Re: [lvs-users] TCP Connection Sync Problems RHEL

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] TCP Connection Sync Problems RHEL
From: Brandon Perkins <bperkins@xxxxxxxxxx>
Date: Tue, 29 Jul 2014 11:29:04 -0400
On Tue, Jul 29, 2014 at 08:55:16AM -0600, Lloyd Brown wrote:
> Date: Tue, 29 Jul 2014 08:55:16 -0600
> From: Lloyd Brown <lloyd_brown@xxxxxxx>
> To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [lvs-users] TCP Connection Sync Problems RHEL
> List-Id: "LinuxVirtualServer.org users mailing list."
>  <lvs-users.linuxvirtualserver.org>
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101
>  Thunderbird/31.0
> Content-Transfer-Encoding: 7bit
> 
> Okay.  I'm not sure this is the best approach, but adding a simple
> iptables rule for each of the VIPs, to accept any traffic, seems to fix
> the issue of it being stuck in ESTABLISHED.
> 
> Thanks again for pointing me in the right direction.  One of these days
> I'll have to remember that tcpdump sees packets before iptables, while
> everything else happens after iptables rules are applied.
> 
> For anyone else looking at this thread in the archives, here's the total
> list of modifications in the /etc/sysconfig/iptables, from the stock
> RHEL 6.5 setup, that seem to get it working; be sure to substitute in
> the correct values for DIR1IP, DIR2IP, VIP1, and VIP2:
> 
> > #VRRP multicast for keepalived
> > -A INPUT -d 224.0.0.18/32 -s DIR1IP/32 -j ACCEPT
> > -A INPUT -d 224.0.0.18/32 -s DIR2IP/32 -j ACCEPT
> > #IPVS connection syncing for keepalived
> > -A INPUT -d 224.0.0.81/32 -s DIR1IP/32 -j ACCEPT
> > -A INPUT -d 224.0.0.81/32 -s DIR2IP/32 -j ACCEPT
> > #All connections for virtual IPs (VIP1 and VIP2)
> > -A INPUT -d VIP1/32 -j ACCEPT
> > -A INPUT -d VIP2/32 -j ACCEPT
> 
> 
> 
> Lloyd Brown
> Systems Administrator
> Fulton Supercomputing Lab
> Brigham Young University
> http://marylou.byu.edu
> 
> On 07/29/2014 08:40 AM, Lloyd Brown wrote:
> > Frank,
> > 
> > Okay.  So disabling SELinux didn't seem to have any effect.  But adding
> > iptables rules like these (from /etc/sysconfig/iptables), seemed to get
> > the connection information syncing between directors:
> > 
> >> #IPVS connection syncing for keepalived
> >> -A INPUT -d 224.0.0.81/32 -s 192.168.25.9/32 -j ACCEPT
> >> -A INPUT -d 224.0.0.81/32 -s 192.168.25.10/32 -j ACCEPT
> > 
> > In this state the connections are still getting stuck in the ESTABLISHED
> > state, instead of transitioning to FIN_WAIT.  But when I flush the
> > iptables entirely ("iptables -F" or "service iptables stop"), they seem
> > to transition correctly.
> > 
> > In general, I don't like the idea of leaving the iptables completely
> > empty, so I guess I'll have to figure out what specific traffic is
> > getting blocked, that is causing the connections to get stuck in
> > ESTABLISHED.  If anyone has any pointers on that one, I'd be glad to
> > hear it.
> > 
> > Thanks again for the help,
> > 
> > Lloyd Brown
> > Systems Administrator
> > Fulton Supercomputing Lab
> > Brigham Young University
> > http://marylou.byu.edu
> > 
> > On 07/29/2014 08:22 AM, Lloyd Brown wrote:
> >> Frank,
> >>
> >> I hadn't thought about SELinux, but I'll check on that.  I'm assuming
> >> that the firewall isn't a problem, since I captured the packets on the
> >> backup director.  But I'll test both of those, and report back.
> >>
> >> All the communication between servers (both keepalived's VRRP, and the
> >> IPVS connection sync) is going over Ethernet.  Since this is a test
> >> environment, both directors (and the realserver) are actually VMWare
> >> Virtual Machines.
> >>
> >>
> >>
> >> Lloyd Brown
> >> Systems Administrator
> >> Fulton Supercomputing Lab
> >> Brigham Young University
> >> http://marylou.byu.edu
> >>
> >> On 07/28/2014 11:26 PM, Frank Kirschner wrote:
> >>> Hi Lloyd,
> >>>
> >>> have you disabled SELinux for the RHEL hosts? By the way: also set the
> >>> firewall to accept all (later, if all is working, you should set up a
> >>> firewall
> >>> of course)
> >>>
> >>> In which way do you communicate keepalived between the two directors? Over
> >>> Ethernet or serial cable?
> >>>
> >>> best regards
> >>> Frank
> >>>
> >>> mfg
> >>> Frank Kirschner

You shouldn't need anything beyond:

-A INPUT -p vrrp -j ACCEPT

to get keepalived communication working. To allow VRRP traffic for the
Keepalived service to function:

# /sbin/iptables -I INPUT -p vrrp -j ACCEPT
# /sbin/service iptables save

one could also tighten down the source and destination as well.  Also,
since this is RHEL, please feel free to reach out to your Red Hat
support representatives in case there is something else that needs
investigating in your particular environment.

-- 
Thanks,
Brandon
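The tightening Brandon suggests, worked through as an added example that is not code from the thread: the loose rules Lloyd posted beside a form that names the protocol and port on every rule, plus a small audit that flags "accept anything to this VIP" rules in a ruleset. The director, VIP and port values are placeholders; TCP port 80 is assumed as the balanced service, and UDP 8848 is the IPVS sync daemon's default port (not stated in the thread).

```sh
# Added example, not from the thread: emits the loose and the tightened forms
# of a director's INPUT rules so they can be compared and audited offline.
# Assumptions: peer director IP, VIP and service port are placeholder
# arguments; 224.0.0.18 (VRRP) and 224.0.0.81 (IPVS sync) are the groups
# named in the thread; UDP 8848 is the IPVS sync daemon's default port.

# Loose form, as posted in the thread: any traffic to the VIP is accepted.
#   $1 = peer director IP, $2 = VIP
loose_rules() {
    cat <<EOF
-A INPUT -d 224.0.0.18/32 -s $1/32 -j ACCEPT
-A INPUT -d 224.0.0.81/32 -s $1/32 -j ACCEPT
-A INPUT -d $2/32 -j ACCEPT
EOF
}

# Tightened form: every rule names its protocol (and port where there is one),
# so the VIP accepts only the balanced service and the multicast groups accept
# only the peer director's keepalived traffic.
#   $1 = peer director IP, $2 = VIP, $3 = TCP service port on the VIP
tight_rules() {
    peer=$1; vip=$2; port=$3
    cat <<EOF
# VRRP advertisements (IP protocol 112) from the peer director only
-A INPUT -p vrrp -s $peer/32 -d 224.0.0.18/32 -j ACCEPT
# IPVS connection sync (UDP 8848) from the peer director only
-A INPUT -p udp -s $peer/32 -d 224.0.0.81/32 --dport 8848 -j ACCEPT
# Only the balanced service may reach the VIP
-A INPUT -p tcp -d $vip/32 --dport $port -j ACCEPT
EOF
}

# Audit: count ACCEPT rules aimed at a unicast destination that carry no
# protocol match at all, i.e. the "accept anything to this VIP" pattern.
# Reads rules on stdin and prints the count.
broad_accepts() {
    grep -- '-j ACCEPT' | grep -v -- '-d 224\.' | grep -v -c -- ' -p ' || true
}

# Usage with constructed addresses from the RFC 5737 documentation ranges:
loose_rules 192.0.2.2 203.0.113.10 | broad_accepts      # prints 1
tight_rules 192.0.2.2 203.0.113.10 80 | broad_accepts   # prints 0
```

Piping the rule lines of an existing /etc/sysconfig/iptables through broad_accepts gives a quick count of VIP rules that still accept every protocol.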


_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users