When using a firewall, perform either of the following procedures; otherwise the cluster may not operate normally.
Allow the communication interface used by PRIMECLUSTER.
Allow the port number used by PRIMECLUSTER.
This chapter provides examples for configuring Firewall by using firewalld, iptables, ip6tables, or nftables.
Configure the settings in accordance with the security policy.
See
For details on firewalld, see the man page or other related documentation for the firewalld(1) or firewall-cmd(1) command.
For details on iptables, see the man page or other related documentation for the iptables(8) command.
For details on ip6tables, see the man page or other related documentation for the ip6tables(8) command.
For details on nftables, see the man page or other related documentation for the nft(8) command.
When allowing the communication interface used by PRIMECLUSTER
With PRIMECLUSTER, communication interfaces are used on the administrative LAN and the cluster interconnects. Configure the settings to allow both communication interfaces.
The following is an example that allows sending and receiving on the cluster interconnect interface "cip0".
firewalld
The firewall-cmd option used to change the firewalld settings differs between the following two situations: adding an interface that is not yet registered in any zone to "zone=trusted", and changing an interface that is already registered in another zone to "zone=trusted".
Add interface cip0 which is not originally registered in the zone to zone=trusted
Format:
firewall-cmd --permanent --zone=trusted --add-interface=<interface>
Example:
firewall-cmd --permanent --zone=trusted --add-interface=cip0
Change zone of interface cip0 which is originally registered in another zone to trusted
Format:
firewall-cmd --permanent --zone=trusted --change-interface=<interface>
Example:
firewall-cmd --permanent --zone=trusted --change-interface=cip0
iptables or ip6tables
Format:
-A INPUT -i <input-interface> -j ACCEPT
-A OUTPUT -o <output-interface> -j ACCEPT
Example:
-A INPUT -i cip0 -j ACCEPT
-A OUTPUT -o cip0 -j ACCEPT
nftables
Format:
nft add rule ip filter INPUT iifname <input-interface> accept
nft add rule ip filter OUTPUT oifname <output-interface> accept
Example:
nft add rule ip filter INPUT iifname "cip0" accept
nft add rule ip filter OUTPUT oifname "cip0" accept
When allowing the port number used by PRIMECLUSTER
See "Appendix I Systemd Services and Startup Daemons, and Port Numbers in PRIMECLUSTER" and allow communication of all port numbers used by PRIMECLUSTER.
When using CF over IP, you must also allow communication of the protocol (protocol number 123) used for CF over IP.
The following is an example that allows communication on some of the port numbers used by the cluster resource management facility between the local node and other nodes.
firewalld
Allow communication to a specific port number
Format:
firewall-cmd --permanent --zone=<zone> --add-port=<destination-port-number>/<tcp/udp>
Example:
firewall-cmd --permanent --zone=public --add-port=9383/tcp
Allow communication from a specific port number
The command options for IPv4 and IPv6 differ from each other.
IPv4
Format:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p <tcp/udp> --sport <source-port-number> -j ACCEPT
Example:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --sport 9383 -j ACCEPT
IPv6
Format:
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p <tcp/udp> --sport <source-port-number> -j ACCEPT
Example:
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p tcp --sport 9383 -j ACCEPT
When allowing communication of CF over IP, add the following setting.
firewall-cmd --permanent --zone=<zone> --add-protocol=123
iptables or ip6tables
Format:
-A <INPUT/OUTPUT> -p <tcp/udp> -m <tcp/udp> --dport <destination-port-number> -j ACCEPT
-A <INPUT/OUTPUT> -p <tcp/udp> -m <tcp/udp> --sport <source-port-number> -j ACCEPT
Example:
-A INPUT -p tcp -m tcp --dport 9383 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 9383 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 9383 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9383 -j ACCEPT
When allowing communication of CF over IP, add the following settings.
-A INPUT -p 123 -j ACCEPT
-A OUTPUT -p 123 -j ACCEPT
nftables
Format:
nft add rule ip filter <INPUT/OUTPUT> <tcp/udp> dport <destination-port-number> accept
nft add rule ip filter <INPUT/OUTPUT> <tcp/udp> sport <source-port-number> accept
Example:
nft add rule ip filter INPUT tcp dport 9383 accept
nft add rule ip filter INPUT tcp sport 9383 accept
nft add rule ip filter OUTPUT tcp dport 9383 accept
nft add rule ip filter OUTPUT tcp sport 9383 accept
When allowing communication of CF over IP, add the following settings.
nft add rule ip filter INPUT ip protocol 123 accept
nft add rule ip filter OUTPUT ip protocol 123 accept
Note
If you changed the firewalld configuration using the '--permanent' option of firewall-cmd, perform one of the following operations instead of restarting the firewalld service.
Restarting the cluster node
Reflecting the change by firewall-cmd --reload
If you changed the configuration of iptables, perform one of the following operations instead of restarting the iptables service.
Restarting the cluster node
Reflecting the change by iptables-restore
If you changed the configuration of ip6tables, perform one of the following operations instead of restarting the ip6tables service.
Restarting the cluster node
Reflecting the change by ip6tables-restore
When using the state module in iptables or ip6tables, place the rules that allow PRIMECLUSTER communication before the state module rules.
In the following example, communication on the cluster interconnect is allowed before the state module rules.
Example:
-A INPUT -i cip0 -j ACCEPT
-A OUTPUT -o cip0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
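As an added check (not part of the PRIMECLUSTER manual), the following POSIX shell script audits an iptables-save style rule listing for the two conditions this chapter sets for the interconnect interface: it must be accepted in both INPUT and OUTPUT, and the INPUT accept must come before any state module rule. The interface name cip0 and the sample rule listing are assumed, constructed values.

```shell
#!/bin/sh
# Added example, not from the PRIMECLUSTER manual. Reads iptables-save output
# on stdin, e.g.: iptables-save | sh audit_interconnect.sh cip0

# audit_interconnect <iface>: prints findings, returns 0 if all checks pass.
audit_interconnect() {
    iface="$1"
    in_line=0     # line of "-A INPUT -i <iface> -j ACCEPT"
    out_line=0    # line of "-A OUTPUT -o <iface> -j ACCEPT"
    state_line=0  # line of the first "-m state" rule in the INPUT chain
    n=0
    while IFS= read -r rule; do
        n=$((n + 1))
        case "$rule" in
            "-A INPUT -i $iface -j ACCEPT")
                [ "$in_line" -eq 0 ] && in_line=$n ;;
            "-A OUTPUT -o $iface -j ACCEPT")
                [ "$out_line" -eq 0 ] && out_line=$n ;;
            "-A INPUT "*"-m state "*)
                [ "$state_line" -eq 0 ] && state_line=$n ;;
        esac
    done
    status=0
    [ "$in_line" -eq 0 ] && { echo "FAIL: no INPUT accept for $iface"; status=1; }
    [ "$out_line" -eq 0 ] && { echo "FAIL: no OUTPUT accept for $iface"; status=1; }
    if [ "$in_line" -ne 0 ] && [ "$state_line" -ne 0 ] && [ "$in_line" -gt "$state_line" ]; then
        echo "FAIL: state rule at line $state_line precedes $iface accept at line $in_line"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "PASS: $iface accepted before state module rules"
    return "$status"
}

# Constructed sample listing in the order the Note above prescribes.
SAMPLE_RULES='-A INPUT -i cip0 -j ACCEPT
-A OUTPUT -o cip0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP'

# Stand-alone run: audit stdin for the given interface, else audit the sample.
if [ -n "${1:-}" ]; then
    audit_interconnect "$1"
else
    printf '%s\n' "$SAMPLE_RULES" | audit_interconnect cip0
fi
```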