Hi Dejan,

Many thanks, I will look into that specific proposal (disabling NAT for UDP sounds like a great option... ;))
Regarding the ha.cf hb messages, I use unicast ;) I'll take that into account too.
Anyhow, I'll get back to you with any feedback.

Regards,
Niko.

2008/12/11 Dejan Muhamedagic <[EMAIL PROTECTED]>

> Hi,
>
> On Thu, Dec 11, 2008 at 01:59:14PM +0100, Niko wrote:
> > Hi all,
> >
> > This might be either quick or a wonder.
> >
> > OS: RHEL v4.0
> > Heartbeat version: 2.0.8 (no chance to update it for the moment, though I
> > am working on it).
> >
> > I have found out the following behaviour, which surprises me a bit.
> >
> > Basically, I have an A/P linux-ha cluster, with two nodes, each an
> > iptables. Both nodes have two interfaces (.26.* is external, .45.* is
> > internal, not that it does actually matter).
> > Both nodes have iptables rules to ensure NAT, and pretty secure traffic.
> >
> > While both nodes are in the cluster, everything seems ok. crm_mon shows
> > up with everything fine.
> > If I shut down the active node, all goes fine.
> > Passive node takes up resources ok.
> >
> > The next step would be to fix the "failed" node, and once fixed, start up
> > heartbeat again. THIS doesn't work.
> > No way the node joins the cluster again.
> > BUT if I flush the normal iptables rules (iptables -F, iptables -X,
> > iptables -Z), ON BOTH NODES, it still doesn't seem to work.
> > I have to flush the NAT rules AS WELL to be successful at joining the
> > node into the cluster again.
> >
> > Now my question is: How can the NAT rules affect whether or not the node
> > joins the cluster?
> >
> > Then a weird thing happens when shutting down the ha services: if done
> > orderly, /etc/init.d/heartbeat stop, it doesn't work.
> > Only if I flush the firewall rules, on BOTH nodes, may it work.
> >
> > The problem is, under nominal circumstances, I would need to keep the NAT
> > rules up and running at all times, using the cluster IP...
> > I put down these lines of the iptables config script. I am pretty sure it
> > is an iptables issue...
> >
> > I'm sorry to say I don't have the logs here, but I'm sure you experts
> > could find an error in the IPTABLES config I am still missing :S
> >
> > If logs are needed, or cib.xml, or ha.cf, etc... I could provide it at a
> > later time only...
>
> Can you disable NAT for the UDP traffic (if you don't need that)
> and see if that helps. You can also try with different hb media:
> ucast, bcast, mcast (see ha.cf). My only guess is that iptables
> somehow mangle heartbeat packets (IP/UDP).
>
> Thanks,
>
> Dejan
>
> > Thanks in advance to you all :)
> >
> > Nicolas.
> >
> > ---------------------------------------------------------------------------------------------------------
> > Nodes config:
> > fw1: extIP: 192.168.26.135
> >      intIP: 192.156.45.135
> > fw2: extIP: 192.168.26.243
> >      intIP: 192.168.45.243
> > Cluster IP:
> >      On external interface: eth1: 192.168.26.100
> >      On internal interface: eth0: 192.168.45.1
> > ---------------------------------------------------------------------------------------------------------
> >
> > <<< iptables script (extract of iptables rules only) launched on any of
> > the nodes' startup >>>
> > $IPTABLES --flush
> > $IPTABLES -t nat --flush
> > $IPTABLES -P OUTPUT DROP
> > $IPTABLES -P INPUT DROP
> > $IPTABLES -P FORWARD DROP
> > $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > #
> > # NAT Needed
> > #
> > $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.45.252 -j SNAT --to-source 192.168.26.100
> > $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.45.244 -j SNAT --to-source 192.168.26.100
> > $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.45.100 -j SNAT --to-source 192.168.26.100
> >
> > #
> > # NAT Needed
> > #
> > $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 192.168.26.100 --dports 8880,8887 -j DNAT --to-destination 192.168.45.100
> >
> > #
> > # anti spoofing rule
> > #
> > $IPTABLES -N In_RULE_0
> > $IPTABLES -A INPUT -i eth1 -s 192.168.26.100 -j In_RULE_0
> > $IPTABLES -A INPUT -i eth1 -s 192.168.45.1 -j In_RULE_0
> > $IPTABLES -A INPUT -i eth1 -s 192.168.45.0/24 -j In_RULE_0
> > $IPTABLES -A FORWARD -i eth1 -s 192.168.26.100 -j In_RULE_0
> > $IPTABLES -A FORWARD -i eth1 -s 192.168.45.1 -j In_RULE_0
> > $IPTABLES -A FORWARD -i eth1 -s 192.168.45.0/24 -j In_RULE_0
> > $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
> > $IPTABLES -A In_RULE_0 -j DROP
> >
> > #
> > # Loopback interface traffic allowed
> > #
> > $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
> > $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
> >
> > #
> > # SSH Access to firewall is permitted
> > # only from internal network.
> > #
> > $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.45.0/24 --dport 22 -m state --state NEW -j ACCEPT
> >
> > #
> > # Inter-FWs traffic allowed
> > #
> > $IPTABLES -A INPUT -s 192.168.45.235 -m state --state NEW -j ACCEPT
> > $IPTABLES -A INPUT -s 192.168.45.243 -m state --state NEW -j ACCEPT
> > # Idem for UDP Traffic
> > $IPTABLES -A INPUT -s 192.168.45.235 -p udp -m udp -j ACCEPT
> > $IPTABLES -A INPUT -s 192.168.45.243 -p udp -m udp -j ACCEPT
> > # Idem for external interface traffic
> > $IPTABLES -A INPUT -s 192.168.26.235 -m state --state NEW -j ACCEPT
> > $IPTABLES -A INPUT -s 192.168.26.243 -m state --state NEW -j ACCEPT
> > # Idem for UDP Traffic
> > $IPTABLES -A INPUT -s 192.168.26.235 -p udp -m udp -j ACCEPT
> > $IPTABLES -A INPUT -s 192.168.26.243 -p udp -m udp -j ACCEPT
> >
> > #
> > # Inter-FWs traffic allowed
> > #
> > $IPTABLES -A OUTPUT -d 192.168.45.235 -m state --state NEW -j ACCEPT
> > $IPTABLES -A OUTPUT -d 192.168.45.243 -m state --state NEW -j ACCEPT
> > # Idem for UDP Traffic
> > $IPTABLES -A OUTPUT -d 192.168.45.235 -p udp -m udp -j ACCEPT
> > $IPTABLES -A OUTPUT -d 192.168.45.243 -p udp -m udp -j ACCEPT
> > # Idem for external interface traffic
> > $IPTABLES -A OUTPUT -s 192.168.26.235 -m state --state NEW -j ACCEPT
> > $IPTABLES -A OUTPUT -s 192.168.26.243 -m state --state NEW -j ACCEPT
> > # Idem for UDP Traffic
> > $IPTABLES -A OUTPUT -d 192.168.26.235 -p udp -m udp -j ACCEPT
> > $IPTABLES -A OUTPUT -d 192.168.26.243 -p udp -m udp -j ACCEPT
> >
> > #
> > # Inter-FWs traffic allowed
> > #
> > $IPTABLES -A FORWARD -d 192.168.45.235 -m state --state NEW -j ACCEPT
> > $IPTABLES -A FORWARD -d 192.168.45.243 -m state --state NEW -j ACCEPT
> > # Idem for UDP Traffic
> > $IPTABLES -A FORWARD -d 192.168.45.235 -p udp -m udp -j ACCEPT
> > $IPTABLES -A FORWARD -d 192.168.45.243 -p udp -m udp -j ACCEPT
> > # Idem for external interface traffic
> > $IPTABLES -A FORWARD -s 192.168.26.235 -m state --state NEW -j ACCEPT
> > $IPTABLES -A FORWARD -s 192.168.26.243 -m state --state NEW -j ACCEPT
> > # Idem for UDP Traffic
> > $IPTABLES -A FORWARD -d 192.168.26.235 -p udp -m udp -j ACCEPT
> > $IPTABLES -A FORWARD -d 192.168.26.243 -p udp -m udp -j ACCEPT
> >
> > #
> > # NTP Traffic Permission
> > #
> > $IPTABLES -A OUTPUT -d 192.168.45.227 -m state --state NEW -j ACCEPT
> > $IPTABLES -A INPUT -p udp -m udp -s 192.168.45.227 --dport 123 -m state --state NEW -j ACCEPT
> >
> > #
> > $IPTABLES -A OUTPUT -d 192.168.45.252 -m state --state NEW -j ACCEPT
> > $IPTABLES -A OUTPUT -d 192.168.45.244 -m state --state NEW -j ACCEPT
> > $IPTABLES -A OUTPUT -d 192.168.45.100 -m state --state NEW -j ACCEPT
> >
> > #
> > $IPTABLES -A INPUT -s 192.168.45.252 -m state --state NEW -j ACCEPT
> > $IPTABLES -A INPUT -s 192.168.45.244 -m state --state NEW -j ACCEPT
> > $IPTABLES -A INPUT -s 192.168.45.100 -m state --state NEW -j ACCEPT
> >
> > #
> > # All other attempts to connect to
> > # the firewall are denied and logged
> > #
> > $IPTABLES -N RULE_11
> > $IPTABLES -A OUTPUT -d 192.168.26.100 -j RULE_11
> > $IPTABLES -A OUTPUT -d 192.168.45.1 -j RULE_11
> > $IPTABLES -A INPUT -j RULE_11
> > $IPTABLES -A RULE_11 -j LOG --log-level info --log-prefix "RULE 11 -- DENY "
> > $IPTABLES -A RULE_11 -j DROP
> >
> > #
> > # Ensure IP FORWARD
> > #
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > <<<<< End of iptables rules extract >>>>>
> > _______________________________________________
> > Linux-HA mailing list
> > [email protected]
> > http://lists.linux-ha.org/mailman/listinfo/linux-ha
> > See also: http://linux-ha.org/ReportingProblems
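Added example, not from the thread and not part of Heartbeat or the poster's script: a small first-match evaluator that walks the INPUT chain quoted above and reports which rule decides a heartbeat datagram, so the filter can be reasoned about offline before rules are flushed on a live node. It assumes heartbeat's default UDP port 694 and unicast from the peer's interface address; the rule text is a constructed copy of the INPUT-chain lines from the post (the $IPTABLES prefix dropped), the OUTPUT, FORWARD and nat tables are not modelled, and the conntrack classification (NEW or ESTABLISHED) is supplied by the caller because the model has no connection table. The cases run both the peer address the Inter-FWs rules allow (.243) and the fw1 internal address as written in the node list (.135, while the rules allow .235), which makes that kind of mismatch visible without guessing at the cause.

```python
import ipaddress
import shlex

HEARTBEAT_PORT = 694  # heartbeat's default udpport (assumption: ha.cf keeps the default)

# Constructed input: INPUT-chain lines from the post, posted order, $IPTABLES dropped.
RULES = r'''
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -s 192.168.26.100 -j In_RULE_0
-A INPUT -i eth1 -s 192.168.45.1 -j In_RULE_0
-A INPUT -i eth1 -s 192.168.45.0/24 -j In_RULE_0
-A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
-A In_RULE_0 -j DROP
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.45.0/24 --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.45.235 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.45.243 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.45.235 -p udp -m udp -j ACCEPT
-A INPUT -s 192.168.45.243 -p udp -m udp -j ACCEPT
-A INPUT -s 192.168.26.235 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.26.243 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.26.235 -p udp -m udp -j ACCEPT
-A INPUT -s 192.168.26.243 -p udp -m udp -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.45.227 --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.45.252 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.45.244 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.45.100 -m state --state NEW -j ACCEPT
-A INPUT -j RULE_11
-A RULE_11 -j LOG --log-level info --log-prefix "RULE 11 -- DENY "
-A RULE_11 -j DROP
'''

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Parse '-A chain ...' lines into {chain: [rule, ...]} in insertion order."""
    chains = {}
    for line in filter(None, text.strip().splitlines()):
        argv = shlex.split(line)
        if argv[0] != "-A":
            raise ValueError(f"unsupported command: {line}")
        rule = {"text": line.strip()}
        for opt, val in zip(argv[2::2], argv[3::2]):
            if opt in ("-m", "--log-level", "--log-prefix"):
                continue  # extension loaders and LOG options do not affect matching
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "--state":
                rule["state"] = set(val.split(","))
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt in ("-i", "-p", "-j"):
                rule[{"-i": "iface", "-p": "proto", "-j": "target"}[opt]] = val
            else:  # fail loudly rather than silently ignoring a matcher
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        chains.setdefault(argv[1], []).append(rule)
    return chains


def matches(rule, pkt):
    """True when every matcher present on the rule holds for the packet."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return all(rule[k] == pkt.get(k) for k in ("iface", "proto", "dport") if k in rule)


def evaluate(chains, chain, pkt, policy=None):
    """First-match walk of `chain`: (verdict, deciding rule text or 'policy').
    verdict is None when a user chain ends or RETURNs without deciding."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, rule["text"]
        if target == "RETURN":
            break
        if target in chains:  # user-defined chain: decide there or fall through
            verdict, why = evaluate(chains, target, pkt)
            if verdict is not None:
                return verdict, why
        elif target != "LOG":  # LOG is non-terminating; anything else is unsupported
            raise ValueError(f"unsupported target {target!r}")
    return policy, "policy"


CHAINS = parse_rules(RULES)


def heartbeat_verdict(src, iface, state="NEW"):
    """Verdict for one unicast heartbeat datagram from `src` arriving on `iface`.
    `state` stands in for the conntrack classification this model does not have."""
    pkt = {"iface": iface, "src": src, "proto": "udp", "dport": HEARTBEAT_PORT, "state": state}
    return evaluate(CHAINS, "INPUT", pkt, policy="DROP")  # INPUT policy from the post


if __name__ == "__main__":  # peer per Inter-FWs rules; fw1 per node list; /24 source on eth1
    for src, iface in [("192.168.45.243", "eth0"), ("192.168.45.135", "eth0"), ("192.168.45.243", "eth1")]:
        print(src, iface, *heartbeat_verdict(src, iface))
```

Running it shows the .243 peer accepted by the first Inter-FWs rule, the .135 source falling all the way to RULE_11 and its DROP, and a 192.168.45.0/24 source arriving on eth1 caught by the anti-spoofing chain. Passing state="ESTABLISHED" for the .135 source makes the very first rule accept it regardless of address, which is why a verdict from this model is only as good as the conntrack state you feed it: on a real node, check `/proc/net/ip_conntrack` (RHEL 4 era) for the 694/udp entries before trusting a static reading of the rules.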
