keepalived works well without iptables
16,259
Solution 1
Just slove this problem these days,Haha
Do:
iptables -I INPUT -d 224.0.0.0/8 -j ACCEPT
iptables -I INPUT -p vrrp -j ACCEPT
Solution 2
You must accept ip protocol 112 (vrrp) and multicast traffic to 224.0.0.18. If you are using auth_type AH then you must accept proto 51
iptables -I INPUT -p 112 -d 224.0.0.18 -j ACCEPT
iptables -I INPUT -p 51 -d 224.0.0.18 -j ACCEPT
Solution 3
to MASTER keepalived machine:
iptables -I OUTPUT -p vrrp -s 192.168.10.1 -d 224.0.0.0/24 -j ACCEPT
to BACKUP keepalived machine:
iptables -I INPUT -p vrrp -s 192.168.10.1 -d 224.0.0.0/24 -j ACCEPT
192.168.10.1 is the master keepalived ip
Comments
-
truease.com over 1 year
I have setup keepalived, and it works well only when I stop the iptables service. My iptables config like this, Please tell me what rules should added for keepalived
# Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 6379 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
-
TomOnTime over 8 yearsIs that 1st rule right? Without
-p
it defaults totcp
, which isn't used in multicast. -
Lapsio over 5 yearsThat AH rule is crutial and it's the only place where it's mentioned...
-
Emrah Tema almost 3 yearsI executed that command in my computer "iptables -I INPUT -p 112 -d 224.0.0.18 -j ACCEPT" but now I need to revoke it, how can I do that?
-
Heichou almost 2 years@EmrahTema "iptables -D INPUT -p 112 -d 224.0.0.18 -j ACCEPT"