Hi all, I've hit another recent, odd issue. Since adding RRP, I can't start clvmd anymore if the iptables rules are in place. Starting clvmd sits there and eventually times out with rc=5. If I drop iptables, it works perfectly.
From what I understand, clvmd uses dlm and corosync, so it shouldn't need its own ports. Obviously I am wrong though... What ports/protocols are needed for clvmd to work right? It's a RHEL 6.7 box, in case it matters.

Here's my 'iptables-save' (10.20.0.0/16 is the back-channel that corosync used to use exclusively. 10.10.0.0/16 is the storage network that corosync's backup ring uses now. 10.255.0.0/16 is the internet-facing network and is not used by anything cluster related):

====
[root@node1 ~]# iptables-save
# Generated by iptables-save v1.4.7 on Thu Sep 10 22:12:38 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:5318]
-A INPUT -s 192.168.122.0/24 -d 192.168.122.0/24 -p tcp -m state --state NEW -m tcp --dport 5900:6000 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 5900:6000 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m tcp --dport 49152:49216 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m tcp --dport 49152:49216 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m state --state NEW -m tcp --dport 7789 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m state --state NEW -m tcp --dport 7788 -j ACCEPT
-A INPUT -p igmp -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 16851 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m state --state NEW -m tcp --dport 16851 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 21064 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m state --state NEW -m tcp --dport 21064 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p udp -m addrtype --dst-type MULTICAST -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -p udp -m addrtype --dst-type MULTICAST -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A INPUT -s 192.168.122.0/24 -d 192.168.122.0/24 -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 5800 -j ACCEPT
-A INPUT -s 192.168.122.0/24 -d 192.168.122.0/24 -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
-A INPUT -s 192.168.122.0/24 -d 192.168.122.0/24 -p tcp -m state --state NEW -m tcp --dport 5800 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Sep 10 22:12:38 2015
====

Any help is appreciated!

--
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without access to education?

_______________________________________________
Users mailing list: [email protected]
http://clusterlabs.org/mailman/listinfo/users

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org
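An added audit script for the situation in the post (written for this reply, not code from Digimer or the cluster stack): it parses iptables-save rule lines and reports which ports are accepted from the old ring network 10.20.0.0/16 but not from the backup ring network 10.10.0.0/16, and which IP protocols the INPUT chain accepts at all before the final REJECT. The embedded rule lines are a constructed subset of the ruleset above, in the same syntax.

```shell
# Added example, not from the original post: audits an iptables-save INPUT chain
# for RRP, where the backup ring network needs the same cluster rules as the
# primary ring, and anything not matched falls through to the final REJECT.
export LC_ALL=C
RULES_FILE=$(mktemp)
trap 'rm -f "$RULES_FILE" "$RULES_FILE.a" "$RULES_FILE.b"' EXIT
# Constructed subset of the rules from the post (same syntax, fewer lines).
cat > "$RULES_FILE" <<'EOF'
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 5900:6000 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 21064 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m state --state NEW -m tcp --dport 21064 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p udp -m addrtype --dst-type MULTICAST -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -p udp -m addrtype --dst-type MULTICAST -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A INPUT -p igmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
# allowed_ports NET: sorted "proto/port" entries accepted on INPUT from NET.
allowed_ports() {
  awk -v net="$1" '
    $1 == "-A" && $2 == "INPUT" && $3 == "-s" && $4 == net && $NF == "ACCEPT" {
      proto = ""; port = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport" || $i == "--dports") port = $(i + 1)
      }
      if (port != "") print proto "/" port
    }' "$RULES_FILE" | sort -u
}
# missing_on_backup PRIMARY BACKUP: ports open from PRIMARY but not from BACKUP.
missing_on_backup() {
  allowed_ports "$1" > "$RULES_FILE.a"
  allowed_ports "$2" > "$RULES_FILE.b"
  comm -23 "$RULES_FILE.a" "$RULES_FILE.b"
}
# allowed_protocols: every -p value some INPUT ACCEPT rule matches; traffic on
# any other protocol is rejected by the final REJECT rule.
allowed_protocols() {
  awk '$1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
    for (i = 1; i < NF; i++) if ($i == "-p") print $(i + 1)
  }' "$RULES_FILE" | sort -u
}
echo "Open from 10.20.0.0/16 but not from 10.10.0.0/16:"
missing_on_backup 10.20.0.0/16 10.10.0.0/16
echo "Protocols accepted on INPUT: $(allowed_protocols | tr '\n' ' ')"
```

To audit the real ruleset, replace the embedded heredoc with the full output of `iptables-save`; a cluster transport whose protocol is absent from the second report never reaches an ACCEPT rule.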
