Thank you guys for those answers but...
I tried both
iptables -A INPUT -p tcp --dport 112 -j ACCEPT
iptables -A INPUT -p udp --dport 112 -j ACCEPT
iptables -A INPUT -s 224.0.0.0/8 -j ACCEPT
It's PROTOCOL 112 (vrrp), not PORT 112. You also need protocol igmp
(don't ask why).
You have to allow both incoming and outgoing adverts :
-A INPUT -j ACCEPT -i eth0 -p vrrp -s X.Y.Z.0/24 -d 224.0.0.0/8
-A INPUT -j ACCEPT -i eth0 -p igmp -s X.Y.Z.0/24 -d 224.0.0.0/8
-A OUTPUT -j ACCEPT -o eth0 -p vrrp -s X.Y.Z.0/24 -d 224.0.0.0/8
-A OUTPUT -j ACCEPT -o eth0 -p igmp -s X.Y.Z.0/24 -d 224.0.0.0/8
To be more precise, a tcpdump shows the multicast address is 224.0.0.18,
if you want to be more restrictive.
Don't forget to allow the traffic needed by keepalived to test your real
servers. In my case, it looks like this:
-A INPUT -j ACCEPT -i eth0 -p tcp --dport http -m state --state NEW
-A OUTPUT -j ACCEPT -o eth0 -p tcp --dport http -m state --state NEW -d 10.11.0.0/16
Regards,
--
Sébastien BONNET -- Systems Engineer
Tel: 04.42.25.15.40 GSM: 06.64.44.58.98
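The rule set described in the reply above, written out as an added example (it is not part of the original mail and not keepalived's own code). It assumes the interface is eth0, uses 192.0.2.0/24 as a constructed stand-in for the mail's X.Y.Z.0/24, and takes the real-server range 10.11.0.0/16 and the HTTP health check from the mail. VRRP is matched as IP protocol 112 (the same thing `-p vrrp` resolves to through /etc/protocols), IGMP is allowed to 224.0.0.0/8 as in the mail, and the script only prints the iptables commands unless APPLY=1 is set:

```shell
#!/bin/sh
# Added example, not from the original mail: generate (and optionally apply)
# the iptables rules keepalived needs for VRRP adverts and its health checks.
# Assumptions: interface eth0; peers on 192.0.2.0/24 (constructed stand-in for
# the mail's X.Y.Z.0/24); real servers in 10.11.0.0/16, checked on port 80.
# Dry run by default: commands are printed. APPLY=1 executes them (needs root).

IFACE="${IFACE:-eth0}"
LAN="${LAN:-192.0.2.0/24}"          # constructed placeholder, replace with your /24
REALSERVERS="${REALSERVERS:-10.11.0.0/16}"
CHECK_PORT="${CHECK_PORT:-80}"

VRRP_PROTO=112            # IP protocol number; "-p vrrp" is the same value via /etc/protocols
VRRP_MCAST=224.0.0.18/32  # the group VRRP adverts are sent to (what tcpdump shows)
IGMP_MCAST=224.0.0.0/8    # IGMP queries/reports use several 224.0.0.x groups, not only .18

# Print one iptables command, or run it when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# VRRP is an IP protocol, not a TCP/UDP port, so there is no --dport here.
# Both directions are needed: the MASTER sends adverts, BACKUPs receive them,
# and the roles swap on failover.
vrrp_rules() {
    rule -A INPUT  -i "$IFACE" -p "$VRRP_PROTO" -s "$LAN" -d "$VRRP_MCAST" -j ACCEPT
    rule -A OUTPUT -o "$IFACE" -p "$VRRP_PROTO" -s "$LAN" -d "$VRRP_MCAST" -j ACCEPT
    rule -A INPUT  -i "$IFACE" -p igmp -s "$LAN" -d "$IGMP_MCAST" -j ACCEPT
    rule -A OUTPUT -o "$IFACE" -p igmp -s "$LAN" -d "$IGMP_MCAST" -j ACCEPT
}

# Health checks: keepalived opens TCP connections from this host to the real
# servers, and clients connect to the VIP. The replies need ESTABLISHED rules.
healthcheck_rules() {
    rule -A OUTPUT -o "$IFACE" -p tcp --dport "$CHECK_PORT" -d "$REALSERVERS" -m state --state NEW -j ACCEPT
    rule -A INPUT  -i "$IFACE" -p tcp --dport "$CHECK_PORT" -m state --state NEW -j ACCEPT
    rule -A INPUT  -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

all_rules() {
    vrrp_rules
    healthcheck_rules
}

# Sanity check of the generated set: succeeds only if the mistake from the
# question (treating 112 as a port) is absent and VRRP is allowed both ways.
check_rules() {
    out="$(all_rules)"
    if printf '%s\n' "$out" | grep -q -- '--dport 112'; then
        return 1
    fi
    [ "$(printf '%s\n' "$out" | grep -c -- "-p $VRRP_PROTO ")" -eq 2 ]
}

all_rules
check_rules && echo "# ok: VRRP allowed as IP protocol $VRRP_PROTO in both directions"
```

Run it once without APPLY to review the commands, then with `APPLY=1` as root. To confirm the adverts actually arrive, `tcpdump -ni eth0 ip proto 112` on the BACKUP should show one packet per advert interval from the MASTER; if a rule blocks them, the BACKUP will promote itself and you get two MASTERs. On current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`; both accept the same NEW/ESTABLISHED,RELATED keywords.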