Linux Netfilter discussions
From: muhaimin <muhaimin.dzulfakar@extol.com.my>
To: "Jörg Harmuth" <harmuth@mnemon.de>, netfilter@lists.netfilter.org
Subject: Re: iptables and keepalived
Date: Thu, 28 Jul 2005 22:10:27 -0700
Message-ID: <42E9BA43.8070007@extol.com.my>
In-Reply-To: <42E8FADD.2000909@mnemon.de>

Jörg Harmuth wrote:

>muhaimin schrieb:
>
>>I try keepalived on the firewall. With normal configuration, I could ping
>>internal machine to external network. The problem is when I use virtual
>>ip address (assigned by keepalived), I couldn't ping the external
>>network. Maybe the iptables can't identify the virtual ip. Is there anything
>>I can do to solve this?
>
>May be. It could be helpful to post your rules and the output of
>ifconfig and other things that might be involved.
>
>Have a nice time,
>
>Joerg

You can't view your virtual interface with keepalived. It doesn't use
something like eth0:0. I can just see my real interface

eth0      Link encap:Ethernet  HWaddr 00:11:25:AB:3F:F4 
          inet addr:10.1.1.102  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::211:25ff:feab:3ff4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3179 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:333415 (325.6 KiB)  TX bytes:526997 (514.6 KiB)
          Base address:0x2000 Memory:d0120000-d0140000

eth1      Link encap:Ethernet  HWaddr 00:11:25:AB:3F:F5 
          inet addr:192.168.1.33  Bcast:192.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::211:25ff:feab:3ff5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:832 (832.0 b)  TX bytes:718 (718.0 b)
          Base address:0x4400 Memory:d0340000-d0360000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

But I can ping my virtual interface. But not the internal machine. In the
normal configuration, here is my architecture.

         pc1 ------------eth0 [firewall ] eth0---------------pc2

I use eth0 ip as gateway for pc1 and eth0 as a gateway for pc2. I can just
ping until eth0 for pc1 until I do this in my iptables

# Variables used below: the post states EXTIF=eth0; IPTABLES and INTIF=eth1
# are assumed (eth1 taken from the ifconfig listing above)
IPTABLES=/sbin/iptables
EXTIF=eth0
INTIF=eth1

# Reset the default policies and flush the filter and nat tables
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
# Replies to connections opened from the inside are allowed back in
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything from the inside may go out
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Everything else reaching FORWARD is logged, then hits the DROP policy
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
# Rewrite the source of outgoing packets to the primary address of $EXTIF
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Note that EXTIF=eth0.

Then, i can ping pc2 from pc1.

But when I change both gateways to the virtual ip of eth0 and eth1, I can't
ping both machines. So I suspect iptables does not recognise the virtual ip
of eth0.



-- 
Muhaimin Dzulfakar
Security Engineer
Extol Corporation (M) Sdn Bhd
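The post above relies on ifconfig, which prints only one IPv4 address per interface; keepalived VIPs are added as extra addresses (a /32 by default) and so never show up there, while `ip -4 -o addr show` lists them. The following script is an added example, not part of the thread: it parses that output, counts addresses per interface and checks whether the VIP that clients use as their gateway is really present on the expected interface, which is the first thing to verify before suspecting the FORWARD rules. The sample output and the VIP 10.1.1.100 are constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread: enumerate every IPv4
# address per interface from `ip -4 -o addr show` output. ifconfig prints
# only the primary address of an interface, so a keepalived VIP (added as
# a /32 by default) does not appear there but does appear here.

# Constructed sample of `ip -4 -o addr show` output, modelled on the
# ifconfig listing in the post. 10.1.1.100 is an assumed keepalived VIP.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.1.1.102/8 brd 10.255.255.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 10.1.1.100/32 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.1.33/8 brd 192.255.255.255 scope global eth1\       valid_lft forever preferred_lft forever'

# list_ipv4_addrs OUTPUT: print "ifname address/prefix" for every IPv4
# address, including the secondary ones that ifconfig hides.
list_ipv4_addrs() {
    printf '%s\n' "$1" | awk '$3 == "inet" { print $2, $4 }'
}

# count_addrs OUTPUT IFNAME: number of IPv4 addresses on an interface.
count_addrs() {
    printf '%s\n' "$1" | awk -v ifn="$2" \
        '$3 == "inet" && $2 == ifn { n++ } END { print n + 0 }'
}

# has_addr OUTPUT IFNAME ADDRESS: exit 0 if ADDRESS is configured on
# IFNAME, else 1. Verifies the VIP clients use as gateway is really on
# the expected interface; if not, look at keepalived/VRRP state first.
has_addr() {
    printf '%s\n' "$1" | awk -v ifn="$2" -v ip="$3" '
        $3 == "inet" && $2 == ifn { split($4, a, "/"); if (a[1] == ip) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# report [OUTPUT]: addresses per interface plus the VIP check. On a live
# firewall call it as: report "$(ip -4 -o addr show)"
report() {
    out=${1:-$SAMPLE_IP_ADDR}
    list_ipv4_addrs "$out"
    for ifn in $(printf '%s\n' "$out" | awk '$3 == "inet" { print $2 }' | sort -u); do
        echo "$ifn: $(count_addrs "$out" "$ifn") IPv4 address(es)"
    done
    if has_addr "$out" eth0 10.1.1.100; then
        echo "VIP 10.1.1.100 is configured on eth0"
    else
        echo "VIP 10.1.1.100 is NOT on eth0: check keepalived state first"
    fi
}

report
```

The interface-based FORWARD rules in the post do not depend on which address a packet carries, so once the VIP is confirmed present on the interface the rules themselves treat VIP-addressed traffic no differently from traffic to the primary address.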
