Top
PRIMECLUSTER  Installation and Administration Guide 4.3
Appendix J Using Firewall
PreviousNext

Appendix J Using Firewall

When using Firewall, perform either of the following procedures because the cluster may not operate normally.

This chapter provides an example to configure Firewall by using iptables.

Configure the settings in accordance with the security policy.

See

  • For details on iptables, see the man manual or other related documentation for the iptables(8) command.

When allowing the communication interface used by PRIMECLUSTER

With PRIMECLUSTER, communication interfaces are used on the administrative LAN and the cluster interconnects. Configure the settings to allow both communication interfaces.

The following is an example to allow sending and receiving the communication interface "cip0" of the cluster interconnect.

Format:  -A INPUT -i <input-interface> -j ACCEPT
         -A OUTPUT -o <output-interface> -j ACCEPT
Example: -A INPUT -i cip0 -j ACCEPT
         -A OUTPUT -o cip0 -j ACCEPT
When allowing the port number used by PRIMECLUSTER


See "Appendix I Startup Scripts and Startup Daemons, and Port Numbers in PRIMECLUSTER" and allow communication of all port numbers used by PRIMECLUSTER.
The following is an example to allow communications of some port numbers used by the cluster resource management facility between the local node and other nodes.
Format:  -A <INPUT/OUTPUT> -p <tcp/udp> -m <tcp/udp> --dport <destination-port-number> -j ACCEPT
         -A <INPUT/OUTPUT> -p <tcp/udp> -m <tcp/udp> --sport <destination-port-number> -j ACCEPT
Example: -A INPUT -p tcp -m tcp --dport 9383 -j ACCEPT
         -A OUTPUT -p tcp -m tcp --sport 9383 -j ACCEPT
         -A INPUT -p tcp -m tcp --sport 9383 -j ACCEPT
         -A OUTPUT -p tcp -m tcp --dport 9383 -j ACCEPT
Note
  • If you change the configuration of iptables, do not restart the iptables service. Instead, execute either of the following actions:
    • Restarting the cluster node
    • Applying the configuration change by using iptables-restore
  • When using the state module in iptables, configure settings to allow communications of PRIMECLUSTER before the state module settings.
    In the following example, communications of cluster interconnects are allowed before the state module settings.
    Example: -A INPUT -i cip0 -j ACCEPT
         -A OUTPUT -o cip0 -j ACCEPT
         -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
         -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
PreviousNext
Copyright FUJITSU LIMITED 2008-2015