly, /etc/init.d/heartbeat stop, it doesn't work.
> Only if I flush the firewall rules, on BOTH nodes, does it work.
>
> The problem is, under nominal circumstances, I would need to keep the NAT
> rules up and running at all times, using the cluster IP...
> Below I put down the iptables config script. I am pretty sure it is an
> iptables issue...
>
> I'm sorry to say I don't have the logs here, but I'm sure you experts could
> find the error in the IPTABLES config I am still missing :S
>
> If logs are needed, or cib.xml, or ha.cf, etc., I could provide them at a
> later time only...

Can you disable NAT for the UDP traffic (if you don't need that) and see if
that helps? You can also try with different hb media: ucast, bcast, mcast
(see ha.cf).

My only guess is that iptables somehow mangles heartbeat packets (IP/UDP).

Thanks,

Dejan

> Thanks in advance to you all :)
>
> Nicolas.
> ---------------------------------------------------------------------------
> Nodes config:
> fw1: extIP: 192.168.26.135
>      intIP: 192.156.45.135
> fw2: extIP: 192.168.26.243
>      intIP: 192.168.45.243
> Cluster IP:
>   On external interface: eth1: 192.168.26.100
>   On internal interface: eth0: 192.168.45.1
> ---------------------------------------------------------------------------
>
> <<< iptables script (extract of iptables rules only) launched on any of the
> nodes' startup >>>
> $IPTABLES --flush
> $IPTABLES -t nat --flush
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> #
> # NAT Needed
> #
> $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.45.252 -j SNAT --to-source 192.168.26.100
> $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.45.244 -j SNAT --to-source 192.168.26.100
> $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.45.100 -j SNAT --to-source 192.168.26.100
>
> #
> # NAT Needed
> #
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 192.168.26.100 --dports 8880,8887 -j DNAT --to-destination 192.168.45.100
>
> #
> # anti spoofing rule
> #
> $IPTABLES -N In_RULE_0
> $IPTABLES -A INPUT -i eth1 -s 192.168.26.100 -j In_RULE_0
> $IPTABLES -A INPUT -i eth1 -s 192.168.45.1 -j In_RULE_0
> $IPTABLES -A INPUT -i eth1 -s 192.168.45.0/24 -j In_RULE_0
> $IPTABLES -A FORWARD -i eth1 -s 192.168.26.100 -j In_RULE_0
> $IPTABLES -A FORWARD -i eth1 -s 192.168.45.1 -j In_RULE_0
> $IPTABLES -A FORWARD -i eth1 -s 192.168.45.0/24 -j In_RULE_0
> $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
> $IPTABLES -A In_RULE_0 -j DROP
>
> #
> # Loopback interface traffic allowed
> #
> $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
>
> #
> # SSH Access to firewall is permitted
> # only from internal network.
> #
> $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.45.0/24 --dport 22 -m state --state NEW -j ACCEPT
>
> #
> # Inter-FWs traffic allowed
> #
> $IPTABLES -A INPUT -s 192.168.45.235 -m state --state NEW -j ACCEPT
> $IPTABLES -A INPUT -s 192.168.45.243 -m state --state NEW -j ACCEPT
> # Idem for UDP Traffic
> $IPTABLES -A INPUT -s 192.168.45.235 -p udp -m udp -j ACCEPT
> $IPTABLES -A INPUT -s 192.168.45.243 -p udp -m udp -j ACCEPT
> # Idem for external interface traffic
> $IPTABLES -A INPUT -s 192.168.26.235 -m state --state NEW -j ACCEPT
> $IPTABLES -A INPUT -s 192.168.26.243 -m state --state NEW -j ACCEPT
> # Idem for UDP Traffic
> $IPTABLES -A INPUT -s 192.168.26.235 -p udp -m udp -j ACCEPT
> $IPTABLES -A INPUT -s 192.168.26.243 -p udp -m udp -j ACCEPT
>
> #
> # Inter-FWs traffic allowed
> #
> $IPTABLES -A OUTPUT -d 192.168.45.235 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -d 192.168.45.243 -m state --state NEW -j ACCEPT
> # Idem for UDP Traffic
> $IPTABLES -A OUTPUT -d 192.168.45.235 -p udp -m udp -j ACCEPT
> $IPTABLES -A OUTPUT -d 192.168.45.243 -p udp -m udp -j ACCEPT
> # Idem for external interface traffic
> $IPTABLES -A OUTPUT -s 192.168.26.235 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -s 192.168.26.243 -m state --state NEW -j ACCEPT
> # Idem for UDP Traffic
> $IPTABLES -A OUTPUT -d 192.168.26.235 -p udp -m udp -j ACCEPT
> $IPTABLES -A OUTPUT -d 192.168.26.243 -p udp -m udp -j ACCEPT
>
> #
> # Inter-FWs traffic allowed
> #
> $IPTABLES -A FORWARD -d 192.168.45.235 -m state --state NEW -j ACCEPT
> $IPTABLES -A FORWARD -d 192.168.45.243 -m state --state NEW -j ACCEPT
> # Idem for UDP Traffic
> $IPTABLES -A FORWARD -d 192.168.45.235 -p udp -m udp -j ACCEPT
> $IPTABLES -A FORWARD -d 192.168.45.243 -p udp -m udp -j ACCEPT
> # Idem for external interface traffic
> $IPTABLES -A FORWARD -s 192.168.26.235 -m state --state NEW -j ACCEPT
> $IPTABLES -A FORWARD -s 192.168.26.243 -m state --state NEW -j ACCEPT
> # Idem for UDP Traffic
> $IPTABLES -A FORWARD -d 192.168.26.235 -p udp -m udp -j ACCEPT
> $IPTABLES -A FORWARD -d 192.168.26.243 -p udp -m udp -j ACCEPT
>
> #
> # NTP Traffic Permission
> #
> $IPTABLES -A OUTPUT -d 192.168.45.227 -m state --state NEW -j ACCEPT
> $IPTABLES -A INPUT -p udp -m udp -s 192.168.45.227 --dport 123 -m state --state NEW -j ACCEPT
>
> #
> $IPTABLES -A OUTPUT -d 192.168.45.252 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -d 192.168.45.244 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -d 192.168.45.100 -m state --state NEW -j ACCEPT
>
> #
> $IPTABLES -A INPUT -s 192.168.45.252 -m state --state NEW -j ACCEPT
> $IPTABLES -A INPUT -s 192.168.45.244 -m state --state NEW -j ACCEPT
> $IPTABLES -A INPUT -s 192.168.45.100 -m state --state NEW -j ACCEPT
>
> #
> # All other attempts to connect to
> # the firewall are denied and logged
> #
> $IPTABLES -N RULE_11
> $IPTABLES -A OUTPUT -d 192.168.26.100 -j RULE_11
> $IPTABLES -A OUTPUT -d 192.168.45.1 -j RULE_11
> $IPTABLES -A INPUT -j RULE_11
> $IPTABLES -A RULE_11 -j LOG --log-level info --log-prefix "RULE 11 -- DENY "
> $IPTABLES -A RULE_11 -j DROP
>
> #
> # Ensure IP FORWARD
> #
> echo 1 > /proc/sys/net/ipv4/ip_forward
> <<<<< End of iptables rules extract >>>>>

_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
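Dejan's suggestion (take heartbeat's UDP traffic out of NAT and accept it explicitly between the two nodes) as a small shell fragment. This is an added example, not code from the thread; it assumes heartbeat's default udpport 694 (ha.cf; the thread does not give the port), the node addresses from the "Nodes config" section, and eth0 internal / eth1 external as posted. DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: heartbeat's default
# udpport 694, node addresses from "Nodes config", eth0 internal, eth1 external.
HB_PORT=694
INT_IF=eth0; EXT_IF=eth1
INT_PEERS="192.168.45.135 192.168.45.243"
EXT_PEERS="192.168.26.135 192.168.26.243"

# DRY_RUN=1 prints the iptables commands instead of running them
# (iptables needs root and a live netfilter stack).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Insert (-I) at the top of the chain so these rules win over the trailing
# RULE_11 deny chain; match the heartbeat port, not just "any UDP" from a peer.
hb_allow_peer() {   # $1 = interface, $2 = peer address
    ipt -I INPUT  -i "$1" -p udp -s "$2" --dport "$HB_PORT" -j ACCEPT
    ipt -I OUTPUT -o "$1" -p udp -d "$2" --dport "$HB_PORT" -j ACCEPT
}

hb_rules() {
    for p in $INT_PEERS; do hb_allow_peer "$INT_IF" "$p"; done
    for p in $EXT_PEERS; do hb_allow_peer "$EXT_IF" "$p"; done
    # bcast media sends to the subnet broadcast address; ucast needs only
    # the per-peer rules above (addrtype match, assumed available).
    ipt -I INPUT  -p udp --dport "$HB_PORT" -m addrtype --dst-type BROADCAST -j ACCEPT
    ipt -I OUTPUT -p udp --dport "$HB_PORT" -m addrtype --dst-type BROADCAST -j ACCEPT
    # ACCEPT in the nat table ends NAT processing for that packet, so heartbeat
    # datagrams are never rewritten by SNAT/DNAT rules that follow.
    ipt -t nat -I POSTROUTING -p udp --dport "$HB_PORT" -j ACCEPT
    ipt -t nat -I PREROUTING  -p udp --dport "$HB_PORT" -j ACCEPT
}

# Number of rules the fragment would add (dry run in a subshell).
hb_rule_count() { ( DRY_RUN=1; hb_rules ) | wc -l | tr -d ' '; }
```

Verify afterwards with `iptables -t nat -S POSTROUTING` and `iptables -S INPUT`: the heartbeat ACCEPT lines must appear before the SNAT rules and before the jump to RULE_11.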
