Block/unblock a node from joining a cluster


#1

block/unblock a node from joining a cluster

Problem Description

In some situations, customers may want to prevent a node from joining a cluster.

Explanation

This may be due to various reasons, potentially to do some maintenance/tests without changing a node’s configuration but requiring the asd daemon to come up (or having a chance of coming up). This is not common at all.

Solution

Backup your current firewall settings:

iptables-save > /etc/iptables.lastrules

Use iptables to block the incoming traffic, e.g. if the node has IP address 10.231.1.85, then you will run this on all other nodes:

# reject inbound heartbeat (3002) and fabric (3001) connections coming from the node
iptables -I INPUT -p tcp --dport 3002 -s 10.231.1.85/32 -j REJECT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.85/32 -j REJECT

Note, you always want to use REJECT for a quick result. IPtables REJECT will actively respond to the caller with icmp-port-unreachable by default, allowing the host to immediately take action on an unreachable connection. If you use DROP, this will simulate 100% packet loss instead, as packets will simply be silently dropped. This may then take a while for the caller to realise that the host is down by the fact the connections are timing out with lack of response.

Alternatively, you may need to specify a set of allowable node(s) to join a cluster while rejecting all other requests:


iptables -A OUTPUT -p tcp --dport 3002 -d 0.0.0.0/0 -j REJECT

iptables -I OUTPUT -p tcp --dport 3002 -d 10.231.1.80/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 3001 -d 10.231.1.80/32 -j ACCEPT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.80/32 -j ACCEPT

iptables -I OUTPUT -p tcp --dport 3002 -d 10.231.1.81/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 3001 -d 10.231.1.81/32 -j ACCEPT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.81/32 -j ACCEPT
...
iptables -I OUTPUT -p tcp --dport 3002 -d 10.231.1.84/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 3001 -d 10.231.1.84/32 -j ACCEPT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.84/32 -j ACCEPT

On reboot, the above settings will be gone. However, if settings are changed permanently, you can restore to previous settings:

iptables-restore /etc/iptables.lastrules
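As an added example (not from the original post, nor Aerospike's own tooling), the following POSIX shell script generates the rule sets from both the block section and the allow-list section above as text, so they can be reviewed on each node before being piped to sh, and refuses any address that is not a plain dotted-quad IPv4 address before it is placed into a command line. The port numbers 3001/3002 and the backup path /etc/iptables.lastrules are taken from the post; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: build the iptables rules
# described above as text, for review before they are applied with sh.
# Assumed as in the post: 3001 = fabric port, 3002 = heartbeat port.
FABRIC_PORT=3001
HEARTBEAT_PORT=3002
BACKUP_FILE=/etc/iptables.lastrules

# Return 0 only for a plain dotted-quad IPv4 address (four octets, each 0-255);
# anything else is refused before it can reach a command line.
is_ipv4() {
    case "$1" in
        '' | *[!0-9.]* | .* | *. | *..* | *.*.*.*.*) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Rules that cut one node off: run these on every *other* node. Inbound
# heartbeat and fabric connections from it are REJECTed, so the peer gets an
# immediate port-unreachable instead of the timeout DROP would produce.
block_node_rules() {
    is_ipv4 "$1" || { echo "block_node_rules: not an IPv4 address: $1" >&2; return 1; }
    printf 'iptables -I INPUT -p tcp --dport %s -s %s/32 -j REJECT\n' "$HEARTBEAT_PORT" "$1"
    printf 'iptables -I INPUT -p tcp --dport %s -s %s/32 -j REJECT\n' "$FABRIC_PORT" "$1"
}

# Allow-list variant: one default REJECT appended to the end of OUTPUT, then
# per-node ACCEPTs inserted at the top so they are evaluated first (order matters).
# An empty allow-list is refused: it would only emit the REJECT and isolate the node.
allowlist_rules() {
    [ $# -gt 0 ] || { echo "allowlist_rules: no nodes given" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "allowlist_rules: not an IPv4 address: $ip" >&2; return 1; }
    done
    printf 'iptables -A OUTPUT -p tcp --dport %s -d 0.0.0.0/0 -j REJECT\n' "$HEARTBEAT_PORT"
    for ip in "$@"; do
        printf 'iptables -I OUTPUT -p tcp --dport %s -d %s/32 -j ACCEPT\n' "$HEARTBEAT_PORT" "$ip"
        printf 'iptables -I OUTPUT -p tcp --dport %s -d %s/32 -j ACCEPT\n' "$FABRIC_PORT" "$ip"
        printf 'iptables -I INPUT -p tcp --dport %s -s %s/32 -j ACCEPT\n' "$FABRIC_PORT" "$ip"
    done
}

# Prefix any rule set with the backup the post starts with, so the generated
# script can always be undone with: iptables-restore "$BACKUP_FILE"
with_backup() {
    printf 'iptables-save > %s\n' "$BACKUP_FILE"
    "$@"
}

# Usage (review the output first, then re-run piped to sh as root on each node):
#   with_backup block_node_rules 10.231.1.85
#   with_backup allowlist_rules 10.231.1.80 10.231.1.81 | sh
```

Generating the rules as text rather than executing them directly keeps the review step separate from the change, and the generated output is exactly what goes into the shell history of each node, which makes the maintenance window easy to audit and to undo.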

Notes

Keywords

iptable

Timestamp

9/1/16


#2

I would like to add a small tip about saving iptables rules. If you are using CentOS 7, you can save rules like this:

$ service iptables save

Or if you are using a Debian based distro, you can save rules using iptables-persistent:

$ netfilter-persistent save

Also, the rules order matters, so what comes first wins. I recommend this resource for more info about iptables firewall: iptables firewall examples