How to harden a ldirector?

[P Lao]

Hi,
I use high availability and load balancing with firewall marks, and I would like to use my ldirectors as firewall and harden them as much as I can.
I have tried to add firewall rules with iptables. I could add simple rules like:
iptables -A INPUT -s 0/0 -d 0/0 -p icmp -j DROP
to block pings, for example.

But what bothers me is that on my ldirectors, the default policy in my iptables is ACCEPT.
And when I try to change the default policy to DROP, it obviously interfers with the HA/load balancing setting, and the web site is no longer accessible, even if I add rules that would not be a problem for a server behind a firewall, but without HA/load balancing, like port forwarding for example (port forwarding is done by the HA setting now).

So what can be done to harden a ldirector? Can I set my policies to DROP and add some specific rules so that HA/load balancing still works? What are the minimum rules that a ldirector needs to work properly?

Thanks in advance for any advice.

PL

[falko]

Did you have a look at these tutorials?
http://www.howtoforge.com/linux_iptables_sarge
http://www.howtoforge.com/custom_iptables_firewall

[P Lao]

Thanks for your answer,
Not those indeed (because I had a firewall OK without ldirector before and I tried to understand what needs to be open for a ldirector to work) but right away I am going to ...

[P Lao]

I think that you answered incidentally in the post "High Availability (Load Balancing) behind a firewall" indeed.
The best way not to try do add firewall rules that could interfere with a ldirector is to put the firewall on the apache nodes.
Of course this is about the case where we want to start from default policies set to DROP. If we start from default policies set to ACCEPT, it's easy to add rules like in the tutorials, even on the ldirectors, but in this case I never know what kind of thing I forgot to drop...
And knowing what an apache node needs to be open is obvious, whereas knowing what a ldirector needs to be open seems much less obvious to me.
PL

[P Lao]

Sorry to answer once again my own mail, but I found the answer so I think that might be of interest to other people.
I wasn't pleased not to undestand why my ldirectors got strange and I lost access to my web site when I added standard firewall rules, but with the default to DROP, so I did a few tests, and the problem was (at least) that when there should be a swap between them, the last one didn't stop...which means that it's for heartbeat that something special needs to be open, not for ldirector itself.

The answer is on the HA FAQ:
http://www.linux-ha.org/FAQ#head-909...b4a3963b09b43b

How to use Heartbeat with Ipchains firewall?
To make Heartbeat work with [WWW] Ipchains, you must accept incoming and outgoing traffic on 694 UDP port. Add something like:
/sbin/ipchains -A output -i ethN -p udp -s <source_IP> -d <dest_IP> -j ACCEPT
/sbin/ipchains -A input -i ethN -p udp -s <source_IP> -d <dest_IP> -j ACCEPT

having added those rules on my ldirectors, everything works fine...