
Re: [lvs-users] keepalived: LVS-DR split brain w/firewalls up

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] keepalived: LVS-DR split brain w/firewalls up
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Sun, 29 Jul 2007 19:56:30 +0100
On Sun, 2007-07-29 at 13:51 -0400, Gerry Reno wrote:
> iptables: MASTER and BACKUP DIRECTORS:
> Table: filter
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
> 1 RH-Firewall-1-INPUT 0 -- 0.0.0.0/0 0.0.0.0/0
> 
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
> 1 REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> 
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
> 1 ACCEPT 0 -- 224.0.0.0/8 0.0.0.0/0
> 2 ACCEPT 0 -- 0.0.0.0/0 224.0.0.0/8
> 
> Chain RH-Firewall-1-INPUT (1 references)
> num target prot opt source destination
> 1 ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
> 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
> 3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
> 4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
> 5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
> 6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
> 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
> 8 ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
> 10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
> 11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
> 12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:1010:1023
> 13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:904
> 14 REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> 15 ACCEPT 0 -- 224.0.0.0/8 0.0.0.0/0
> 16 ACCEPT 0 -- 0.0.0.0/0 224.0.0.0/8
> 
> 
> Again, when director firewalls are down everything works great; when 
> they are up we get split brain.

You need rules 15 & 16 *before* rule 14. The REJECT should be the last
one in the set.

Graeme
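The ordering point Graeme makes is first-match evaluation: once a packet hits the REJECT at rule 14, rules 15 and 16 (which would have accepted the multicast VRRP traffic keepalived uses to elect a MASTER) are never consulted, so each director stops hearing the other and both claim MASTER. The simulator below is an added example, not code from the thread or from keepalived/iptables. It models the quoted RH-Firewall-1-INPUT chain as a first-match rule list, evaluates a constructed VRRP advertisement (IP protocol 112 to 224.0.0.18) and a constructed stray TCP SYN against the posted order and against the same rules with REJECT moved last. The quoted listing has no interface column (it was not taken with -v), so rule 1 is assumed here to be the stock loopback rule `-i lo -j ACCEPT`; addresses in 192.0.2.0/24 are constructed.

```python
"""First-match simulation of the RH-Firewall-1-INPUT chain quoted in the post.

Added example: a tiny evaluator, not iptables itself.  Interface matches
are not visible in the quoted listing (no -v), so rule 1 is ASSUMED to be
the stock '-i lo' loopback rule.  Addresses 192.0.2.x are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str = "all"                # "all" is printed as 0 in the listing
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Optional[range] = None    # destination port range, None = any
    states: Tuple[str, ...] = ()      # conntrack states, () = no state match
    in_iface: Optional[str] = None    # assumed, see module docstring


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    state: str = "NEW"
    in_iface: str = "eth0"


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every match criterion of the rule applies to the packet."""
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """Return (1-based rule number, target) of the first matching rule,
    or (0, "ACCEPT") for the INPUT policy when no rule matches."""
    for num, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return num, rule.target
    return 0, "ACCEPT"


def move_reject_last(chain: List[Rule]) -> List[Rule]:
    """Graeme's fix: keep every rule, but make the REJECT the last one."""
    keep = [r for r in chain if r.target != "REJECT"]
    return keep + [r for r in chain if r.target == "REJECT"]


# The chain exactly as quoted in the post (rules 1-16, same order).
POSTED_CHAIN = [
    Rule("ACCEPT", in_iface="lo"),                                          # 1 (assumed -i lo)
    Rule("ACCEPT", proto="icmp"),                                           # 2
    Rule("ACCEPT", proto="esp"),                                            # 3
    Rule("ACCEPT", proto="ah"),                                             # 4
    Rule("ACCEPT", proto="udp", dst="224.0.0.251", dports=range(5353, 5354)),  # 5
    Rule("ACCEPT", proto="udp", dports=range(631, 632)),                    # 6
    Rule("ACCEPT", proto="tcp", dports=range(631, 632)),                    # 7
    Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),                      # 8
    Rule("ACCEPT", proto="tcp", dports=range(22, 23), states=("NEW",)),     # 9
    Rule("ACCEPT", proto="tcp", dports=range(443, 444), states=("NEW",)),   # 10
    Rule("ACCEPT", proto="tcp", dports=range(80, 81), states=("NEW",)),     # 11
    Rule("ACCEPT", proto="tcp", dports=range(1010, 1024), states=("NEW",)), # 12
    Rule("ACCEPT", proto="tcp", dports=range(904, 905), states=("NEW",)),   # 13
    Rule("REJECT"),                                                         # 14
    Rule("ACCEPT", src="224.0.0.0/8"),                                      # 15
    Rule("ACCEPT", dst="224.0.0.0/8"),                                      # 16
]

# Constructed packets: a VRRP advertisement from the peer director
# (IP protocol 112 to the VRRP multicast group) and an unrelated TCP SYN.
VRRP_ADVERT = Packet(proto="vrrp", src="192.0.2.2", dst="224.0.0.18")
STRAY_SYN = Packet(proto="tcp", src="192.0.2.99", dst="192.0.2.1", dport=8080)


def main() -> None:
    orders = (("posted", POSTED_CHAIN), ("fixed", move_reject_last(POSTED_CHAIN)))
    for name, chain in orders:
        for label, pkt in (("VRRP advert", VRRP_ADVERT), ("stray SYN", STRAY_SYN)):
            num, target = evaluate(chain, pkt)
            print(f"{name:6} order: {label:11} -> rule {num:2} {target}")


if __name__ == "__main__":
    main()
```

With the posted order the VRRP advertisement dies at rule 14, which is the split brain Gerry sees; with the REJECT moved last it is accepted by the former rule 16, while the stray SYN is still rejected in both orders, so the reorder loses no protection.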


