
I have a default DROP policy on the INPUT and OUTPUT chains configured for iptables, and I am trying to configure proper iptables rules for two servers that mirror data via drbd.

The resource configuration:

resource data {
    on data001 {
        device /dev/drbd0;
        disk /dev/mapper/vg--system-data;
        meta-disk internal;
        address 10.0.0.10:7788;
    }
    on data002 {
        device /dev/drbd0;
        disk /dev/mapper/vg--system-data;
        meta-disk internal;
        address 10.0.0.11:7788;
    }
}

For iptables, the following rules are set on both drbd nodes:

-A INPUT -p tcp -s 10.0.0.10 --sport 7788 -j ACCEPT
-A OUTPUT -p tcp -d 10.0.0.10 --dport 7788 -j ACCEPT
-A INPUT -p tcp -s 10.0.0.11 --sport 7788 -j ACCEPT
-A OUTPUT -p tcp -d 10.0.0.11 --dport 7788 -j ACCEPT

However, drbd cannot properly set up a connection between the hosts. Updating the default policies on both hosts to ACCEPT works as expected.

pdu
  • To debug add a LOG directive to your iptables rules. Also the full output `iptables -n -v -L` would help. And: `-A INPUT -p tcp -s 10.0.0.10 --sport 7788 -j ACCEPT` is often wrong, because drbd - as most services - also maps to some random ports. I'd rather create matching OUTPUT rules for related traffic or something. Or e.g. `-A INPUT -p tcp -s 10.0.0.10 --dport 7788 -j ACCEPT` – Lenniey Aug 15 '18 at 10:05

1 Answer

You should allow ESTABLISHED connections for INPUT and OUTPUT. In addition, for the setup of the connection you need to allow packets with destination port 7788, both outgoing and incoming.

Edit

-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 10.0.0.10 --dport 7788 -j ACCEPT
-A INPUT -p tcp -s 10.0.0.11 --dport 7788 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -d 10.0.0.10 --dport 7788 -j ACCEPT
-A OUTPUT -p tcp -d 10.0.0.11 --dport 7788 -j ACCEPT
RalfFriedl
  • Could you give an example on the rules for the sake of completeness? – pdu Aug 15 '18 at 11:12
  • I added an example. – RalfFriedl Aug 15 '18 at 11:38
  • This will set a "default ESTABLISHED rule" for all INPUT/OUTPUT connections, not limited to these specific IPs. Sounds nitpicky, but depending on @pduersteler's use-case or expectations this might be too broad. – Lenniey Aug 15 '18 at 11:46
  • @Lenniey My opinion is if you don't want to have connections in `ESTABLISHED` state, you should block them before they get there. – RalfFriedl Aug 15 '18 at 12:02
  • @RalfFriedl I didn't criticize you, just wanted to clarify it. I'd use your approach too. – Lenniey Aug 15 '18 at 12:08
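To make the difference between the two rule sets concrete, here is an added example (not from the thread) that walks the four packets of the DRBD TCP handshake through a minimal model of the filter table. Hosts, addresses and port 7788 are taken from the question; the ephemeral source port 49152 and the simplified conntrack states are constructed assumptions.

```python
# Added example, not from the thread: a tiny model of iptables filter chains that
# shows where the question's --sport 7788 rules drop the DRBD handshake and why
# the answer's --dport 7788 + ESTABLISHED rules pass it. Port 49152 is constructed.
from collections import namedtuple
Packet = namedtuple("Packet", "src sport dst dport state")  # state = conntrack ctstate
def parse_rule(line):
    """Parse the '-A CHAIN ... -j TARGET' lines used on the page; -p/-m are ignored."""
    tok = line.split()
    rule = {"chain": tok[1], "target": tok[-1]}
    for i, t in enumerate(tok):
        if t in ("-s", "-d", "--sport", "--dport", "--ctstate"):
            key = t.lstrip("-")
            rule[key] = int(tok[i + 1]) if key in ("sport", "dport") else tok[i + 1]
    return rule
def matches(r, pkt):
    """A rule matches when every match it specifies agrees with the packet."""
    fields = {"s": pkt.src, "d": pkt.dst, "sport": pkt.sport, "dport": pkt.dport, "ctstate": pkt.state}
    return all(r.get(k, v) == v for k, v in fields.items())
def verdict(rules, chain, pkt, policy="DROP"):
    """First matching rule in the chain decides; otherwise the default policy applies."""
    for r in rules:
        if r["chain"] == chain and matches(r, pkt):
            return r["target"]
    return policy
def first_drop(ruleset_text):
    """data001 connects to data002:7788 with the same rules loaded on both nodes.
    Returns the (node, chain, packet) that is dropped, or None if the handshake passes."""
    rules = [parse_rule(l) for l in ruleset_text.strip().splitlines()]
    syn = Packet("10.0.0.10", 49152, "10.0.0.11", 7788, "NEW")          # first packet: NEW
    syn_ack = Packet("10.0.0.11", 7788, "10.0.0.10", 49152, "ESTABLISHED")  # reply: ESTABLISHED
    steps = [("data001", "OUTPUT", syn), ("data002", "INPUT", syn),
             ("data002", "OUTPUT", syn_ack), ("data001", "INPUT", syn_ack)]
    for node, chain, pkt in steps:
        if verdict(rules, chain, pkt) != "ACCEPT":
            return (node, chain, pkt)
    return None
QUESTION_RULES = """
-A INPUT -p tcp -s 10.0.0.10 --sport 7788 -j ACCEPT
-A OUTPUT -p tcp -d 10.0.0.10 --dport 7788 -j ACCEPT
-A INPUT -p tcp -s 10.0.0.11 --sport 7788 -j ACCEPT
-A OUTPUT -p tcp -d 10.0.0.11 --dport 7788 -j ACCEPT
"""
ANSWER_RULES = """
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 10.0.0.10 --dport 7788 -j ACCEPT
-A INPUT -p tcp -s 10.0.0.11 --dport 7788 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -d 10.0.0.10 --dport 7788 -j ACCEPT
-A OUTPUT -p tcp -d 10.0.0.11 --dport 7788 -j ACCEPT
"""
```

Running `first_drop(QUESTION_RULES)` points at the incoming SYN on data002's INPUT chain: its source port is ephemeral, so `--sport 7788` never matches and the default DROP wins, while `first_drop(ANSWER_RULES)` returns None.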