Block/unblock a node from joining a cluster
In some situations, customers may want to prevent a node from joining a cluster.
This may be for various reasons, for example to do maintenance or tests without changing the node's configuration while still requiring the asd daemon to come up (or to have a chance of coming up). This is not common at all.
Backup your current firewall settings:
iptables-save > /etc/iptables.lastrules
Use iptables to block the incoming fabric (port 3001) and heartbeat (port 3002) traffic from that node; the port numbers below assume the default Aerospike configuration. For example, if the node has IP address 10.231.1.85, run this on all other nodes (the rules match on the source address, since on those nodes the blocked node is the sender):
iptables -I INPUT -p tcp --dport 3002 -s 10.231.1.85/32 -j REJECT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.85/32 -j REJECT
Note: always use REJECT rather than DROP for a quick result. An iptables REJECT actively answers the caller with icmp-port-unreachable by default, so the peer can immediately act on the unreachable connection. DROP instead simulates 100% packet loss, as packets are silently discarded, and it can take a while for the caller to realise that the host is down, since its connections only time out for lack of a response.
Alternatively, you may need to allow only a specific set of node(s) to join the cluster while rejecting all other requests. Append a catch-all REJECT first, then insert ACCEPT rules ahead of it for each allowed node:
iptables -A OUTPUT -p tcp --dport 3002 -d 0.0.0.0/0 -j REJECT
iptables -I OUTPUT -p tcp --dport 3002 -d 10.231.1.80/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 3001 -d 10.231.1.80/32 -j ACCEPT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.80/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 3002 -d 10.231.1.81/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 3001 -d 10.231.1.81/32 -j ACCEPT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.81/32 -j ACCEPT
. . .
iptables -I OUTPUT -p tcp --dport 3002 -d 10.231.1.84/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 3001 -d 10.231.1.84/32 -j ACCEPT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.84/32 -j ACCEPT
Note that the only catch-all in this example is on outbound heartbeat connections (OUTPUT, port 3002); the ACCEPT rules are inserted before it (-I), so they are evaluated first. Add matching catch-all REJECT rules for the other port and direction if you want those covered too.
On reboot, the above settings will be gone. If the settings were saved permanently, or you want to undo them without rebooting, restore the previous rules from the backup taken earlier:
iptables-restore < /etc/iptables.lastrules
Notes:
- Apply the rules on every node in the cluster.
- On CentOS/RHEL, use "service iptables save" to keep the settings across reboots.
- DROP silently discards the packet, while REJECT responds with an error.
- You could delete the rules manually one at a time (iptables -D with the same arguments), but it is easier to restore from the backup.
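The whole procedure above (back up, block one node, or allow-list a set of nodes, restore) as one script. This is an added example, not part of the original article or of Aerospike's own tooling; it assumes the default fabric (3001) and heartbeat (3002) ports, the backup path used above, and that it runs as root on each node of the cluster. With DRY_RUN=1 it prints the rules instead of applying them, which is the way to check them before touching a live node.

```shell
#!/bin/sh
# Added example (not from the Aerospike KB article): build and apply the
# iptables rules for blocking one node, or for allow-listing a set of nodes,
# on the fabric (3001) and heartbeat (3002) ports. Ports are the Aerospike
# defaults; override FABRIC_PORT / HEARTBEAT_PORT if yours differ.
# Usage: block_node.sh backup | block <ip> | allow <ip>... | restore
# Set DRY_RUN=1 to print the rules instead of applying them.

FABRIC_PORT=${FABRIC_PORT:-3001}
HEARTBEAT_PORT=${HEARTBEAT_PORT:-3002}
BACKUP=${BACKUP:-/etc/iptables.lastrules}

# Rules that keep node $1 out of this node's cluster: reject what it sends us
# on the fabric and heartbeat ports, and what we would send it. REJECT (not
# DROP) so the peer gets an ICMP port-unreachable instead of timing out.
block_rules() {
    ip="$1"
    cat <<EOF
iptables -I INPUT -p tcp --dport $HEARTBEAT_PORT -s $ip/32 -j REJECT
iptables -I INPUT -p tcp --dport $FABRIC_PORT -s $ip/32 -j REJECT
iptables -I OUTPUT -p tcp --dport $HEARTBEAT_PORT -d $ip/32 -j REJECT
iptables -I OUTPUT -p tcp --dport $FABRIC_PORT -d $ip/32 -j REJECT
EOF
}

# Rules that admit only the listed peers: one catch-all REJECT per port and
# direction (appended with -A, so it stays last), then ACCEPT rules inserted
# ahead of it (-I) for each allowed peer, covering both ports and directions.
allow_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $HEARTBEAT_PORT -j REJECT
iptables -A INPUT -p tcp --dport $FABRIC_PORT -j REJECT
iptables -A OUTPUT -p tcp --dport $HEARTBEAT_PORT -j REJECT
iptables -A OUTPUT -p tcp --dport $FABRIC_PORT -j REJECT
EOF
    for ip in "$@"; do
        cat <<EOF
iptables -I INPUT -p tcp --dport $HEARTBEAT_PORT -s $ip/32 -j ACCEPT
iptables -I INPUT -p tcp --dport $FABRIC_PORT -s $ip/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport $HEARTBEAT_PORT -d $ip/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport $FABRIC_PORT -d $ip/32 -j ACCEPT
EOF
    done
}

# Read rule lines on stdin and run each one; with "dry" as $1, print instead.
apply_rules() {
    mode="${1:-}"
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if [ "$mode" = dry ]; then
            echo "$rule"
        else
            eval "$rule" || return 1   # eval splits the line into argv
        fi
    done
}

# Number of rule lines on stdin; a quick sanity check before applying.
rule_count() { grep -c '^iptables '; }

case "${1:-}" in
    backup)  iptables-save > "$BACKUP" ;;
    restore) iptables-restore < "$BACKUP" ;;
    block)   block_rules "$2" | apply_rules "${DRY_RUN:+dry}" ;;
    allow)   shift; allow_rules "$@" | apply_rules "${DRY_RUN:+dry}" ;;
    *)       ;;   # no action: sourced for its functions
esac
```

Run "DRY_RUN=1 sh block_node.sh block 10.231.1.85" on each of the other nodes to see the four rules it would add, then drop DRY_RUN to apply them; "sh block_node.sh restore" puts the backed-up rules back. Unlike the hand-typed example in the article, the allow-list variant adds a catch-all for both ports in both directions, so a node that is not listed can neither reach us nor be reached from us on the cluster ports.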