Setting up firewall creates problems

Thu, 05/12/2011 - 03:55
membaseuser_dk

Hi

I have used iptables to set up a firewall on each of the membase nodes. All traffic is accepted for these ports:

11211, 11210, 4369, 8091 and the port range from 21100 to 21199.

However, when trying to remove a node it was not possible and this appeared in the log:

Rebalance exited with reason wait_for_memcached_failed

Now, when removing the firewall setup, it is removed and rebalanced again. What am I missing? A port?

If I do a lsof -i I get:

sshd 1519 root 3u IPv6 4176 TCP *:ssh (LISTEN)
sshd 1519 root 4u IPv4 4178 TCP *:ssh (LISTEN)
epmd 1538 membase 3u IPv4 6249 TCP *:4369 (LISTEN)
beam.smp 1555 membase 15u IPv4 3999 TCP *:8091 (LISTEN)
beam.smp 1555 membase 19u IPv4 7284 TCP *:21101 (LISTEN)
memcached 1589 membase 37u IPv6 5279 TCP *:11210 (LISTEN)
memcached 1589 membase 38u IPv4 5280 TCP *:11210 (LISTEN)
memcached 1589 membase 39u IPv6 5283 UDP *:11210
memcached 1589 membase 40u IPv4 5284 UDP *:11210
moxi 1759 membase 43u IPv6 7216 TCP *:55286 (LISTEN)
moxi 1759 membase 44u IPv4 7217 TCP *:43449 (LISTEN)
moxi 1759 membase 45u IPv6 7220 TCP *:11211 (LISTEN)
moxi 1759 membase 46u IPv4 7221 TCP *:11211 (LISTEN)

... and there are also lines like this:

memcached 1589 membase 105u IPv4 10385 TCP 192.168.148.229:11210->192.168.167.27:35439 (ESTABLISHED)

... does that mean a new port 11210 -> 35439?

Thanks

Wed, 05/18/2011 - 11:26
perry

I'll have to try and reproduce this in house, there shouldn't be a requirement for any other ports to be open.

Perry

__________________

Forum support is great for free but sometimes you need a guaranteed response time and dedicated resources for your questions or issues.
Consider purchasing enterprise-level support from Couchbase: http://www.couchbase.com/products-and-services/overview
Call or email "sales -at- couchbase-dot- com" today!

Wed, 05/18/2011 - 13:14
perry

Can you please post your iptables rules?

Wed, 05/25/2011 - 00:06
membaseuser_dk

Hi Perry

I got it working. I added this line:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

... and

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

This is necessary I think because some of the already established connections will spawn some new ones, correct?

I also added support for UDP both for frontends and backends like so:

iptables -A INPUT -p udp -s xxx.xxx.xxx.xxx --dport 11210 -j ACCEPT

... not sure this is necessary but I saw UDP protocols when using lsof -i.

Thanks
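
A complete ruleset built around the fix in this thread, as an added example that is not part of the original posts or Membase's own tooling: it generates iptables-restore input with the RELATED,ESTABLISHED rule first and the thread's TCP ports opened only to named hosts. The default-DROP policies, the function names and the sample address in the last line are assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for one Membase node.
# Ports are the ones listed in the thread; default-DROP policy is assumed.
CLUSTER_PORTS="4369,8091,11210,11211,21100:21199"

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# membase_rules HOST...: print the ruleset for the hosts (other nodes and
# clients) allowed to reach this node; fail on a malformed address.
membase_rules() {
    [ "$#" -ge 1 ] || { echo "usage: membase_rules HOST_IP..." >&2; return 2; }
    for host in "$@"; do
        is_ipv4 "$host" || { echo "bad address: $host" >&2; return 2; }
    done
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT DROP [0:0]"
    for chain in INPUT OUTPUT; do
        # Stateful rule first: replies to a connection a node opened come
        # back to its ephemeral port (35439 on the remote side of the lsof
        # line), which no port-based rule matches.
        echo "-A $chain -m state --state RELATED,ESTABLISHED -j ACCEPT"
    done
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    for host in "$@"; do
        # New connections only to and from listed hosts, only on cluster ports.
        echo "-A INPUT -p tcp -s $host -m multiport --dports $CLUSTER_PORTS -m state --state NEW -j ACCEPT"
        echo "-A OUTPUT -p tcp -d $host -m multiport --dports $CLUSTER_PORTS -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

membase_rules 192.168.167.27   # peer address taken from the lsof line above
```

The output is in the format iptables-restore reads. It contains no SSH rule, so add one for your admin source before loading it on a remote host.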
