I've run into a rather interesting problem regarding a firewall rule not working on a new Linux-HA cluster.
I have a single node setup (other node to be added later). Two virtual IPs are handled by Linux-HA on eth0: 10.0.1.1 and 10.0.1.2. I have a squid proxy listening on port 3128 on eth0 and I redirect port 8080 to 3128 on eth0. The iptables rules:

    $iptables -t nat -A PREROUTING -d 10.0.1.1 -p tcp --dport 8080 -j REDIRECT --to-port 3128
    $iptables -A INPUT -s 10.0.1.0/24 -d 10.0.1.1 -p tcp --dport 3128 -j ACCEPT
    $iptables -A INPUT -s 10.0.1.0/24 -d 10.0.1.1 -p tcp --dport 8080 -j ACCEPT

The problem is that the redirect used to work, and still does work if I stop Linux-HA and configure the IPs on the eth0 interface manually, but as long as the VIPs are handled by Linux-HA the redirect does not work.

When I initiate a connection to the firewall on port 3128 it works. When I try to initiate a connection to the firewall on port 8080 I get an ICMP type 3 reply (port unreachable). If I DNAT port 8080 to 3128 it works, but a simple redirect does not.

Is this some sort of ARP issue? Any ideas of how to get a simple iptables REDIRECT working?

Thanks
Paul

_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
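Added diagnostic helper, not part of the post: the iptables man page states that REDIRECT rewrites the destination to the primary address of the incoming interface, so when a Linux-HA VIP sits on eth0 as a secondary address the redirected packet is addressed to the primary address, where neither the `-d 10.0.1.1` INPUT rule nor a squid bound to the VIP will match it, while an explicit DNAT to the VIP (which the poster reports works) pins the destination. The node's own address 10.0.1.10/24 and the function names are assumptions for the example.

```shell
#!/bin/sh
# Constructed sample of `ip -4 -o addr show dev eth0` after Linux-HA has
# added the two VIPs. Assumption: the node's own address is 10.0.1.10/24,
# so the VIPs land on eth0 flagged "secondary".
SAMPLE_IP_ADDR='2: eth0    inet 10.0.1.10/24 brd 10.0.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.1.1/24 brd 10.0.1.255 scope global secondary eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.1.2/24 brd 10.0.1.255 scope global secondary eth0\       valid_lft forever preferred_lft forever'

# Print the primary (non-secondary) IPv4 address on the interface: this is
# the address a REDIRECT target rewrites the destination to.
redirect_target() {
  printf '%s\n' "$1" | awk '$3 == "inet" && $0 !~ / secondary / {
      split($4, a, "/"); print a[1]; exit }'
}

# Report whether a REDIRECT for traffic sent to $1 actually lands on $1.
check_redirect() {
  vip=$1
  primary=$(redirect_target "$SAMPLE_IP_ADDR")
  if [ "$primary" = "$vip" ]; then
    echo "ok: $vip is the primary address, REDIRECT lands on it"
  else
    echo "mismatch: REDIRECT sends traffic for $vip to $primary"
  fi
}

# Emit the DNAT form that keeps the VIP as destination (vip, from-port, to-port).
dnat_rule() {
  printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$1" "$2" "$1" "$3"
}

check_redirect 10.0.1.1
dnat_rule 10.0.1.1 8080 3128
```

Run it on the real node by replacing SAMPLE_IP_ADDR with `$(ip -4 -o addr show dev eth0)`.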
