I set up CentOS 6; during installation I chose the installation type "virtual host".
After installation the firewall is configured by default like this:
# Generated by iptables-save v1.4.7 on Mon Dec 19 21:42:23 2011
*nat
:PREROUTING ACCEPT [5577:1004942]
:POSTROUTING ACCEPT [26:2932]
:OUTPUT ACCEPT [26:2932]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Dec 19 21:42:23 2011
# Generated by iptables-save v1.4.7 on Mon Dec 19 21:42:23 2011
*mangle
:PREROUTING ACCEPT [12327905:228376874615]
:INPUT ACCEPT [12327901:228376874439]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3276458:392269404]
:POSTROUTING ACCEPT [3276458:392269404]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Mon Dec 19 21:42:23 2011
# Generated by iptables-save v1.4.7 on Mon Dec 19 21:42:23 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3276399:392264544]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Dec 19 21:42:23 2011
2. Then I installed and configured DRBD; on eth0 I assigned 172.16.0.1/255.255.255.252, and on the other machine eth0 got 172.16.0.2/255.255.255.252.
And now my problem: when the firewall is on in the default configuration that CentOS set up after installation and I start DRBD, DRBD simply does not connect to the other machine and does not synchronize. But as soon as I stop the firewall on one machine (service iptables stop), DRBD starts up and synchronizes nicely... And even if I turn the firewall back on during the synchronization, DRBD keeps synchronizing; it does not drop.
It is strange, because in that firewall INPUT, FORWARD and OUTPUT have a default policy of ACCEPT, so what could be causing it? Could it be some bug in CentOS?
Thanks for the nudge.
Well, it is nice that INPUT, FORWARD and OUTPUT have a default policy of ACCEPT,
but at the end of the firewall you reject everything else that did not pass through the firewall: REJECT --reject-with icmp-host-prohibited. So it is not a bug.
So add a rule there to accept the DRBD connection.
I also recommend using DROP instead of REJECT, because REJECT can easily be abused, e.g. for DDoS.
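One way to add the rule the answer asks for, as an added example that is not part of the original thread. The DRBD port (7788, the DRBD default, one port per resource), the replication interface (eth0) and the peer address (172.16.0.2 on the first node, 172.16.0.1 on the second) are assumptions; the question does not show the DRBD resource configuration. The rule is inserted with `-I INPUT 1`, not appended with `-A INPUT`: the default chain ends with `-A INPUT -j REJECT --reject-with icmp-host-prohibited`, and an appended rule would land behind that REJECT and never be evaluated. Only the NEW connection needs the rule; replies and an already-running replication are accepted by the existing `-m state --state RELATED,ESTABLISHED -j ACCEPT` rule, which is also why a synchronization started with the firewall stopped survives turning it back on.

```shell
#!/bin/sh
# Added example, not code from the original thread. It generates (and, as root,
# applies) the INPUT rule that lets the DRBD peer open its replication
# connection through the CentOS 6 default ruleset shown in the question.
# Assumptions not stated on the page: DRBD uses its default TCP port 7788,
# the replication link is eth0, and the peer is 172.16.0.2 on this node
# (use 172.16.0.1 on the other node).

# drbd_rule PEER IFACE [PORT]
# Prints the iptables command. The rule is inserted at position 1 (-I), not
# appended (-A): the default INPUT chain ends with
#   -A INPUT -j REJECT --reject-with icmp-host-prohibited
# so an appended rule would sit behind the REJECT and never match.
drbd_rule() {
    peer="$1"
    iface="$2"
    port="${3:-7788}"   # a range such as 7788:7790 covers several resources
    printf 'iptables -I INPUT 1 -i %s -s %s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' \
        "$iface" "$peer" "$port"
}

# drbd_rule_apply PEER IFACE [PORT]
# Runs the generated command and persists it to /etc/sysconfig/iptables so it
# survives "service iptables restart". Returns 1 when not running as root.
drbd_rule_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "must be root to change iptables" >&2; return 1; }
    cmd=$(drbd_rule "$@")
    eval "$cmd" || return 1
    service iptables save
}

# drbd_rule_check [PORT]
# Prints how many ACCEPT rules for PORT are in the live ruleset (0 if none).
# iptables-save is used instead of "iptables -C", which the iptables 1.4.7
# shipped with CentOS 6 does not support.
drbd_rule_check() {
    iptables-save 2>/dev/null | grep -c -- "--dport ${1:-7788} -j ACCEPT" || true
}

# Show the rule for node 172.16.0.1 (apply only as root):
drbd_rule 172.16.0.2 eth0
# drbd_rule_apply 172.16.0.2 eth0 && drbd_rule_check 7788
```

Run the mirror of this on the other node with `drbd_rule_apply 172.16.0.1 eth0`. Restricting the rule to `-i eth0 -s <peer>` keeps the replication port closed to everything except the one host that is supposed to connect to it; the answer's DROP-versus-REJECT suggestion concerns the final catch-all rule and is independent of this insert.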