  1. #1

    keepalived, iptables, interfaces without a real IP: how to configure it


    Hi at all.
    I'm using a Debian with Keepalive 1.2.13
    I configured keepalived and iptables, but the rules in iptables don't seem to work.
    I have 3 IP addresses given to me by my service provider, and I need all three to be non-local, so I should not configure any IP on eth0 in the interfaces file.
    My interfaces file looks like this:

    # /etc/network/interfaces as posted: eth0 is brought up without an address
    # ("manual") so that keepalived can own every address on it.
    auto eth0 eth1
    allow-hotplug eth0 eth1
    iface eth0 inet manual
    up ifconfig eth0 up

    # NOTE(review): "face" is a typo for "iface"; as written this is not a valid
    # stanza header, so the static address below may never be applied to eth1.
    # 192.168.1.1 is also listed as the VRRP virtual address on eth1 in the
    # keepalived configuration — confirm the duplication is intended.
    face eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    The keepalived configuration file is:

    # keepalived.conf as posted: two VRRP instances, one per interface, kept in
    # step through sync group G1, plus a tracked script that checks haproxy.
    global_defs {
    router_id LVS_PRO
    }

    # Both instances fail over together: if either loses MASTER, the other follows.
    vrrp_sync_group G1 {
    group {
    inside_network
    outside_network
    }
    }

    # "killall -0 haproxy" only checks that a haproxy process exists, not that it
    # is serving. The command runs with keepalived's own privileges (presumably
    # root here), so keep the command line fixed and the binary path trusted.
    vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    # NOTE(review): "weigth" is a typo for "weight"; as written the keyword is
    # likely ignored, so the script result would not adjust the priority at all.
    weigth 2
    }

    vrrp_instance outside_network {
    interface eth0
    state MASTER
    # Loss of link on either interface takes this instance out of MASTER.
    track_interface {
    eth0
    eth1
    }
    priority 100
    # A virtual_router_id must be unique per L2 segment; confirm 156/157 do not
    # collide with other VRRP routers on the provider side.
    virtual_router_id 156
    # NOTE(review): PASS authentication carries the password in clear text in
    # every advertisement on the segment and guards only against accidental
    # misconfiguration, not against another host on the same segment. The same
    # eight-character value is reused for both instances; treat auth_pass as a
    # secret and keep the VRRP segment isolated.
    authentication {
    auth_type PASS
    auth_pass 12345678
    }
    # The addresses live here rather than in /etc/network/interfaces so that
    # they move with the MASTER role. Only the last two carry a label.
    virtual_ipaddress {
    192.168.100.13/24 dev eth0
    192.168.100.14/24 dev eth0 label eth0:0
    192.168.100.15/24 dev eth0 label eth0:1
    }
    # The default route exists only while this node is MASTER; while BACKUP,
    # eth0 has neither an address nor a route.
    virtual_routes {
    0.0.0.0/0 via 192.168.100.1 dev eth0
    }
    track_script {
    chk_haproxy
    }
    }

    vrrp_instance inside_network {
    interface eth1
    state MASTER
    priority 100
    virtual_router_id 157
    track_interface {
    eth0
    eth1
    }
    # Same clear-text PASS authentication and password as outside_network.
    authentication {
    auth_type PASS
    auth_pass 12345678
    }
    # NOTE(review): 192.168.1.1/24 is also the static address configured on eth1
    # in the interfaces file, so this VIP duplicates the interface's own address;
    # a BACKUP node carrying the same static address would clash with it.
    virtual_ipaddress {
    192.168.1.1/24 dev eth1 label eth1:0
    }
    track_script {
    chk_haproxy
    }
    }
    And my iptables rules are:

    ### POSTROUTING NAT ROLES
    ## Out access to eth0
    # NOTE(review): this rule belongs to the nat table (no -t nat or *nat header
    # is shown) and it appears before the -F/-X below; if the lines are loaded in
    # the order posted, the flush removes it again. Its source address is one of
    # the VRRP VIPs, which exists only while this node is MASTER.
    -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.100.15

    ### FLUSH EXSISTING RULES
    -F
    -X
    ### DEFAULT CHAIN POLICIES
    # FORWARD defaults to DROP and no FORWARD ACCEPT rule is listed, so the SNAT
    # above cannot carry LAN traffic out unless further rules exist elsewhere.
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT

    ### INPUT RULES
    ## Multicast accept
    # -I places these two at the top of INPUT. 224.0.0.0/8 covers the VRRP group
    # 224.0.0.18. Neither rule limits the interface or the source address, so
    # VRRP from any host on either segment is accepted; restricting with -i and
    # -s to the peer would narrow that.
    -I INPUT -d 224.0.0.0/8 -j ACCEPT
    -I INPUT -p vrrp -j ACCEPT
    ## Allow inbound loopback
    -A INPUT -i lo -j ACCEPT -m comment --comment "001 local"
    # Loopback destinations arriving on a real interface are refused.
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
    ## Allow ESTABLISHED and RELATED connection
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ## Allow inbound connection from LAN and WLAN (specify IP)
    # From eth0
    # New connections to 22 and 1936 are accepted from the single admin host only.
    -A INPUT -i eth0 -p tcp -s 192.168.100.38 -m state --state NEW --dport 22 -j ACCEPT
    -A INPUT -i eth0 -p tcp -s 192.168.100.38 -m state --state NEW --dport 1936 -j ACCEPT

    ## LOG and DROP anything else
    # NOTE(review): the heading says LOG, but there is no -j LOG rule, so nothing
    # is recorded before the drop (the INPUT DROP policy already covers the rest).
    # A rate-limited LOG rule before this line would supply the evidence the
    # logs currently lack. A DROP discards silently rather than refusing, so a
    # "connection refused" seen by the client presumably comes from somewhere
    # else — confirm which host answers.
    # NOTE(review): "iptables -L" resolves addresses to names unless -n is given;
    # a slow listing while eth0 has no address is consistent with reverse-DNS
    # lookups waiting for a route. "iptables -nL" avoids that — confirm.
    -A INPUT -i eth0 -j DROP
    My IP address is 192.168.100.38.
    When I try to connect to the server by SSH, it refuses the connection; if I configure eth0 with an IP, it works fine.
    The servers in the network can access the internet.
    So the question is... where is my trivial mistake?

  2. #2
    What do your logs show? They should give an indication of what is blocked and why.

  3. #3
    Hi at all.
    I hope you passed a good New Year.
    Anyway...
    I searched the log files syslog, daemon.log and messages for more information, but everything seems OK.
    I can add that:
    when I run the command
    iptables -L
    it shows the rule list very slowly, and this doesn't happen when I configure eth0 with an IP in the interfaces file.

