[Pacemaker] iptables cluster

Karlis Kisis karlis.kisis at gmail.com
Mon Feb 13 05:02:23 EST 2012

I found the descriptions of resource agents here:


2012/2/13 Karlis Kisis <karlis.kisis at gmail.com>:
> Hi,
> In most cluster tutorials, for simplicity, iptables is turned off.
> Funny thing is that iptables is what I want to configure in an HA cluster
> (as redundant firewalls).
> While reading the documentation I did not fully understand how the IPaddr2
> resource is configured. Let me explain:
> I have 2 cluster nodes with following network config:
> NIC1 - External Internet - (81 for node2)
> NIC2 - Internal LAN - (81 for node2)
> NIC3 - Heartbeat - (81 for node2)
> NIC4 - Storage Net - (81 for node2)
> I want 2 addresses to fail over:
> VIP in External segment
> VIP in LAN segment
> Question #1:
> When I configure an IPaddr2 resource, how does it work? Especially if I
> want to use external addresses that are public. The network adapter goes
> in PROMISCUOUS mode and listens to all traffic, while filtering its IP
> and VIP? Does it load the routers?
> What if I need to add another address from a different IP subnet, let's
> say, since I don't have any adapters configured in
> this IP subnet, will it work? Can I somehow assign this IPaddr2 to be
> routed through NIC1 (static routes on both nodes?)
> Question #2:
> The whole clustering thingy works by stopping the service on one node
> and starting it on the other. In my case, I would not want iptables to
> be stopped but instead restarted with a "passive" config, like block
> all traffic from outside (instead of dropping the firewall entirely). How
> would I go about it? Custom scripts?
> Is there any extensive documentation on cluster networking somewhere?
> How do the VIPs technically work?
> Best regards,
> Karlis
