[ULTRAMONKEY-USERS] iptables + ldirectord

Simon Horman horms at verge.net.au
Mon Aug 31 17:24:39 EST 2009


On Mon, Aug 10, 2009 at 01:13:07PM -0400, Gabriel Angel Möll Ibacache wrote:
> Hello,
> 
> I'm trying to configure heartbeat + ldirectord + iptables. All works
> fine with only the NAT iptables rule, but when I try to change the policy to
> DROP and set the iptables rules permitting traffic from and to
> heartbeat and from and to the services defined in ldirectord.cf.

Sorry, I'm not sure that I understand what the problem is.

> 
> Here is the heartbeat and iptables config:
> 
> [root at bal1 root]# cat /etc/ha.d/ldirectord.cf
> checktimeout=60
> checkinterval=10
> autoreload=yes
> logfile="/var/log/ldirectord.log"
> quiescent=yes
> 
> # SSH balancing
> virtual=192.168.1.186:60000
>         real=10.100.0.11:22 masq 100
>         real=10.100.0.14:22 masq 100
>         scheduler=rr
>         checktype=connect
>         protocol=tcp
>         checktimeout=60
> 
> [root at bal1 root]# cat /etc/ha.d/haresources
> bal1	IPaddr2::192.168.1.186/24/eth0/192.168.1.255 \
> 	IPaddr2::10.100.0.1/24/eth1/10.100.0.255 \
> 	ldirectord::/etc/ha.d/ldirectord.cf \
> 	iptables \
> 	LVSSyncDaemonSwap::master::eth1
> 
> 
> 
> IPTABLES RULES
> 
> #!/bin/sh
> ## Enable IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> ## Variables
> DEFAULT_POLICY="DROP"
> MULTICAST_IP="225.0.0.1"		# multicast IP
> IFACE1="eth0"			# NIC WAN
> IFACE2="eth1"			# NIC LAN
> IP_BAL1="192.168.1.184"			# load balancer 1
> IP_BAL2="192.168.1.185"			# load balancer 2
> IP_VIP="192.168.1.186"			# VIP
> MCAST_IFACE_IP1="10.100.0.11"		# LAN host 1
> MCAST_IFACE_IP2="10.100.0.14"		# LAN host 2
> MCAST_PORT1="694"			# mcast port 1
> SSH_PORT_EXT="60000"			# external SSH port
> SSH_PORT_IN="22"			# internal SSH port
> echo -n "Applying firewall rules..."
> ## Flush rules
> iptables -F
> iptables -X
> iptables -Z
> iptables -t nat -F
> ## Default policies
> iptables -P INPUT $DEFAULT_POLICY
> iptables -P OUTPUT $DEFAULT_POLICY
> iptables -P FORWARD $DEFAULT_POLICY
> # iptables -t nat -P PREROUTING $DEFAULT_POLICY
> # iptables -t nat -P POSTROUTING $DEFAULT_POLICY
> # Allow loopback traffic
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> # Allow SSH connections
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --sport 22 -j ACCEPT
> # Let ICMP packets through
> iptables -A INPUT -i eth0 -p ICMP -j ACCEPT
> iptables -A OUTPUT -o eth0 -p ICMP -j ACCEPT
> iptables -A INPUT -i eth1 -p ICMP -j ACCEPT
> iptables -A OUTPUT -o eth1 -p ICMP -j ACCEPT
> ## NAT
> iptables -t nat -A POSTROUTING -p tcp -j SNAT --to-source $IP_VIP
> # Multicast uses UDP.
> iptables -A INPUT -d $MULTICAST_IP -j ACCEPT
> iptables -A INPUT -p udp -m udp --dport $MCAST_PORT1 -j ACCEPT
> iptables -A OUTPUT -p udp -d $MULTICAST_IP -s $IP_BAL1 -o $IFACE1 --dport $MCAST_PORT1 -j ACCEPT
> iptables -A OUTPUT -p udp -d $MULTICAST_IP -s $IP_BAL2 -o $IFACE1 --dport $MCAST_PORT1 -j ACCEPT
> iptables -A OUTPUT -p udp -d $MULTICAST_IP -s $MCAST_IFACE_IP1 -o $IFACE2 --dport $MCAST_PORT1 -j ACCEPT
> ## Services
> # SSH connections to the VIP
> iptables -A INPUT -i eth0 -p tcp --dport $SSH_PORT_EXT -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp --sport $SSH_PORT_EXT -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp --dport $SSH_PORT_EXT -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport $SSH_PORT_EXT -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport $SSH_PORT_IN -j ACCEPT
> iptables -A OUTPUT -o eth1 -p tcp --sport $SSH_PORT_IN -j ACCEPT
> iptables -A OUTPUT -o eth1 -p tcp --dport $SSH_PORT_IN -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --sport $SSH_PORT_IN -j ACCEPT
> ##
> echo " OK. Check what was applied with: iptables -L -n"
> # End of script
> #
> ############################################
> 
> Best regards,
> Gabriel Möll Ibacache
> Computer Engineer
> _______________________________________________
> Ultramonkey-users mailing list
> Ultramonkey-users at vergenet.net
> http://lists.vergenet.net/listinfo/ultramonkey-users
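An added example, written for this page and not taken from the thread, from Gabriel's script or from the Ultramonkey project: a tighter director ruleset for the LVS-NAT setup quoted above. It keeps the addresses, ports and interfaces from the posted ldirectord.cf and haresources and changes three things a reviewer would flag in the posted script. First, the blanket `--sport 22` / `--sport 60000` ACCEPTs in INPUT let any remote host in simply by choosing that source port; the director's own connections (admin SSH, ldirectord's `checktype=connect` probes) are instead matched by conntrack state. Second, the posted script has no FORWARD rules at all, yet with LVS-NAT the real servers' replies arrive at the director as forwarded packets and IPVS rewrites their source only after the filter table has run, so a FORWARD policy of DROP with no rule for them discards the return path. Third, haresources starts `LVSSyncDaemonSwap` on eth1, which needs the IPVS sync multicast (group 224.0.0.81, UDP 8848) allowed. Assumptions: Heartbeat multicast stays on eth0 as in the post, with bal2 (192.168.1.185) as the peer when run on bal1; bal2's eth1 address is not in the thread, so the sync rule is limited by interface only; the `apply` argument, `build_rules` and `count_forward_accepts` are names made up for this example.

```shell
#!/bin/sh
# Example director ruleset for the LVS-NAT setup in the thread. Added example,
# not Gabriel's script and not Ultramonkey code; see the assumptions above.
# build_rules prints the iptables commands so they can be reviewed without
# root; apply_rules runs them. Usage on the director: sh rules.sh apply

EXT=eth0; INT=eth1                    # client side / real-server side
VIP=192.168.1.186; VPORT=60000        # virtual=192.168.1.186:60000
RS_LIST="10.100.0.11 10.100.0.14"     # real=...:22 masq
RPORT=22
PEER=192.168.1.185                    # the other director (assumed: bal2 seen from bal1)
HB_MCAST=225.0.0.1; HB_PORT=694       # Heartbeat group/port from the posted script
SYNC_MCAST=224.0.0.81; SYNC_PORT=8848 # IPVS sync daemon defaults (LVSSyncDaemonSwap)

build_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# The director's own connections (admin SSH, ldirectord health checks) are
# tracked by conntrack, so replies are matched by state, not by --sport.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# Admin SSH to the director itself, only from the LAN side.
iptables -A INPUT -i $INT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Echo requests in; all ICMP out (replies and errors return as RELATED/ESTABLISHED).
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
# Heartbeat multicast from the peer director only, plus the IGMP joins it needs.
iptables -A INPUT -i $EXT -p udp -s $PEER -d $HB_MCAST --dport $HB_PORT -j ACCEPT
iptables -A OUTPUT -o $EXT -p udp -d $HB_MCAST --dport $HB_PORT -j ACCEPT
iptables -A INPUT -i $EXT -p igmp -j ACCEPT
iptables -A OUTPUT -o $EXT -p igmp -j ACCEPT
# IPVS connection sync (LVSSyncDaemonSwap::master::eth1) between the directors.
iptables -A INPUT -i $INT -p udp -d $SYNC_MCAST --dport $SYNC_PORT -j ACCEPT
iptables -A OUTPUT -o $INT -p udp -d $SYNC_MCAST --dport $SYNC_PORT -j ACCEPT
iptables -A INPUT -i $INT -p igmp -j ACCEPT
iptables -A OUTPUT -o $INT -p igmp -j ACCEPT
# Balanced service. These rules are deliberately stateless: IPVS rewrites the
# packets after the filter table has seen them, so conntrack never sees a reply
# to the client->VIP flow and "-m state" would not match it.
#   1. client -> VIP:$VPORT is accepted in INPUT; IPVS takes it at LOCAL_IN and
#      re-emits it to a real server through OUTPUT.
iptables -A INPUT -i $EXT -p tcp -d $VIP --dport $VPORT -j ACCEPT
EOF
    for rs in $RS_LIST; do
        cat <<EOF
iptables -A OUTPUT -o $INT -p tcp -d $rs --dport $RPORT -j ACCEPT
#   2. real server -> client comes back as forwarded traffic and is un-NATed by
#      IPVS in FORWARD only after the filter chain, so it must be accepted here.
iptables -A FORWARD -i $INT -o $EXT -p tcp -s $rs --sport $RPORT -j ACCEPT
EOF
    done
}

apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules | sh -e
}

# Sanity check: one FORWARD ACCEPT per real server's return path.
count_forward_accepts() {
    build_rules | grep -c -- '^iptables -A FORWARD .* -j ACCEPT$'
}

if [ "${1:-}" = apply ]; then
    apply_rules
else
    build_rules
fi
```

Run it without arguments to print the rules for review and with `apply` as root on each director (changing `PEER` on bal2). No nat-table rule is needed for the balanced service: IPVS does the reverse translation itself and IPVS-handled packets skip the nat POSTROUTING hook. Keep the three service rules stateless unless the kernel was built with IPVS conntrack integration (`CONFIG_IP_VS_NFCT`, which only exists in later kernels); without it, adding `-m state` to them will silently break the balanced connections while the director's own SSH keeps working.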

