[ClusterLabs] Clustered LVM with iptables issue

Digimer lists at alteeve.ca
Thu Sep 10 18:27:09 EDT 2015


Hi all,

  I've hit another recent, odd issue. Since adding RRP, I can't start
clvmd anymore if the iptables rules are in place. Starting clvmd sits
there and eventually times out with rc=5. If I drop iptables, it works
perfectly.

  From what I understand, clvmd uses dlm and corosync, so it shouldn't
need its own ports. Obviously I am wrong though...

  What ports/protocols are needed for clvmd to work right? It's a RHEL
6.7 box, in case it matters.

Here's my 'iptables-save' (10.20.0.0/16 is the back-channel that
corosync used to use exclusively. 10.10.0.0/16 is the storage network
that corosync's backup ring uses now. 10.255.0.0/16 is the
internet-facing network and is not used by anything cluster related):

====
[root@node1 ~]# iptables-save
# Generated by iptables-save v1.4.7 on Thu Sep 10 22:12:38 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:5318]
-A INPUT -s 192.168.122.0/24 -d 192.168.122.0/24 -p tcp -m state --state NEW -m tcp --dport 5900:6000 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 5900:6000 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m tcp --dport 49152:49216 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m tcp --dport 49152:49216 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m state --state NEW -m tcp --dport 7789 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m state --state NEW -m tcp --dport 7788 -j ACCEPT
-A INPUT -p igmp -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 16851 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m state --state NEW -m tcp --dport 16851 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 21064 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m state --state NEW -m tcp --dport 21064 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p udp -m addrtype --dst-type MULTICAST -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -p udp -m addrtype --dst-type MULTICAST -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A INPUT -s 192.168.122.0/24 -d 192.168.122.0/24 -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 5800 -j ACCEPT
-A INPUT -s 192.168.122.0/24 -d 192.168.122.0/24 -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
-A INPUT -s 192.168.122.0/24 -d 192.168.122.0/24 -p tcp -m state --state NEW -m tcp --dport 5800 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Sep 10 22:12:38 2015
====

Any help is appreciated!

-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without
access to education?
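A small audit helper for the situation in the post, added here as an example and not part of the original message: it parses INPUT rules in iptables-save format, collects the accepted proto/port openings per source network, and reports ports allowed from one corosync ring's network but not the other, which is the first thing to check after adding a second RRP ring. The rules embedded below are a constructed excerpt in the same format as the posted dump, not the full ruleset.

```python
import re
from collections import defaultdict

# Constructed excerpt in iptables-save format (same shape as the posted dump).
SAMPLE_RULES = """\
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m tcp --dport 49152:49216 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m tcp --dport 49152:49216 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m state --state NEW -m tcp --dport 7789 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p tcp -m state --state NEW -m tcp --dport 21064 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -p tcp -m state --state NEW -m tcp --dport 21064 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p udp -m addrtype --dst-type MULTICAST -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -p udp -m addrtype --dst-type MULTICAST -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -d 10.20.0.0/16 -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Matches both "--dport 21064" / "--dport 49152:49216" and "--dports 5404,5405".
PORT_RE = re.compile(r"--dports? (\S+)")


def accepted_ports(dump):
    """Map source network -> set of 'proto/port' openings accepted in INPUT."""
    opened = defaultdict(set)
    for line in dump.splitlines():
        parts = line.split()
        # Only ACCEPT rules in INPUT that name a source network and a protocol.
        if parts[:2] != ["-A", "INPUT"] or parts[-1] != "ACCEPT":
            continue
        if "-s" not in parts or "-p" not in parts:
            continue
        src = parts[parts.index("-s") + 1]
        proto = parts[parts.index("-p") + 1]
        m = PORT_RE.search(line)
        if not m:
            continue
        for port in m.group(1).split(","):
            opened[src].add(f"{proto}/{port}")
    return opened


def ring_asymmetry(dump, ring_a, ring_b):
    """Return (only on ring_a, only on ring_b) as sorted lists of proto/port."""
    opened = accepted_ports(dump)
    return (sorted(opened[ring_a] - opened[ring_b]),
            sorted(opened[ring_b] - opened[ring_a]))


if __name__ == "__main__":
    only_a, only_b = ring_asymmetry(SAMPLE_RULES, "10.20.0.0/16", "10.10.0.0/16")
    print("only on 10.20.0.0/16:", only_a)
    print("only on 10.10.0.0/16:", only_b)
```

Feed it the real dump with `iptables-save | python3 audit.py` after replacing SAMPLE_RULES with `sys.stdin.read()`; any port listed on only one ring is a candidate for the failover path being blocked.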
