Hello, I'm trying to create some rules that allow my VMs to do their service and allow heartbeat to talk to each other. I tried some rules, but never got anything working. Heartbeat and DRBD use eth1, which is connected directly to the other machine, so I can allow all traffic on eth1. I got most of the rules from iptables-save. eth0.901 is a VLAN which is used for monitoring. eth0 has an external IP address, so it should only allow ssh, but I need the VMs to access the external space; all the VMs also have external IPs and are in the VLAN.

*nat
:PREROUTING ACCEPT [207281:15610055]
:POSTROUTING ACCEPT [559:40285]
:OUTPUT ACCEPT [560:40325]
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -s 192.168.48.0/255.255.252.0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -o eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -o eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A RH-Firewall-1-INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0.901 -m tcp -p tcp --dport 5666 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0.901 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0.901 -m udp -p udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -m udp -p udp --dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -d 192.168.122.0/255.255.255.0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.122.0/255.255.255.0 -i virbr0 -j ACCEPT
-A RH-Firewall-1-INPUT -d 192.168.48.0/255.255.252.0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.48.0/255.255.252.0 -i virbr0 -j ACCEPT
-A RH-Firewall-1-INPUT -i virbr0 -o virbr0 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -m physdev --physdev-in vif1.0 -j ACCEPT
-A RH-Firewall-1-INPUT -m physdev --physdev-in vif3.0 -j ACCEPT
-A RH-Firewall-1-INPUT -m physdev --physdev-in vif4.0 -j ACCEPT
COMMIT

I tried the above rules; after that heartbeat on the other machine went a bit crazy and is, after stopping iptables, still filling my log with

heartbeat[13861]: 2008/08/18_13:21:31 debug: Auto failback delayed

Can someone point me to some better rules?

cheers
Rupert
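Before rewriting a ruleset like the one above, it helps to check it statically for rules that can never match and for services allowed on the wrong interface. The script below is an added example written for this post, not code from the list or its author. It parses the iptables-save filter table into chains, then reports exact duplicates, rules that sit after an unconditional terminating target (so the kernel never evaluates them), rules using `-o` in a chain that the INPUT hook reaches (a packet delivered to the host has no output interface on that path, so such a rule only ever matches in the FORWARD path), and the interfaces on which a given port is accepted. The DUMP constant is a constructed, shortened excerpt of the posted rules; the helper names are my own.

```python
"""Static checks for an iptables-save filter table (added example)."""
import shlex
from dataclasses import dataclass, field

# Constructed excerpt of the posted ruleset, shortened to the rules the checks care about.
DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -o eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -o eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0.901 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -m udp -p udp --dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -i virbr0 -o virbr0 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m physdev --physdev-in vif1.0 -j ACCEPT
COMMIT
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
TARGET_OPTS = {"-j", "--reject-with"}  # belong to the target, not to the match


@dataclass
class Rule:
    chain: str
    text: str
    opts: dict = field(default_factory=dict)  # flag -> list of values

    def match_flags(self):
        return {k for k in self.opts if k not in TARGET_OPTS}

    @property
    def target(self):
        return self.opts.get("-j", [None])[0]


def parse_rule(line):
    """Turn '-A CHAIN <flags...>' into a Rule; values follow their flag."""
    toks = shlex.split(line)
    opts, key = {}, None
    for tok in toks[2:]:
        if tok.startswith("-"):
            key = tok
            opts.setdefault(key, [])
        elif key:
            opts[key].append(tok)
    return Rule(toks[1], line, opts)


def parse_filter_table(dump):
    """Return {chain name: [Rule, ...]} for the *filter table only."""
    chains, in_filter = {}, False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chains[line.split()[0][1:]] = []
        elif in_filter and line.startswith("-A "):
            r = parse_rule(line)
            chains.setdefault(r.chain, []).append(r)
    return chains


def find_duplicates(chains):
    """(chain, index) of rules identical to an earlier rule in the same chain."""
    dups, seen = [], set()
    for chain, rules in chains.items():
        for i, r in enumerate(rules):
            key = (chain, tuple(sorted((k, tuple(v)) for k, v in r.opts.items())))
            if key in seen:
                dups.append((chain, i))
            seen.add(key)
    return dups


def find_unreachable(chains):
    """Rules placed after an unconditional ACCEPT/DROP/REJECT in their chain."""
    dead = []
    for chain, rules in chains.items():
        for i, r in enumerate(rules):
            if r.target in TERMINATING and not r.match_flags():
                dead.extend((chain, j) for j in range(i + 1, len(rules)))
                break
    return dead


def chains_reached_from(chains, start):
    """Chains reachable from `start` by following -j jumps to user chains."""
    seen, todo = set(), [start]
    while todo:
        c = todo.pop()
        if c in seen or c not in chains:
            continue
        seen.add(c)
        todo.extend(r.target for r in chains[c] if r.target in chains)
    return seen


def out_iface_in_input_path(chains):
    """Rules with -o in a chain the INPUT hook reaches: they cannot match there."""
    return sorted((c, i) for c in chains_reached_from(chains, "INPUT")
                  for i, r in enumerate(chains[c]) if "-o" in r.opts)


def interfaces_allowing(chains, proto, dport):
    """Input interfaces ('*' = any) on which proto/dport is ACCEPTed."""
    found = set()
    for rules in chains.values():
        for r in rules:
            if (r.target == "ACCEPT" and r.opts.get("-p") == [proto]
                    and r.opts.get("--dport") == [dport]):
                found.add(r.opts.get("-i", ["*"])[0])
    return found


def report(dump=DUMP):
    chains = parse_filter_table(dump)
    return {
        "duplicates": find_duplicates(chains),
        "unreachable": find_unreachable(chains),
        "out_iface_in_input_path": out_iface_in_input_path(chains),
        "udp_694_allowed_on": sorted(interfaces_allowing(chains, "udp", "694")),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

On the excerpt, the report flags the repeated `-i eth1 -o eth1` rule, the physdev ACCEPT that follows the unconditional REJECT, the three `-o` rules that are inert for traffic addressed to the host, and shows UDP 694 accepted only on eth0 even though the post says heartbeat runs over eth1. Those are exactly the kinds of findings to resolve before trusting a ruleset on a cluster node.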