3

Currently i have two servers Running Debian 7 with HA Active/Passive setup using Pacemaker and Corosync as follows:

node1->IP->xx.xx.xx.1
node2->IP->xx.xx.xx.2
VIP(Floating IP) ->xx.xx.xx.3

It is configure with heartbeat for fail-over setup. All the IP's above are public facing.

The system is all working as it supposed to with High Availability when other node fails etc.. When one of the system is Active, there will two IP's assigned to one server.

So here's my question-

  1. Do i have to add any separate iptable rules for different IP's (VIP and Static Public IP)?

  2. How to allow (listen) traffic only on a particular IP(VIP) for a service for eg-DB server and not from other public address(xx.1) from outside world.

    If you have anything that concerns the setup wrt security etc.. please comment..

Thanks

Community
  • 1
vrOom
  • 47
  • 7

1 Answers1

1

Do i have to add any separate iptable rules for different IP's (VIP and Static Public IP)?

That depends on how your existing iptables rules look like. If your'e explicitly allowing access to specific IP addresses, then yes, you need to add rules to the VIP. If you just accept connections to the specific port, then no.

How to allow (listen) traffic only on a particular IP(VIP) for a service for eg-DB server and not from other public address(xx.1) from outside world.

That depends on the software being used for the particular service. E.g. MySql can be told to bind to a specific IP address so that connections to any other IP address will not succeed. You could also use iptables to block everything except the high-available service port on the VIP.

My personal rule with iptables is to always explicitly allow those connection I know are necessary, and block everything else.

If you want to block everything on the VIP except the service you're making high-available, e.g. http on port 80:

iptables -A INPUT -d xx.xx.xx.3 --protocol tcp --dport 80 -j ACCEPT
iptables -A INPUT -d xx.xx.xx.3 -j REJECT

Similarly allow or block ports on the non-VIP addresses according to you wishes.

You should have an earlier INPUT rule that accepts all protocol icmp traffic, by the way; a lot of vague network problems are caused by people ignorantly blocking icmp packets.

wurtel
  • 3,864
  • 12
  • 15
  • Can you give some examples to define rules for separate IP's(VIP and static public facing IP) i.e., How to define inbound rules for different IP's (VIP and static public facing IP) – vrOom Dec 08 '14 at 06:58
  • I've added a couple of example commands that should make it clearer. – wurtel Dec 08 '14 at 09:12