blazej
Level 7

How to configure Proxy HA & Network Protection (MWG7)

I had two MWG7s configured as "simple" proxy. My Network Protection rules were set to allow traffic on the internal eth and drop everything else.

[Screenshot attachment: ha_protect.JPG]

This config was working, but when I enable Proxy HA then VRRP fails. There is no option to select the VRRP protocol in the Network Protection config (just TCP or UDP). I would be able to do it using iptables - but how do I make this configuration persistent?

Any ideas?

2 Replies
asabban
Level 17

Re: How to configure Proxy HA & Network Protection (MWG7)

Hello,

if you want to use "custom" iptables rules and make them persistent, you will need to add them manually. After you have logged on via SSH, put your rules into /etc/init.d/iptables. If you look into that file you will find a start() function. I would try to put the custom rules on top of:

touch $VAR_SUBSYS_IPTABLES

return $ret

After a restart the rules should be there. There are a few things to notice:

- Be careful and test your changes on a VM if possible. Mistakes in the startup scripts may cause the appliance to become stuck while booting, and recovery won't be too easy

- This kind of modification is not supported

- Updates of the OS may cause the changes to be wiped out, since the startup scripts are not migrated during an update

- Please ensure you file a service request to get an official solution

Best,

Andre


Re: How to configure Proxy HA & Network Protection (MWG7)

All changes to /etc/init.d/iptables will be silently discarded when the iptables package is updated.

If you want to make those changes truly persistent I'd recommend editing /etc/sysconfig/iptables directly (e.g. add the line "-A INPUT -p 112 -j ACCEPT").

In order to protect your changes from being overwritten by MWG you can make the config file immutable:

# chattr +i /etc/sysconfig/iptables

Changes to Network Protection via the UI will not be applied to the configuration file after this! To make the config file writeable again, use

# chattr -i /etc/sysconfig/iptables

Cya, Ed
