I'm trying to set up iptables for a Ceph cluster. I'm currently putting rules together for one of the monitor servers.
The monitor daemon listens on tcp/6789 (IP address removed as it is a public address):
    # netstat -tunlp | grep ceph-mon
    tcp        0      0 X.X.X.X:6789            0.0.0.0:*               LISTEN      2612/ceph-mon

If I allow connections to tcp port 6789 and drop everything else, the monitor is marked as down by the rest of the cluster:

    iptables -F INPUT
    iptables -A INPUT -p tcp --dport 6789 -j ACCEPT
    iptables -A INPUT -j DROP

Confusingly, if I drop all connections to tcp port 6789, the cluster still operates:

    iptables -F INPUT
    iptables -A INPUT -p tcp --dport 6789 -j DROP

If I allow connections with a source tcp port 6789 and drop everything else, the cluster operates:

    iptables -F INPUT
    iptables -A INPUT -p tcp --sport 6789 -j ACCEPT
    iptables -A INPUT -j DROP

This doesn't make sense to me, as the daemon is listening on port 6789, so tcp segments should have a destination port of 6789.
If I do a tcpdump for source port 6789 I can see incoming packets with a destination port of 56052 and a source port of 6789. This makes even less sense to me as there is nothing listening on port 56052 on the monitor server.
Am I missing something here? I'm using SLES12 and Ceph 12.2.7; the FORWARD and OUTPUT chains have no rules, and the policy on all chains is ACCEPT.
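Added example, not part of the original post. The packets seen in the tcpdump above (source port 6789, destination port 56052) are the return half of TCP connections that this ceph-mon opened itself, from an ephemeral local port to a peer's port 6789; a stateless chain that only accepts `--dport 6789` drops those replies, so the peers stop hearing from this monitor. Accepting `--sport 6789` instead happens to let them through, but it also lets any remote host bypass the filter simply by binding its client socket to port 6789, so it is not a fix. The script below builds a stateful INPUT chain using connection tracking. It assumes a Luminous (12.x) monitor that listens only on tcp/6789, as the netstat output shows (tcp/3300 for msgr v2 only appeared in Nautilus), and it assumes you want SSH kept reachable; the `IPT` variable and the dry-run default are conveniences of this example, not an iptables feature.

```shell
#!/bin/sh
# Added example (not from the original post): stateful INPUT chain for a
# Ceph Luminous monitor that listens only on tcp/6789.
#
# Safe by default: prints the rules instead of loading them. Apply for real with
#   IPT=iptables sh mon-fw.sh
# Assumptions: single monitor address on tcp/6789, no msgr v2 (tcp/3300),
# SSH on tcp/22 kept open so the host stays reachable after the DROP.
IPT="${IPT:-echo}"

mon_input_rules() {
    $IPT -F INPUT
    # Loopback: ceph CLI tools on the monitor talk to the local daemon.
    $IPT -A INPUT -i lo -j ACCEPT
    # Return traffic for connections THIS host initiated (mon -> peer mon :6789,
    # mon -> osd). These arrive with sport 6789 and an ephemeral dport such as
    # 56052; without this rule the peers never see the replies and mark the
    # monitor down.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New inbound sessions to the monitor itself (clients, peer mons, OSDs).
    $IPT -A INPUT -p tcp --dport 6789 -m conntrack --ctstate NEW -j ACCEPT
    # Management access (assumption: SSH on the default port).
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Everything else is dropped, including unsolicited packets that merely
    # claim source port 6789. A bare "--sport 6789 -j ACCEPT" would let any
    # remote host bypass the filter by choosing that source port.
    $IPT -A INPUT -j DROP
}

mon_input_rules
```

After applying, confirm what is actually loaded with `iptables -vnL INPUT` rather than trusting that every command ran; the per-rule packet counters also show whether the ESTABLISHED,RELATED rule is the one matching the sport-6789 replies.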