04-20-2006 07:47 AM
RHCS & iptables, can they live together
It works great, has four complex services that fail over very, very nicely under all possible scenarios.
Then I introduce iptables and it stops working.
I've got the private heartbeat LAN, a reverse cable between two NICs, wide open on all ports.
I have the 192.168.0.0 lan wide open on all ports in iptables.
The default on input output and forward is to drop.
I've added port 694 to the list of ports to permit.
My cluster sits behind a hardware firewall that is battle tested and does not permit any access on non-configured ports. It's a web cluster so port 80, 443 and a few others are open on the hardware firewall.
I'd like to be able to add users that wish to abuse port 80, not to the hardware firewall which has limited configuration capabilities, but to iptables.
Two lines of defense are always better than one line of defense. Right?
RH 4 update 3 RHCS is fully up to date.
I see my options as:
1) Don't use iptables. I can go prod like this, it doesn't matter but it would be nice to make iptables play with RHCS.
2) Change the default policy to a more permissive policy. Don't know what that would be.
3) Replace the hardware firewall with something smarter and more expensive.
4) Find out exactly what ports besides 694 RHCS needs open between nodes to run and fail over properly.
The cluster has 4 floating ip's and no public ips. The firewall owns them.
I'm probably being overly paranoid, but I'd like to run iptables here.
Please let me know if I can and how.
Everyone should know my point policy is generous to itrc folks.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
04-20-2006 09:15 AM
Re: RHCS & iptables, can they live together
As it's a cross-over cable, with no possible public traffic on it, it should be just fine.
Have you watched a TCP dump output on the specific interface to ensure that the heartbeat traffic is actually going out the correct interface, and not routing out something else for whatever reason?
04-20-2006 09:35 AM
Re: RHCS & iptables, can they live together
Could also be as simple as leaving localhost (duh) off the configuration for my script that generates the code.
That messed a bunch of things up on a non-clustered box today.
Duh.
I'll get back to all.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
04-20-2006 08:25 PM
Re: RHCS & iptables, can they live together
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
This way I always know what was dropped and I can pinpoint cases where something is dropped but it shouldn't be.
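The two ideas in this thread so far, the original poster's setup (heartbeat NIC and 192.168.0.0 LAN wide open, UDP 694 permitted, web ports reachable, everything else a black hole) and the "log, then drop" pattern in the reply above, fit together in one ruleset. The script below is an added example, not code from either poster: it generates that ruleset in iptables-restore format, checks that every chain really does end in LOG followed by DROP, and tallies the resulting kernel log lines so a cluster port you forgot shows up as a count instead of a mystery outage. The interface name eth1, the /24 netmask, the log prefixes, the rate limit and the sample log lines are assumptions, not values from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Builds a filter-table ruleset in
# iptables-restore format that applies the "log, then drop" pattern to the
# cluster setup described in the original question. Chain policies stay
# ACCEPT, but each chain finishes with a rate-limited LOG rule and a DROP
# rule, so no packet can reach the permissive policy unlogged.
# Interface name, netmask, log prefixes and rate limit are assumptions.

HB_IF="${HB_IF:-eth1}"                          # assumed: cross-over heartbeat NIC
LAN_NET="${LAN_NET:-192.168.0.0/24}"            # assumed /24 for the 192.168.0.0 LAN
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 443}"  # web ports named in the thread
LOG_LIMIT="-m limit --limit 5/min --limit-burst 10"  # keeps a port scan from flooding syslog

# Emit the complete ruleset on stdout (pipe into iptables-restore to load it).
gen_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $HB_IF -j ACCEPT
-A INPUT -s $LAN_NET -j ACCEPT
-A INPUT -p udp --dport 694 -j ACCEPT
EOF
    for port in $PUBLIC_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT $LOG_LIMIT -j LOG --log-prefix "IPT-DROP-IN: "
-A INPUT -j DROP
-A FORWARD $LOG_LIMIT -j LOG --log-prefix "IPT-DROP-FWD: "
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $HB_IF -j ACCEPT
-A OUTPUT -d $LAN_NET -j ACCEPT
-A OUTPUT -p udp --dport 694 -j ACCEPT
-A OUTPUT $LOG_LIMIT -j LOG --log-prefix "IPT-DROP-OUT: "
-A OUTPUT -j DROP
COMMIT
EOF
}

# Exit 0 when the last two rules of chain $1 are LOG then DROP, i.e. the
# permissive chain policy can never be reached by an unlogged packet.
chain_ends_log_drop() {
    rules=$(gen_ruleset | grep "^-A $1 ")
    last=$(printf '%s\n' "$rules" | tail -n 1)
    prev=$(printf '%s\n' "$rules" | tail -n 2 | head -n 1)
    case "$last" in *" -j DROP") ;; *) return 1 ;; esac
    case "$prev" in *" -j LOG "*) return 0 ;; *) return 1 ;; esac
}

# Constructed kernel log lines in the shape the LOG target writes (not real
# captures): two refused connections from one host and one blocked outbound UDP.
SAMPLE_LOG='Apr 20 20:25:01 node1 kernel: IPT-DROP-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41234 DPT=11111 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 20 20:25:02 node1 kernel: IPT-DROP-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41235 DPT=11111 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 20 20:25:09 node1 kernel: IPT-DROP-OUT: IN= OUT=eth0 SRC=192.168.0.10 DST=10.0.0.7 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56'

# Read log lines on stdin and print "count direction proto src dport",
# busiest first, so a cluster port missing from the ruleset stands out.
summarize_drops() {
    awk '
    /IPT-DROP-/ {
        dir = ""; src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IPT-DROP-/) { dir = $i; sub(/:$/, "", dir); continue }
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        count[dir " " proto " " src " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Stand-alone use: "ruleset" prints the rules, "summary" tallies the sample log.
case "${1:-}" in
    ruleset) gen_ruleset ;;
    summary) printf '%s\n' "$SAMPLE_LOG" | summarize_drops ;;
esac
```

On a lab node, `sh rules.sh ruleset | iptables-restore` loads the table atomically, which avoids the window the original poster's rule-by-rule script opens while it builds. Anything the cluster needs that the rules do not yet allow (outbound DNS or NTP, an RHCS port besides 694) appears in `grep IPT-DROP /var/log/messages | summarize_drops` before it becomes a failover problem, and the rate limit keeps a scan from drowning those entries.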
04-20-2006 10:51 PM
Re: RHCS & iptables, can they live together
I was wrong about localhost. It was not the cause of the problem.
I'm going to take this back in my lab, since experimenting on a couple of servers that go prod in 30 hours is not a good idea.
Going to have to do testing that is more realistic, since merely turning on iptables breaks the cluster.
As far as logging and not dropping, interesting idea, but I prefer no interaction with people using ports I have closed. I close ports for a reason. The default policy is to be a black hole. That should not interfere with normal operations.
Good contributions, minimum 7 points both.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
04-20-2006 10:57 PM
Re: RHCS & iptables, can they live together
PS: do not forget that you can use -t mangle to add specific rules (either LOG or DROP/REJECT) without cluttering the main filter table and without a need to flush the main table during tests. That is, if you have no other specific need for the mangle table in your firewall.
04-24-2006 02:10 AM
Re: RHCS & iptables, can they live together
- Use a switch to interconnect the cluster members. That way they won't see a network disconnect when another cluster member goes down.
- Use a firewall builder like shorewall. You can easily set the policy on the interface for the cluster connection to accept and restrict other interfaces as needed.
04-24-2006 04:57 AM
Re: RHCS & iptables, can they live together
I found another port the cluster was using and think I can get it to work in the lab. Hopefully at some point, the cluster services won't come down when I run the iptables commands.
It might also be the way the script builds the table, which is designed to keep people from poking in while the new configuration is building.
I'll get it and thanks for the great suggestions.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com