[Linux-HA] heartbeat for iptables FW

Sam Sam at VerveeltZich.com
Tue Feb 7 02:30:45 MST 2006


I would suggest using tcpdump/ethereal to monitor what packets are 
being sent by heartbeat.
Of course, disable your firewall and disable any other services that 
generate traffic.

The error you get is because you firewall OUTGOING traffic,
so as Norman said "iptables -A output -o $HB -j ACCEPT" should do the 
trick at all times.
Make sure no other rules BEFORE that rule are doing a reject.
And perhaps it's wise to always allow traffic to the localhost interface.

Or systematically disable rule by rule and test whether it works, to 
determine which rule is blocking the traffic.

Sam.


Norman Maurer wrote:

>That's what I have in my ruleset, but I get the error.. That's what I
>wonder about :-(
>
>bye
>
>On Monday, 06.02.2006, 14:35 -0800, Gary W. Smith wrote:
>  
>
>>That's more of a netfilter question than a ha question but I will give
>>it a shot.  Assuming that you have a dedicated heartbeat interface you
>>would do something like:
>>
>># Assuming eth1 is your heartbeat interface
>># You would also want to put this somewhere before your drop
>># rules. (Chain names are case-sensitive: INPUT/OUTPUT, not input/output.)
>>HB=eth1
>>iptables -A INPUT -i $HB -j ACCEPT
>>iptables -A OUTPUT -o $HB -j ACCEPT
>>
>>if you are using a shared interface, which I wouldn't recommend, you
>>would want to do something like:
>>HB=eth1
>>HBPORT=694 # use your actual port that is in your haconfig file.
>># heartbeat's bcast/ucast traffic is UDP, so match udp rather than tcp
>>iptables -A INPUT -i $HB -p udp -m udp --dport $HBPORT -j ACCEPT
>>iptables -A OUTPUT -o $HB -j ACCEPT
>>
>>>-----Original Message-----
>>>From: linux-ha-bounces at lists.linux-ha.org [mailto:linux-ha-
>>>bounces at lists.linux-ha.org] On Behalf Of Norman Maurer
>>>Sent: Monday, February 06, 2006 11:10 AM
>>>To: linux-ha at lists.linux-ha.org
>>>Subject: [Linux-HA] heartbeat for iptables FW
>>>
>>>Hi guys,
>>>
>>>We use HA + DRBD on a few servers to get failover working. It works
>>>really nice.
>>>
>>>But now we want to use it to get 2 firewalls as an active-passive
>>>solution. But when Heartbeat is started and the firewall gets started,
>>>heartbeat has problems sending the broadcast. I always get "send bcast
>>>not permitted" in the syslog. What's the problem? What things do I have to
>>>allow on the firewall to not get this error.
>>>
>>>bye
>>>
>>>
>>>_______________________________________________
>>>Linux-HA mailing list
>>>Linux-HA at lists.linux-ha.org
>>>http://lists.linux-ha.org/mailman/listinfo/linux-ha
>>>See also: http://linux-ha.org/ReportingProblems
>
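Sam's advice above amounts to finding which rule in the chain catches heartbeat's UDP/694 traffic first, and Gary's point is that the ACCEPT must sit before any drop rules. The following is an added example, not code from this thread: a small rule-order checker over `iptables-save`-style text that reports the first matching rule for a packet on the heartbeat interface. It understands only `-i`/`-o`/`-p`/`--dport`/`-j` (an assumption of this toy; other matches are ignored), and the two rulesets are constructed samples.

```python
import shlex

# Constructed sample: a catch-all REJECT on OUTPUT sits before the heartbeat
# ACCEPT, which is the ordering that yields "send bcast not permitted".
BROKEN = """\
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth1 -p udp -m udp --dport 694 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -j ACCEPT
"""
# Same rules with the heartbeat ACCEPT moved ahead of the REJECT.
FIXED = """\
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth1 -p udp -m udp --dport 694 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
"""

def parse_rules(dump):
    """Return ({chain: policy}, [rule dicts in file order])."""
    policies, rules = {}, []
    for line in dump.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = {"chain": toks[1]}
            for i, tok in enumerate(toks):
                if tok in ("-i", "-o", "-p", "--dport", "-j"):
                    rule[tok] = toks[i + 1]
            rules.append(rule)
    return policies, rules

def verdict(dump, chain, iface, proto, dport):
    """(target, rule position) of the first rule in `chain` that matches the
    packet, or (chain policy, None) when no rule matches."""
    policies, rules = parse_rules(dump)
    for n, rule in enumerate([r for r in rules if r["chain"] == chain], 1):
        want_if = rule.get("-i") if chain == "INPUT" else rule.get("-o")
        if want_if and want_if != iface:
            continue
        if rule.get("-p") and rule["-p"] != proto:
            continue
        if rule.get("--dport") and int(rule["--dport"]) != dport:
            continue
        return rule["-j"], n
    return policies.get(chain, "ACCEPT"), None
```

Run `verdict(BROKEN, "OUTPUT", "eth1", "udp", 694)` to see the REJECT at position 1 that blocks the outgoing broadcast; the same call against `FIXED` returns the ACCEPT.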
