最近在两台linux服务器里面安装keepalived,配置好后发现两台机器都是master状态,网上搜索发现是防火墙没有允许vrrp的组播,两台服务器分别是centos7和suse系统
上网找了很久才找到这两个系统下开放vrrp组播的方法,特此记之。
使用keepalived组播的话需要修改防火墙设置:
centos 6下面修改防火墙
vi /etc/sysconfig/iptables 增加这个
-A INPUT -p 112 -d 224.0.0.0/32 -j ACCEPT #-p 112指定协议为112,也可-p vrrp即vrrp,keepalived组播地址是224.0.0.18
centos7下面改防火墙
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface enp4s0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
firewall-cmd --reload
suse下面修改防火墙
vi /etc/sysconfig/SuSEfirewall2
将下面这行的注释去掉
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
并将下面这行注释掉
FW_CUSTOMRULES=""
然后
vi /etc/sysconfig/scripts/SuSEfirewall2-custom
fw_custom_before_antispoofing() {
# these rules will be loaded before any anti spoofing rules will be
# loaded. Effectively the only filter lists already effective are
# 1) allow any traffic via the loopback interface, 2) allow DHCP stuff,
# 3) allow SAMBA stuff [2 and 3 only if FW_SERVICE_... are set to "yes"]
# You can use this hook to prevent logging of uninteresting broadcast
# packets or to allow certain packet through the anti-spoofing mechanism.
#example: allow incoming multicast packets for any routing protocol
#iptables -A INPUT -j ACCEPT -d 224.0.0.0/24
#添加下面这行
iptables -A INPUT -p vrrp -j ACCEPT -d 224.0.0.18
true
}
修改防火墙后记得重启防火墙。
然后再看系统的ip地址,发现恢复正常,只有一台机器是master状态了。
