Firewall configuration on RAC - 创新互联
The /etc/hosts file on both RAC servers is as follows:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.130.200 hdba hdba
192.168.130.201 hdbb hdbb hdbb
192.168.130.136 hdb-cluster-scan hdb-cluster-scan
192.168.130.137 hdba-vip hdba-vip
192.168.130.138 hdbb-vip hdbb-vip
192.168.148.200 hdba-priv hdba-priv
192.168.148.201 hdbb-priv hdbb-priv
192.168.130.208 hdg hdg
IP information of the instance A server:
[root@hdba ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 5C:B9:01:99:3A:84
inet addr:192.168.148.200 Bcast:192.168.148.255 Mask:255.255.255.0
inet6 addr: fe80::5eb9:1ff:fe99:3a84/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2783160300 errors:0 dropped:0 overruns:0 frame:0
TX packets:2925124606 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2205601483366 (2.0 TiB) TX bytes:2420649621403 (2.2 TiB)
eth0:1 Link encap:Ethernet HWaddr 5C:B9:01:99:3A:84
inet addr:169.254.221.245 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth2 Link encap:Ethernet HWaddr 5C:B9:01:99:3A:85
inet addr:192.168.130.200 Bcast:192.168.130.255 Mask:255.255.255.0
inet6 addr: fe80::5eb9:1ff:fe99:3a85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7365390091 errors:0 dropped:0 overruns:0 frame:0
TX packets:8297092138 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2046603688342 (1.8 TiB) TX bytes:6835745161060 (6.2 TiB)
eth2:2 Link encap:Ethernet HWaddr 5C:B9:01:99:3A:85
inet addr:192.168.130.137 Bcast:192.168.130.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
IP information of the instance B server:
[root@hdbb ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 5C:B9:01:99:38:24
inet addr:192.168.148.201 Bcast:192.168.148.255 Mask:255.255.255.0
inet6 addr: fe80::5eb9:1ff:fe99:3824/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2925138277 errors:0 dropped:0 overruns:0 frame:0
TX packets:2783173132 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2420675528287 (2.2 TiB) TX bytes:2205594234468 (2.0 TiB)
eth0:1 Link encap:Ethernet HWaddr 5C:B9:01:99:38:24
inet addr:169.254.205.69 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth2 Link encap:Ethernet HWaddr 5C:B9:01:99:38:25
inet addr:192.168.130.201 Bcast:192.168.130.255 Mask:255.255.255.0
inet6 addr: fe80::5eb9:1ff:fe99:3825/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6957519128 errors:0 dropped:0 overruns:0 frame:0
TX packets:8365702494 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2024616025362 (1.8 TiB) TX bytes:7204587376017 (6.5 TiB)
eth2:1 Link encap:Ethernet HWaddr 5C:B9:01:99:38:25
inet addr:192.168.130.138 Bcast:192.168.130.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Both servers use the same firewall configuration; the contents of the configuration file /etc/sysconfig/iptables are as follows:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#Allow all traffic arriving from the heartbeat NIC
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth0:1 -j ACCEPT
#Allow the VIPs and the SCAN IP
#Originally, instance A's VIP accesses instance B, so instance A's VIP is added to instance B's firewall; to keep the firewall configuration of both servers identical, the VIPs of both instance A and instance B are allowed
-A INPUT -i eth0 -s 192.168.130.200/32 -j ACCEPT
-A INPUT -i eth0 -s 192.168.130.201/32 -j ACCEPT
-A INPUT -i eth0 -s 192.168.130.137/32 -j ACCEPT
-A INPUT -i eth0 -s 192.168.130.138/32 -j ACCEPT
-A INPUT -i eth0 -s 192.168.130.136/32 -j ACCEPT
-A INPUT -i eth0 -s 192.168.200.11/32 -j ACCEPT
#Trusted IP list: /24 opens the whole subnet, /32 opens only that single IP
-A INPUT -s 10.10.23.0/24 -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 172.31.210.0/24 -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 192.168.74.0/24 -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 192.168.128.137/32 -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
#Open port 1521 to all networks
-A INPUT -p tcp --dport 1521 -j ACCEPT
#The following two lines must stay at the end; if they are placed earlier, the allow rules added after them will not take effect!
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
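The warning above about keeping the REJECT lines last is a consequence of first-match evaluation: iptables walks the INPUT chain from top to bottom and the first rule that matches decides. The following script is an added example, not part of the original post, that models that walk for the rules listed above so they can be checked offline before a reload. It assumes only the option set the excerpt actually uses (-i, -s, -p, --dport, --state, -j), ignores the FORWARD rule and COMMIT, and relies on one kernel fact: the -i match compares the real network device name, and an IP alias label such as eth0:1 is not a device, so a rule written with `-i eth0:1` can never match. The sample packets are constructed from the addresses in the page's /etc/hosts and ifconfig output.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed from the /etc/sysconfig/iptables excerpt above (comments, the
# FORWARD rule and COMMIT left out: only the INPUT chain is modelled).
RULES_TEXT = """\
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth0:1 -j ACCEPT
-A INPUT -i eth0 -s 192.168.130.200/32 -j ACCEPT
-A INPUT -i eth0 -s 192.168.130.201/32 -j ACCEPT
-A INPUT -i eth0 -s 192.168.130.137/32 -j ACCEPT
-A INPUT -i eth0 -s 192.168.130.138/32 -j ACCEPT
-A INPUT -i eth0 -s 192.168.130.136/32 -j ACCEPT
-A INPUT -i eth0 -s 192.168.200.11/32 -j ACCEPT
-A INPUT -s 10.10.23.0/24 -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 172.31.210.0/24 -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 192.168.74.0/24 -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 192.168.128.137/32 -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A INPUT -p tcp --dport 1521 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

@dataclass(frozen=True)
class Rule:
    iface: Optional[str]
    src: Optional[ipaddress.IPv4Network]
    proto: Optional[str]
    dport: Optional[int]
    states: Optional[FrozenSet[str]]
    target: str

@dataclass(frozen=True)
class Packet:
    iface: str  # device the kernel reports; an IP alias label (eth0:1) never is one
    src: str
    proto: str
    dport: Optional[int] = None
    state: str = "NEW"  # conntrack state as tested by "-m state"

ONE_ARG = {"-A", "-i", "-s", "-p", "-m", "--state", "--dport", "-j", "--reject-with"}

def parse_rule(line: str) -> Rule:
    """Parse one iptables-save style INPUT line; every option used here takes one argument."""
    tokens = line.split()
    if len(tokens) % 2 or tokens[:2] != ["-A", "INPUT"] or any(t not in ONE_ARG for t in tokens[::2]):
        raise ValueError(f"unsupported or malformed rule: {line}")
    opts = dict(zip(tokens[::2], tokens[1::2]))  # "-m state"/"-m tcp" only load modules
    return Rule(opts.get("-i"),
                ipaddress.ip_network(opts["-s"]) if "-s" in opts else None,
                opts.get("-p"), int(opts["--dport"]) if "--dport" in opts else None,
                frozenset(opts["--state"].split(",")) if "--state" in opts else None,
                opts["-j"])

def matches(rule: Rule, pkt: Packet) -> bool:
    """The kernel's tests: -i compares the real device name, so an alias label never matches."""
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.states is None or pkt.state in rule.states))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First match wins: (target, 1-based rule number), or ("POLICY", 0) if nothing matched."""
    for n, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.target, n
    return "POLICY", 0

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    return ((outer.iface is None or outer.iface == inner.iface)
            and (outer.src is None or (inner.src is not None and inner.src.subnet_of(outer.src)))
            and (outer.proto is None or outer.proto == inner.proto)
            and (outer.dport is None or outer.dport == inner.dport)
            and (outer.states is None or (inner.states is not None and inner.states <= outer.states)))

def dead_rules(rules: List[Rule]) -> List[int]:
    """1-based numbers of rules that can never decide anything: an earlier rule
    fully covers them, or their -i names an IP alias label the kernel never reports."""
    return [k for k, r in enumerate(rules, start=1)
            if (r.iface and ":" in r.iface) or any(covers(o, r) for o in rules[:k - 1])]

def with_reject_first(rules: List[Rule]) -> List[Rule]:
    """The misordering the page warns about: the trailing REJECT moved to the top."""
    return [rules[-1]] + rules[:-1]

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]
# Constructed sample packets built from the page's own addresses.
INTERCONNECT = Packet("eth0", "192.168.148.201", "udp", 42424)  # from hdbb-priv
VIP_LISTENER = Packet("eth2", "192.168.130.138", "tcp", 1521)   # from hdbb-vip, public NIC
TRUSTED_CLIENT = Packet("eth2", "10.10.23.5", "tcp", 1521)
OTHER_PORT = Packet("eth2", "10.10.23.5", "tcp", 3306)

if __name__ == "__main__":
    for pkt in (INTERCONNECT, VIP_LISTENER, TRUSTED_CLIENT, OTHER_PORT):
        print(pkt.src, pkt.proto, pkt.dport, "on", pkt.iface, "->", evaluate(RULES, pkt))
    print("dead rules:", dead_rules(RULES),
          "| REJECT first:", evaluate(with_reject_first(RULES), TRUSTED_CLIENT))
```

Run as-is, the model reports three things worth knowing about this chain. First, with the REJECT moved to the top, every packet is rejected by rule 1, which is the failure the comment in the file warns about. Second, rules 4 to 9 (the VIP and SCAN allows) are dead: they are restricted to eth0, and rule 2 already accepts everything arriving on eth0 from any source. Per the ifconfig output, the VIP and SCAN addresses in 192.168.130.0/24 sit on eth2, so listener traffic between the nodes' VIPs on eth2 is admitted by the catch-all port-1521 rule (rule 14), not by rules 4 to 9. Third, rule 3 (`-i eth0:1`) never matches because packets on the alias address are received on eth0. None of this changes what the running firewall permits today, but it tells you which rules carry the policy and which would silently stop working if rule 2 or rule 14 were ever tightened.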
Current URL: http://azwzsj.com/article/dgcoge.html