[ULTRAMONKEY-USERS] iptables + ldirectord
Gabriel Angel Möll Ibacache
gabriel.moll at gmail.com
Tue Aug 11 03:13:07 EST 2009
Hello,
I'm trying to configure heartbeat + ldirectord + iptables. All works
fine with only the NAT iptables rule, but when I try to change the policy to
DROP and set the iptables rules for permitting traffic from and to
heartbeat and from and to the services defined in ldirectord.cf.
Here is the heartbeat and iptables config:
[root@bal1 root]# cat /etc/ha.d/ldirectord.cf
checktimeout=60
checkinterval=10
autoreload=yes
logfile="/var/log/ldirectord.log"
quiescent=yes
# SSH load balancing
virtual=192.168.1.186:60000
real=10.100.0.11:22 masq 100
real=10.100.0.14:22 masq 100
scheduler=rr
checktype=connect
protocol=tcp
checktimeout=60
[root@bal1 root]# cat /etc/ha.d/haresources
bal1 IPaddr2::192.168.1.186/24/eth0/192.168.1.255 \
IPaddr2::10.100.0.1/24/eth1/10.100.0.255 \
ldirectord::/etc/ha.d/ldirectord.cf \
iptables \
LVSSyncDaemonSwap::master::eth1
IPTABLES RULES
#!/bin/sh
## Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
## Variables
DEFAULT_POLICY="DROP"
MULTICAST_IP="225.0.0.1" # multicast IP
IFACE1="eth0" # NIC WAN
IFACE2="eth1" # NIC LAN
IP_BAL1="192.168.1.184" # load balancer 1
IP_BAL2="192.168.1.185" # load balancer 2
IP_VIP="192.168.1.186" # VIP
MCAST_IFACE_IP1="10.100.0.11" # LAN host 1
MCAST_IFACE_IP2="10.100.0.14" # LAN host 2
MCAST_PORT1="694" # mcast port 1
SSH_PORT_EXT="60000" # external SSH port
SSH_PORT_IN="22" # internal SSH port
echo -n Aplicando Reglas de Firewall...
## Flush rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
## Default policies
iptables -P INPUT $DEFAULT_POLICY
iptables -P OUTPUT $DEFAULT_POLICY
iptables -P FORWARD $DEFAULT_POLICY
# iptables -t nat -P PREROUTING $DEFAULT_POLICY
# iptables -t nat -P POSTROUTING $DEFAULT_POLICY
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow SSH connections
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
# Let ICMP packets through
iptables -A INPUT -i eth0 -p ICMP -j ACCEPT
iptables -A OUTPUT -o eth0 -p ICMP -j ACCEPT
iptables -A INPUT -i eth1 -p ICMP -j ACCEPT
iptables -A OUTPUT -o eth1 -p ICMP -j ACCEPT
## NAT
iptables -t nat -A POSTROUTING -p tcp -j SNAT --to-source $IP_VIP
# Multicast uses UDP.
iptables -A INPUT -d $MULTICAST_IP -j ACCEPT
iptables -A INPUT -p udp -m udp --dport $MCAST_PORT1 -j ACCEPT
iptables -A OUTPUT -p udp -d $MULTICAST_IP -s $IP_BAL1 -o $IFACE1 --dport $MCAST_PORT1 -j ACCEPT
iptables -A OUTPUT -p udp -d $MULTICAST_IP -s $IP_BAL2 -o $IFACE1 --dport $MCAST_PORT1 -j ACCEPT
iptables -A OUTPUT -p udp -d $MULTICAST_IP -s $MCAST_IFACE_IP1 -o $IFACE2 --dport $MCAST_PORT1 -j ACCEPT
## Services
# SSH connections to the VIP
iptables -A INPUT -i eth0 -p tcp --dport $SSH_PORT_EXT -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport $SSH_PORT_EXT -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport $SSH_PORT_EXT -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport $SSH_PORT_EXT -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport $SSH_PORT_IN -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport $SSH_PORT_IN -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport $SSH_PORT_IN -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport $SSH_PORT_IN -j ACCEPT
##
echo " OK . Verifique que lo que se aplica con: iptables -L -n"
# End of script
#
############################################
Yours sincerely,
Gabriel Möll Ibacache
Civil Engineer in Computer Science
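Added here as an example, not part of Gabriel's post: a small POSIX shell audit that reads an iptables-save dump and reports which rules an LVS-NAT director running heartbeat still lacks under a DROP default policy. It assumes the interfaces, addresses and ports from the post, and the dump it checks is a constructed excerpt shaped like the posted script. The checks it encodes: replies from the real servers are routed traffic and therefore traverse the filter FORWARD chain before ipvs (which hooks FORWARD at a lower priority) reverses the NAT, and the LVS sync daemon started by LVSSyncDaemonSwap uses multicast group 224.0.0.81 on udp/8848.

```shell
#!/bin/sh
# Audit an iptables-save dump for the accepts an LVS-NAT + heartbeat director
# needs when INPUT/OUTPUT/FORWARD default to DROP. Example code, not the
# posted script; addresses/ports mirror the post (eth0 WAN, eth1 LAN).

# Constructed iptables-save excerpt resembling the posted rules: note that,
# like the post, it has no FORWARD accepts at all.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 60000 -j ACCEPT
-A INPUT -d 225.0.0.1/32 -j ACCEPT
-A INPUT -p udp -m udp --dport 694 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# has_rule DUMP REGEX: succeed if any line of DUMP matches the extended regex.
has_rule() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# audit_lvs_nat DUMP: print one "MISSING:" line per absent requirement,
# nothing when the dump satisfies all of them.
audit_lvs_nat() {
    dump=$1
    # Real-server replies (10.100.0.x:22 -> client) are not local traffic, so
    # they hit filter FORWARD first; ipvs un-NATs them later in ip_vs_out.
    # ipvs does the NAT itself, so a conntrack ESTABLISHED match is not a
    # reliable substitute for a plain accept by ingress interface/source.
    has_rule "$dump" '^-A FORWARD .*-i eth1 .*-j ACCEPT' ||
        echo "MISSING: FORWARD accept for real-server replies entering eth1"
    # Client -> VIP:60000 is delivered locally: INPUT must accept it, and the
    # rewritten packet leaves through OUTPUT towards the real server on eth1.
    has_rule "$dump" '^-A INPUT .*-i eth0 .*--dport 60000 .*-j ACCEPT' ||
        echo "MISSING: INPUT accept for VIP service tcp/60000 on eth0"
    has_rule "$dump" '^-A OUTPUT .*-o eth1 .*--dport 22 .*-j ACCEPT' ||
        echo "MISSING: OUTPUT accept to real servers tcp/22 on eth1"
    # heartbeat (ha.cf mcast/ucast) talks udp/694 in both directions.
    has_rule "$dump" '^-A INPUT .*-p udp .*--dport 694 .*-j ACCEPT' ||
        echo "MISSING: INPUT accept for heartbeat udp/694"
    has_rule "$dump" '^-A OUTPUT .*-p udp .*--dport 694 .*-j ACCEPT' ||
        echo "MISSING: OUTPUT accept for heartbeat udp/694"
    # LVSSyncDaemonSwap: the ipvs sync daemon multicasts to 224.0.0.81:8848.
    has_rule "$dump" '^-A (INPUT|OUTPUT) .*224\.0\.0\.81.*-j ACCEPT' ||
        echo "MISSING: accept for ipvs sync multicast 224.0.0.81 udp/8848"
}

# Against the constructed dump; on a director run: audit_lvs_nat "$(iptables-save)"
audit_lvs_nat "$SAMPLE_DUMP"
```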