Wednesday, May 1, 2013

Getting replicated Ehcache and iptables to play nice

Struggled with this a bit and thought others might find this useful.  If you're using RMI Replicated caching with Ehcache, you need to put a little thought into port security/strategy.  The sample ehcache.xml includes:

Using this config means you're going to have to poke holes in iptables for TCP ports 40001 and 40002.  All that is pretty simple - the gotcha is if you're using automatic peer discovery.  It relies on IP multicast to find the other peers.  The docs call this out but it took me a while to realize I had to specifically allow multicast in iptables, as it is likely prohibited by default in most environments.

IBM has a nice post about how to do this.  So in this example (replicated Ehcache with automatic peer discovery), you'll need this in iptables on each host you expect to participate.  One caveat: -A appends, so if your INPUT chain already ends with a catch-all REJECT (the stock CentOS/RHEL ruleset does), these lines have to sit above it or they will never match:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 40001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 40002 -j ACCEPT
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
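The third rule above accepts every multicast packet from any source, and the first two accept RMI connections from anywhere.  Since RMI replication carries cache contents between peers with nothing else in front of it, it is worth narrowing both.  The following is an added example, not code from the original post: it emits a tighter version of the same three rules (RMI ports only from the peer subnet, multicast only for the discovery group and port, plus IGMP so group membership queries still arrive, inserted with -I so they land above a catch-all REJECT), and it audits an iptables-save dump for the two mistakes that make the post's rules silently ineffective or over-broad.  The peer subnet 10.0.1.0/24 and the discovery group 230.0.0.1:4446 are assumptions (the latter are Ehcache's documented sample values); override them via the environment.

```shell
#!/bin/sh
# Added example, not from the original post.
#   ehcache_rules : print a tighter ruleset in iptables-save syntax
#   audit_rules   : read an iptables-save dump on stdin and report
#                   (a) blanket multicast ACCEPTs and
#                   (b) ACCEPTs appended after a terminal REJECT/DROP in INPUT
# Assumed values (override via env): peer subnet, discovery group/port.
PEER_NET="${PEER_NET:-10.0.1.0/24}"        # assumption: where the peers live
MCAST_GROUP="${MCAST_GROUP:-230.0.0.1}"    # Ehcache sample multicastGroupAddress
MCAST_PORT="${MCAST_PORT:-4446}"           # Ehcache sample multicastGroupPort
RMI_PORTS="${RMI_PORTS:-40001 40002}"      # port / remoteObjectPort from the post

ehcache_rules() {
  for p in $RMI_PORTS; do
    # -I (insert at top) rather than -A, so a trailing catch-all REJECT
    # cannot shadow the rule; source pinned to the peer subnet.
    printf '%s\n' "-I INPUT -s $PEER_NET -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
  done
  # Discovery datagrams: source is the peer's unicast address, destination is
  # the group, so both ends can be pinned instead of accepting all multicast.
  printf '%s\n' "-I INPUT -s $PEER_NET -d $MCAST_GROUP -p udp -m udp --dport $MCAST_PORT -j ACCEPT"
  # IGMP membership queries (general queries go to 224.0.0.1, group-specific
  # ones to the group). Drop these and a snooping switch can stop forwarding
  # the group to this host once its membership entry times out.
  printf '%s\n' "-I INPUT -p igmp -j ACCEPT"
}

audit_rules() {
  awk '
    BEGIN { bad = 0; sealed = 0 }
    /^-A INPUT/ {
      if ($0 ~ /--pkt-type multicast/ && $0 !~ /( -d | --dport )/) {
        print "blanket multicast accept: " $0; bad = 1
      }
      if (sealed && $0 ~ /-j ACCEPT/) {
        print "unreachable (after catch-all): " $0; bad = 1
      }
      # A REJECT/DROP with no match criteria seals the chain.
      if ($0 ~ /^-A INPUT -j (REJECT|DROP)/) sealed = 1
    }
    END { exit bad }'
}

# Constructed sample dump (not a real host), modelled on a stock CentOS 6
# /etc/sysconfig/iptables with the post's three rules appended at the end.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 40001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 40002 -j ACCEPT
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
COMMIT'

# Run the audit against the constructed sample; exit status 1 = findings.
audit_sample() {
  printf '%s\n' "$SAMPLE_DUMP" | audit_rules
}

# Usage:  sh ehcache-fw.sh            -> print the rules
#         iptables-save | sh ehcache-fw.sh audit   -> audit a live ruleset
if [ "${1:-}" = "audit" ]; then
  audit_rules
else
  ehcache_rules
fi
```

Against the constructed sample the audit reports all three appended rules as unreachable and the multicast rule as a blanket accept; the emitted ruleset passes the same audit cleanly.  If you run automatic discovery across routers, the timeToLive in the ehcache.xml peer provider and the routers' multicast forwarding are separate problems from the host firewall and are not covered here.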
