[lvs-users] keepalived: LVS-DR split brain w/firewalls up

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [lvs-users] keepalived: LVS-DR split brain w/firewalls up
From: Gerry Reno <greno@xxxxxxxxxxx>
Date: Sat, 28 Jul 2007 22:53:04 -0400
Ok, I've got my test setup working nicely with no firewalls in place and 
so I decided to bring up the firewalls on all of the machines like we 
would have in production.  Even though I thought I had the right ports 
open it is giving me problems.  Whenever I start keepalived now it 
immediately goes into split brain with both directors going into MASTER 
state.  So I look in the HOWTO and I see discussion about problems for 
directors and firewalls.  It mentions nfct patch for bidirectional LVS 
but LVS-DR in my case is unidirectional.  Is this still the current 
state of affairs?  Are there no rules that I can use to allow the 
firewall to work with uni-LVS-DR?

Here is my firewall on the DIRECTORS:

[root@grp-01-00-50 keepalived]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  0    --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     0    --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
num  target     prot opt source               destination
1    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:1010:1023
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:904
14   REJECT     0    --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited


And here is my firewall on the REAL SERVERS:

[root@grp-01-30-50 opt]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  0    --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     0    --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
num  target     prot opt source               destination
1    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:514
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6996
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:904
15   REJECT     0    --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited


Thanks,
Gerry
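A check for the condition this post describes, added here as an example; it is not part of Gerry's post, of keepalived, or of the LVS HOWTO. Keepalived elects its MASTER with VRRP, which is IP protocol 112 sent to the multicast group 224.0.0.18. Neither director chain above accepts protocol 112 anywhere before its final "REJECT all", so each director's advertisements are rejected by the other, and a director that hears no peer promotes itself; that is the two-MASTER split brain. The script below reads a listing in the `service iptables status` / `iptables -L -n --line-numbers` layout, reports whether VRRP reaches an ACCEPT before the catch-all REJECT, and prints the rule that would let the directors hear each other. The sample listings are constructed from the director chain in the post; the peer address 192.0.2.2, the interface eth0, and the rule position are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: does an iptables filter chain
# accept VRRP (IP protocol 112, multicast 224.0.0.18) before its catch-all
# REJECT? If not, keepalived directors cannot see each other's advertisements.

# Director chain constructed from the post (rows that matter for the check).
POSTED_CHAIN='Chain RH-Firewall-1-INPUT (1 references)
num  target     prot opt source               destination
1    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
8    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
14   REJECT     0    --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# The same chain with a VRRP accept inserted ahead of the REJECT (constructed;
# iptables prints "vrrp" for protocol 112 when /etc/protocols names it, else "112").
FIXED_CHAIN='Chain RH-Firewall-1-INPUT (1 references)
num  target     prot opt source               destination
1    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     vrrp --  0.0.0.0/0            224.0.0.18
8    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
14   REJECT     0    --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# usage: vrrp_allowed CHAIN < listing
# exit 0 when an ACCEPT for protocol 112/vrrp precedes the chain's catch-all
# REJECT/DROP, exit 1 otherwise.
vrrp_allowed() {
    awk -v chain="$1" '
        $1 == "Chain" { inchain = ($2 == chain); next }
        !inchain || NF == 0 || $1 == "num" { next }
        $2 == "ACCEPT" && ($3 == "112" || $3 == "vrrp") { found = 1; exit }
        # An ACCEPT of all protocols with an empty match column is normally
        # the Red Hat "-i lo" rule; -L without -v hides the interface, so it
        # is not counted as accepting VRRP. Confirm with iptables -L -n -v.
        $2 == "ACCEPT" && ($3 == "0" || $3 == "all") && NF == 6 {
            printf "rule %s accepts all protocols with no visible match; confirm with iptables -L -n -v\n", $1 > "/dev/stderr"
            next
        }
        # Catch-all REJECT/DROP: any protocol, any source, any destination.
        ($2 == "REJECT" || $2 == "DROP") && ($3 == "0" || $3 == "all") &&
            $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" && (NF == 6 || $7 == "reject-with") { exit }
        END { exit(found ? 0 : 1) }
    '
}

# usage: vrrp_rules PEER_ADDR IFACE
# Prints (does not run) the rule for one director: accept VRRP only from the
# other director, only on the heartbeat interface, only to the VRRP group.
vrrp_rules() {
    peer=$1
    iface=$2
    cat <<EOF
# run on each director, with the other director's address as the peer
iptables -I RH-Firewall-1-INPUT 1 -i $iface -p 112 -s $peer -d 224.0.0.18 -j ACCEPT
service iptables save
EOF
}

for name in POSTED_CHAIN FIXED_CHAIN; do
    eval "listing=\$$name"
    if printf '%s\n' "$listing" | vrrp_allowed RH-Firewall-1-INPUT; then
        echo "$name: VRRP accepted, the directors can hear each other"
    else
        echo "$name: VRRP hits the catch-all REJECT, expect both directors to go MASTER"
    fi
done

echo "Rule to add on each director (placeholders: peer 192.0.2.2, interface eth0):"
vrrp_rules 192.0.2.2 eth0
```

The real-server chain needs no VRRP rule: only the directors exchange advertisements. What the real servers must accept is the client traffic that arrives on the VIP under LVS-DR, and rules 10 and 11 above already accept ports 443 and 80 from any address to any destination, so the VIP is covered. Restricting the VRRP accept to the peer's address and the heartbeat interface keeps a host elsewhere on the LAN from injecting advertisements that could take the VIP away from the real MASTER.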




