[DRBD-user] creating iptables rules for a fallback cluster(ha, drbd, xen, lvm)

Heiko rupertt at gmail.com
Mon Aug 18 15:23:07 CEST 2008



Hello,
I'm trying to create some rules that allow my VMs to do their service
and allow heartbeat to talk to each other.
I tried some rules, but never got anything working.
Heartbeat and DRBD use eth1, which is connected directly to the other
machine, so I can allow all traffic on eth1.
I got most of the rules from iptables-save.
eth0.901 is a VLAN which is used for monitoring.
eth0 has an external IP address, so it should only allow ssh, but I
need the VMs to access the external space; all the VMs also have
external IPs and are in the VLAN.


*nat
:PREROUTING ACCEPT [207281:15610055]
:POSTROUTING ACCEPT [559:40285]
:OUTPUT ACCEPT [560:40325]
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -s 192.168.48.0/255.255.252.0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -o eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -o eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A RH-Firewall-1-INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0.901 -m tcp -p tcp --dport 5666 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0.901 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0.901 -m udp -p udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -m udp -p udp --dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -d 192.168.122.0/255.255.255.0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.122.0/255.255.255.0 -i virbr0 -j ACCEPT
-A RH-Firewall-1-INPUT -d 192.168.48.0/255.255.252.0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.48.0/255.255.252.0 -i virbr0 -j ACCEPT
-A RH-Firewall-1-INPUT -i virbr0 -o virbr0 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -m physdev --physdev-in vif1.0 -j ACCEPT
-A RH-Firewall-1-INPUT -m physdev --physdev-in vif3.0 -j ACCEPT
-A RH-Firewall-1-INPUT -m physdev --physdev-in vif4.0 -j ACCEPT
COMMIT



I tried the above rules; after that, heartbeat on the other machine went
a bit crazy and is, even after stopping iptables, still
filling my log with "heartbeat[13861]: 2008/08/18_13:21:31 debug: Auto
failback delayed".

Can someone point me to some better rules?

cheers

Rupert
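The following is an added example, not part of the list post or a reply to it. It generates an iptables-restore ruleset for the topology described above (eth1 as the direct heartbeat/DRBD link, ssh only on eth0, monitoring on the eth0.901 VLAN, VMs bridged through vif interfaces and virbr0) and keeps the host-input rules and the forwarding rules in two separate user chains. The reason for the split is an iptables rule, not something the post states: a match on the outgoing interface (`-o`) is only valid for packets that leave the machine, so a chain jumped to from INPUT may not contain `-o` rules, and iptables-restore refuses such a ruleset. The example also includes a small lint function that checks any ruleset fed to it for exactly that mistake. Interface names, networks and ports come from the post; that heartbeat's UDP port 694 travels over eth1, that the VMs run their own packet filter, and the chain names HOST-IN and VM-FWD are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the list post): build an iptables-restore ruleset
# for the dom0 and lint it. Assumed: heartbeat (udp/694) and DRBD use eth1,
# VMs filter their own traffic, chain names HOST-IN / VM-FWD are our choice.

VIFS="vif1.0 vif3.0 vif4.0"   # Xen guest interfaces named in the post

gen_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.48.0/22 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:HOST-IN - [0:0]
:VM-FWD - [0:0]
-A INPUT -j HOST-IN
-A FORWARD -j VM-FWD
# HOST-IN: packets addressed to dom0 itself. Only -i is meaningful here;
# a rule with -o in a chain reached from INPUT is rejected at load time.
-A HOST-IN -i lo -j ACCEPT
-A HOST-IN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A HOST-IN -p icmp --icmp-type any -j ACCEPT
# eth1 is the direct link to the peer: heartbeat (udp/694) and DRBD live here.
-A HOST-IN -i eth1 -j ACCEPT
-A HOST-IN -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A HOST-IN -i eth0.901 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A HOST-IN -i eth0.901 -p tcp -m tcp --dport 5666 -m state --state NEW -j ACCEPT
-A HOST-IN -i eth0.901 -p udp -m udp --dport 161 -j ACCEPT
-A HOST-IN -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A HOST-IN -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A HOST-IN -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A HOST-IN -j REJECT --reject-with icmp-host-prohibited
# VM-FWD: packets bridged or routed through dom0 on behalf of the guests.
-A VM-FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A VM-FWD -i virbr0 -o virbr0 -j ACCEPT
-A VM-FWD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A VM-FWD -s 192.168.48.0/22 -i virbr0 -j ACCEPT
EOF
    # Bridged guest traffic in both directions; the guests do their own filtering.
    for vif in $VIFS; do
        printf '%s\n' "-A VM-FWD -m physdev --physdev-in $vif -j ACCEPT"
        printf '%s\n' "-A VM-FWD -m physdev --physdev-out $vif -j ACCEPT"
    done
    cat <<'EOF'
# The catch-all REJECT must stay last: rules appended after it never match.
-A VM-FWD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# lint_rules: read an iptables-save style ruleset on stdin and fail if any
# chain reachable from INPUT (INPUT itself or a chain it jumps to) contains
# an outgoing-interface match. Returns 0 when clean, 1 when a violation is found.
lint_rules() {
    rules=$(cat)
    chains=$(printf '%s\n' "$rules" | awk '$1=="-A" && $2=="INPUT" && $3=="-j" {print $4}')
    for chain in INPUT $chains; do
        if printf '%s\n' "$rules" | grep -qE -- "^-A $chain( .*)? -o "; then
            echo "lint: chain $chain is reached from INPUT but uses -o" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone use: print the ruleset after it passes the lint.
if [ "${1:-}" = "print" ]; then
    gen_rules | lint_rules && gen_rules
fi
```

Run with `sh thisfile.sh print > rules.txt` and load the result with `iptables-restore < rules.txt`. The lint catches the one structural error the host chain cannot tolerate; it does not check rule order, so a REJECT placed before an ACCEPT still has to be spotted by reading the chain top to bottom.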


