Hi All,
I seem to be having a problem with an application i'm running when i enable the firewall. The application works as part of a cluster and has constant communications running between two nodes. To make life easy all i did between the two nodes as firewall rules is the following:-
iptables -A INPUT -i bond0 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -i bond0 -s x.x.x.x -j ACCEPT
iptables -A INPUT -i bond0 -s x.x.x.x -j ACCEPT

OK, now to me these rules if run on both servers will make sure each server can connect to any port using any protocol (tcp,udp,icmp), and then I'm logging any packets that are otherwise dropped. The rules above are as part of a greater set of rules but these are more or less the first set of rules in the list and therefore any communications between the hosts should not be dropped at all.

However i can't see any packets being dropped that may have stopped this application from working properly. However if i'm wrong in thinking that the above rules do allow all protocols and ports open to the hosts specified then that could be my problem?

Cheers

hi,

i'm not sure about this, pls explain more details,
the -i bond0 refers to which devices? 2 or more NIC on single server or maybe you have any other perspective?
and the -s 127/8 points to what/where? are you trying to filter ip spoofing?

yup, generally speaking - i think it is.
i see that you had only ACCEPT action from your posted rules for those x.x.x.x sources, so how can iptables block/DROP any traffic as you required to?

Hi there,
Yes you are correct bond0 refers to eth0 and eth1 network interfaces. These run in an active passive set-up (only one running at any one time).

127.0.0.1/8 is standard localhost and i'm eusuring the localhost can route packets to itself. Exactly my question i accept all packets between these hosts and log anything that is dropped. And no packets between the hosts are dropped at any point (that is only a tiny snippet of the rules). And yet with the firewall on the application between the hosts doesn't run and with iptables off the application runs fine. I've set-up no limits on number of packets to be sent in amount of time or anything of this nature.

However this no longer really matters, but i still would have liked to have got to the bottom of the problem.

Cheers,
MJ

hi,

ya - but you've put it in wrong interface i think
should be on loopback interface.

and yours :
this is very dangerous thing to do in a live/production network

you should LOG the bad packet first prior to DROP/REJECT, if you DROP them first then you cant LOG them.

Yep i know that thanks, thats my point they're not logged and they should be because all log statements come before any drop statements. Thats why this is so much of a mystery.

Yes well spotted, 127/8 should be on loopback, didnt think about that one, and in fact can probably not even required to put anything in for the loopback interface as is only local traffic anyway.

I'd forget about it, i don't think i will be able to get to the bottom of it which is rather annoying. It doesn't make sence, but at the same time we're not going to be using this application anymore so it doesn't matter.
Cheers,
MJ