On Sun, 2007-07-29 at 13:51 -0400, Gerry Reno wrote:
> iptables: MASTER and BACKUP DIRECTORS:
> Table: filter
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
> 1 RH-Firewall-1-INPUT 0 -- 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
> 1 REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
> 1 ACCEPT 0 -- 224.0.0.0/8 0.0.0.0/0
> 2 ACCEPT 0 -- 0.0.0.0/0 224.0.0.0/8
>
> Chain RH-Firewall-1-INPUT (1 references)
> num target prot opt source destination
> 1 ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
> 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
> 3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
> 4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
> 5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
> 6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
> 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
> 8 ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
> 10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
> 11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
> 12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:1010:1023
> 13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:904
> 14 REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> 15 ACCEPT 0 -- 224.0.0.0/8 0.0.0.0/0
> 16 ACCEPT 0 -- 0.0.0.0/0 224.0.0.0/8
>
>
> Again, when director firewalls are down everything works great; when
> they are up we get split brain.
You need rules 15 & 16 *before* rule 14. The REJECT should be the last
one in the set.
Graeme
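An added check (not from this thread) that flags the ordering mistake Graeme points out: any rule placed after a catch-all REJECT/DROP in the same chain can never be evaluated. It assumes the listing format of `iptables -L -n --line-numbers` shown above; the embedded sample is a constructed excerpt of the RH-Firewall-1-INPUT chain.

```python
"""Report iptables rules that sit behind a catch-all REJECT/DROP in their chain."""
import re
# Constructed sample: an excerpt of the RH-Firewall-1-INPUT chain from the post,
# in the column layout of `iptables -L -n --line-numbers`.
SAMPLE = """\
Chain RH-Firewall-1-INPUT (1 references)
num target prot opt source destination
8 ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
14 REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
15 ACCEPT 0 -- 224.0.0.0/8 0.0.0.0/0
16 ACCEPT 0 -- 0.0.0.0/0 224.0.0.0/8
"""
TERMINAL = {"REJECT", "DROP"}
ANY = "0.0.0.0/0"

def parse_chains(listing):
    """Return {chain: [(num, target, proto, src, dst, extra), ...]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        parts = line.split()
        if current is None or len(parts) < 6 or not parts[0].isdigit():
            continue  # column header or blank line
        num, target, proto, _opt, src, dst = parts[:6]
        current.append((int(num), target, proto, src, dst, " ".join(parts[6:])))
    return chains

def is_catch_all_terminal(rule):
    """True for REJECT/DROP with no protocol, address or match restriction."""
    _num, target, proto, src, dst, extra = rule
    # "reject-with ..." is a target option, not a match, so it does not narrow the rule
    no_match = extra == "" or extra.startswith("reject-with")
    return (target in TERMINAL and proto in ("0", "all")
            and src == ANY and dst == ANY and no_match)

def shadowed_rules(chains):
    """Map chain name -> numbers of rules that follow a catch-all terminal rule."""
    shadowed = {}
    for name, rules in chains.items():
        blocked = False
        for rule in rules:
            if blocked:
                shadowed.setdefault(name, []).append(rule[0])
            elif is_catch_all_terminal(rule):
                blocked = True  # nothing after this rule is reachable
    return shadowed
```

Running `shadowed_rules(parse_chains(SAMPLE))` on the sample reports rules 15 and 16 as unreachable, the multicast ACCEPTs the directors need before the REJECT.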