keepalived works well without iptables


Solution 1

Just solved this problem these days, haha.

Do:

iptables -I INPUT -d 224.0.0.0/8 -j ACCEPT
iptables -I INPUT -p vrrp -j ACCEPT

Solution 2

You must accept IP protocol 112 (vrrp) and multicast traffic to 224.0.0.18. If you are using auth_type AH then you must accept proto 51.

iptables -I INPUT -p 112 -d 224.0.0.18 -j ACCEPT
iptables -I INPUT -p 51  -d 224.0.0.18 -j ACCEPT

Solution 3

On the MASTER keepalived machine:

iptables -I OUTPUT -p vrrp -s 192.168.10.1 -d 224.0.0.0/24 -j ACCEPT

On the BACKUP keepalived machine:

iptables -I INPUT -p vrrp -s 192.168.10.1  -d 224.0.0.0/24 -j ACCEPT

192.168.10.1 is the master keepalived IP.

Author: truease.com

Updated on June 11, 2022

Comments

  • truease.com
    truease.com over 1 year

    I have set up keepalived, and it works well only when I stop the iptables service. My iptables config is like this; please tell me what rules should be added for keepalived.

    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22   -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80   -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 6379 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    
  • TomOnTime
    TomOnTime over 8 years
    Is that 1st rule right? Without -p it defaults to tcp, which isn't used in multicast.
  • Lapsio
    Lapsio over 5 years
    That AH rule is crucial and it's the only place where it's mentioned...
  • Emrah Tema
    Emrah Tema almost 3 years
    I executed that command on my computer "iptables -I INPUT -p 112 -d 224.0.0.18 -j ACCEPT" but now I need to revoke it, how can I do that?
  • Heichou
    Heichou almost 2 years
    @EmrahTema "iptables -D INPUT -p 112 -d 224.0.0.18 -j ACCEPT"
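Pulling the answers and the comment thread together, here is an added shell example (my own code, not from the question, any of the answers, or the keepalived project). It generates the INPUT rules keepalived needs for auth_type PASS or AH, adds and removes them idempotently (the revoke question in the comments), and audits an iptables-save dump to confirm the rules are present and actually reachable, i.e. placed above the catch-all REJECT that the questioner's ruleset ends with. It assumes the default multicast VRRP to 224.0.0.18 (unicast_peer setups differ), an iptables that supports `-C`, and a POSIX awk; the function names and the sample dumps are my own, the dumps being constructed and modelled on the questioner's ruleset.

```shell
#!/bin/sh
# Added example: keepalived firewall rules as reusable functions (not from the page's answers).
# Assumes multicast VRRP (224.0.0.18), iptables with -C, POSIX awk. Sample dumps are constructed.

# Protocol numbers keepalived traffic uses: 112 (VRRP) always, 51 (AH) when auth_type AH.
vrrp_protos() {
  if [ "$1" = "AH" ]; then echo "112 51"; else echo "112"; fi
}

# Print one INPUT rule spec per line. $1 = auth_type (PASS|AH), $2 = optional interface.
vrrp_rules() {
  iface_opt=""
  if [ -n "$2" ]; then iface_opt="-i $2 "; fi
  for proto in $(vrrp_protos "$1"); do
    printf '%s\n' "${iface_opt}-p ${proto} -d 224.0.0.18 -j ACCEPT"
  done
}

# Insert each rule only if absent. -I (not -A) puts it at the top of INPUT, above any
# catch-all REJECT, which is why the answers use it. Needs root.
apply_vrrp_rules() {
  vrrp_rules "$@" | while read -r rule; do
    # $rule is intentionally unquoted so it splits into separate arguments
    iptables -C INPUT $rule 2>/dev/null || iptables -I INPUT $rule
  done
}

# Revoke what apply_vrrp_rules added: -D deletes the first matching rule.
remove_vrrp_rules() {
  vrrp_rules "$@" | while read -r rule; do
    iptables -D INPUT $rule 2>/dev/null || true
  done
}

# Audit an iptables-save dump (stdin) for the INPUT rules keepalived needs ($1 = auth_type).
# Prints each missing rule; returns 1 if any is missing, 0 otherwise.
audit_vrrp_rules() {
  awk -v want="$(vrrp_protos "$1")" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # Does cidr (a CIDR, a bare address, or "" meaning any destination) cover ip?
    function covers(cidr, ip,  p, net, bits, shift) {
      if (cidr == "") return 1
      p = index(cidr, "/")
      net = p ? substr(cidr, 1, p - 1) : cidr
      bits = p ? substr(cidr, p + 1) + 0 : 32
      shift = 2 ^ (32 - bits)   # compare network prefixes by division (POSIX awk has no bitwise ops)
      return int(ip2n(net) / shift) == int(ip2n(ip) / shift)
    }
    BEGIN {
      n = split(want, w, " "); for (i = 1; i <= n; i++) found[w[i]] = 0
      num["vrrp"] = 112; num["ah"] = 51   # iptables-save prints names from /etc/protocols
    }
    # A catch-all REJECT/DROP ends the reachable part of INPUT: rules below it never match.
    /^-A INPUT -j (REJECT|DROP)/ { exit }
    /^-A INPUT / && / -j ACCEPT/ {
      proto = ""; dst = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = ($(i + 1) in num) ? num[$(i + 1)] : $(i + 1)
        if ($i == "-d") dst = $(i + 1)
      }
      if ((proto in found) && covers(dst, "224.0.0.18")) found[proto] = 1
    }
    END {
      rc = 0
      for (i = 1; i <= n; i++)
        if (!found[w[i]]) { print "missing: -A INPUT -p " w[i] " -d 224.0.0.18 -j ACCEPT"; rc = 1 }
      exit rc
    }'
}

# Constructed sample: a trimmed version of the questioner's ruleset, which rejects VRRP.
DUMP_BEFORE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: after Solution 2, as iptables-save renders the rules (protocol names, /32 mask).
DUMP_AFTER='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p ah -d 224.0.0.18/32 -j ACCEPT
-A INPUT -p vrrp -d 224.0.0.18/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: the same rule added with -A instead of -I sits below the REJECT and is never reached.
DUMP_APPENDED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p vrrp -d 224.0.0.18/32 -j ACCEPT
COMMIT'

# Usage: printf '%s\n' "$DUMP_BEFORE" | audit_vrrp_rules AH    # lists the two missing rules, exits 1
#        iptables-save | audit_vrrp_rules AH                   # on a live node, as root
```

The audit deliberately stops at the first unconditional REJECT or DROP in INPUT, so a rule appended with `-A` after the questioner's `-A INPUT -j REJECT` line is reported as missing even though it is in the dump; that ordering is the usual reason a rule "added for keepalived" still leaves the backup flapping to MASTER. Rules with a broader destination such as `224.0.0.0/8` or no `-d` at all are accepted as covering 224.0.0.18.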