jet*_*boy (score 6) | tags: iptables, pacemaker, corosync
I have two HA load balancers (hollywood and wolfman) running Corosync and Pacemaker. The eth1 interface is connected to the WAN, and the eth0 interface to the LAN, with a virtual IP used as the gateway for the backend servers. The eth1 IP of hollywood is xxx.xxx.195.45, and the eth1 IP of wolfman is xxx.xxx.195.46. The bindnetaddr in Corosync is xxx.xxx.195.32, which is also the network address of the WAN, and the Corosync port is the default, 5405.

The relevant iptables rules on both servers are:
*filter
--flush
:INPUT DROP
--append INPUT --protocol udp --destination-port 5404 --jump ACCEPT
--append INPUT --protocol udp --destination-port 5405 --jump ACCEPT
This setup seems to work fine, but originally I had added --in-interface eth1 and --source xxx.xxx.195.46 to wolfman, and --source xxx.xxx.195.45 to hollywood. Most of the time that seemed to work, but restarting the passive balancer would sometimes kill communication between the load balancers, writing these errors to syslog:

[TOTEM ] Totem is unable to form a cluster because of an operating system or network fault. The most common cause of this message is that the local firewall is configured improperly.

So my simple belief that all Corosync traffic travels directly between the two load balancers over eth1 seems to be wrong, or something else is causing the problem.

I want to lock down ports 5404/5405 in iptables to the cluster. What do I need to do to achieve this?

Edit: corosync.conf, as requested. It is the default apart from bindnetaddr.
# Please read the openais.conf.5 manual page
totem {
version: 2
# How long before declaring a token lost (ms)
token: 3000
# How many token retransmits before forming a new configuration
token_retransmits_before_loss_const: 10
# How long to wait for join messages in the membership protocol (ms)
join: 60
# How long to wait for consensus to be achieved before starting a new round of membership configuration (ms)
consensus: 3600
# Turn off the virtual synchrony filter
vsftype: none
# Number of messages that may be sent by one processor on receipt of the token
max_messages: 20
# Limit generated nodeids to 31-bits (positive signed integers)
clear_node_high_bit: yes
# Disable encryption
secauth: off
# How many threads to use for encryption/decryption
threads: 0
# Optionally assign a fixed node id (integer)
# nodeid: 1234
# This specifies the mode of redundant ring, which may be none, active, or passive.
rrp_mode: none
interface {
# The following values need to be set based on your environment
ringnumber: 0
bindnetaddr: xxx.xxx.195.32
mcastaddr: 226.94.1.1
mcastport: 5405
}
}
amf {
mode: disabled
}
service {
# Load the Pacemaker Cluster Resource Manager
ver: 0
name: pacemaker
}
aisexec {
user: root
group: root
}
logging {
fileline: off
to_stderr: yes
to_logfile: no
to_syslog: yes
syslog_facility: daemon
debug: off
timestamp: on
logger_subsys {
subsys: AMF
debug: off
tags: enter|leave|trace1|trace2|trace3|trace4|trace6
}
}
By default, Corosync uses IP multicast to communicate between nodes:
mcastaddr: 226.94.1.1
mcastport: 5405
Configure the firewall to allow multicast traffic:
# iptables -A INPUT -p igmp -j ACCEPT
# iptables -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
# iptables -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
or switch to unicast.
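One way to lock the Totem ports down to the cluster members, as the question asks, rather than accepting UDP 5404/5405 from anywhere, is to generate the ruleset from the peer list. This is an added example, not code from the original post or answer; it assumes eth1 as the cluster interface, the mcastaddr from the posted corosync.conf, and constructed placeholder peer addresses in place of the masked ones.

```shell
#!/bin/sh
# Added example (not from the original post or answer). Emits an
# iptables-restore ruleset that restricts Corosync's Totem traffic to the
# cluster members themselves. Inputs: the cluster interface, the mcastaddr
# from corosync.conf, and the peers' unicast addresses (space separated).
corosync_ruleset() {
    iface=$1
    mcast=$2
    peers=$3
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    # Loopback (a node's own multicast sends are looped back locally) and
    # already-established flows stay open.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # IGMP keeps the node joined to the multicast group; the answer's
    # blanket "-p igmp" rule is narrowed to the cluster interface here.
    printf '%s\n' "-A INPUT -i $iface -p igmp -j ACCEPT"
    for peer in $peers; do
        # Multicast Totem messages: a known peer sending to the configured group.
        printf '%s\n' "-A INPUT -i $iface -s $peer -d $mcast -p udp -m multiport --dports 5404,5405 -j ACCEPT"
        # Unicast Totem traffic (the token) from the same peer to this host only.
        printf '%s\n' "-A INPUT -i $iface -s $peer -p udp -m addrtype --dst-type LOCAL -m multiport --dports 5404,5405 -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Count the rules that name a given peer, so the generated set can be
# sanity-checked before it is loaded with iptables-restore.
rules_for_peer() {
    corosync_ruleset "$1" "$2" "$3" | grep -c -- "-s $4 "
}

# Example invocation with constructed placeholder peer addresses
# (192.0.2.45 / 192.0.2.46 stand in for the masked xxx.xxx.195.45 / .46).
corosync_ruleset eth1 226.94.1.1 "192.0.2.45 192.0.2.46"
```

Pipe the output into iptables-restore on each node; each node's own address can stay in the peer list, since the loopback rule already covers locally looped-back multicast.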