Changes between Version 10 and Version 11 of sysadminiptables


Timestamp: Jun 22, 2009, 2:09:30 PM
Author: risard
Network security is an important aspect of any distributed database, particularly one that holds patron data.  Like any computer these days, Linux servers come with a configurable firewall, referred to generically as iptables.  The following describes the ports that need to be opened via iptables for Evergreen to work.  Iptables is a very complicated topic that can take you into the darkest depths of packet routing and network configuration; what follows is a simple primer that will let you get work done on Evergreen.  For more information see the References section.  The assumption here is a two-server (database and oils) configuration.  For security reasons, I've changed the IP addresses and host names in the examples below.

  '''NOTE:''' Our ISP keeps our production servers behind a substantial firewall and coordination with them is essential.  Any ports you open via iptables '''also''' need to be opened in their firewall.  This is done by contacting support after you've configured iptables.

----
     
}}}

  '''NOTE:''' the command must be run with sudo.

The output of either command groups the rules into three sections called "chains", the built-in chains of the default filter table.  Chain INPUT holds the rules for packets addressed to this machine, Chain OUTPUT those for packets it sends, and Chain FORWARD those for packets routed through it to other machines.  The only one you should concern yourself with, and the only one used on this page or in these examples, is Chain INPUT: we're only concerned with accepting packets from other machines.
     
The command above can be broken down as follows:

||-A INPUT||append the rule to Chain INPUT||
||-s 10.104.100.167||match packets whose source address is 10.104.100.167||
||-d 10.104.100.168||match packets whose destination address is 10.104.100.168 (this machine)||
||-p tcp||match only the TCP protocol (so a UDP packet arriving on port 8023 would not be addressed by this rule)||
||-m tcp||load the tcp match extension, which is what provides options such as --dport.  Because -p tcp already loads it implicitly this isn't strictly necessary, but it's considered good form to spell it out, and our ISP does, so we should too.||
||--dport 8023||match packets destined for TCP port 8023||
||-j ACCEPT||if a packet matches everything above, "jump" to the ACCEPT target, in other words accept the packet||

If you ran the above command, it would immediately append a rule to the end of the iptables INPUT chain, and if you then ran iptables -L you'd see your new rule in the list.  Two things to keep in mind: iptables uses the first rule that matches a packet, so a rule appended with -A is only reached if no earlier rule in the chain already matched; and rules added this way live only in the running kernel and are gone after a reboot unless you save them with your distribution's mechanism.
     
}}}

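As an added example (not part of the original wiki page or of Evergreen), the following script reconstructs the rule broken down in the table above and adds it only if it isn't already present, then lists the chain so you can confirm it.  The addresses and port are the page's illustrative values; the script assumes a bash shell, sudo rights, and an iptables new enough to support the `-C` existence check (1.4.11 or later; on older versions grep the `iptables -L INPUT -n` listing instead).

```bash
#!/bin/bash
# Added example, not from the wiki page: append the INPUT rule described in
# the table above only if it is not already present, then list the chain.
# 10.104.100.167 / 10.104.100.168 / 8023 are the page's illustrative values.

# Accept only a dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
    local ip=$1 octet
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Accept only a TCP port in 1-65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rule specification (the part after -A) for src -> dst:port over TCP,
# exactly as the table above breaks it down; fails on a bad address or port.
tcp_rule_spec() {
    valid_ipv4 "$1" && valid_ipv4 "$2" && valid_port "$3" || return 1
    printf 'INPUT -s %s -d %s -p tcp -m tcp --dport %s -j ACCEPT' "$1" "$2" "$3"
}

# Append the rule unless an identical one already exists.  `iptables -C` tests
# for an existing rule (assumes iptables 1.4.11 or later; on older versions
# grep the `iptables -L INPUT -n` listing instead).  Word splitting of $spec
# into separate arguments is intentional.
allow_tcp_from() {
    local spec
    spec=$(tcp_rule_spec "$1" "$2" "$3") || { echo "bad address or port" >&2; return 1; }
    if sudo iptables -C $spec 2>/dev/null; then
        echo "rule already present: $spec"
    else
        sudo iptables -A $spec
        echo "added: $spec"
    fi
    # -n skips DNS lookups, -v shows packet/byte counters (a rule that never
    # counts is a rule nothing is hitting), --line-numbers gives the index
    # you would pass to `iptables -D INPUT <n>` to delete a rule.
    sudo iptables -L INPUT -n -v --line-numbers
}

# Usage: ./allow-rule.sh 10.104.100.167 10.104.100.168 8023
if [ $# -eq 3 ]; then
    allow_tcp_from "$1" "$2" "$3"
fi
```

Validating the inputs before they reach iptables matters because a typo in an address silently produces a rule that matches nothing, and the `-v` counters in the final listing are the quickest way to see whether packets are actually hitting the rule you just added.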
----
== Testing Your Config ==

The easiest way to check that a port is open is to use nmap.

  '''NOTE:''' although nmap is a valid network diagnostic tool, it's also a very controversial one: port scanning hosts you don't administer is often treated as hostile activity. '''PLEASE''' use it with discretion, and only against your own servers.

You can test the status of a port by running the following command from another machine:
{{{
    sudo nmap 10.0.0.1 -sS -p 5432
}}}

The command above runs a TCP SYN scan (-sS, which is why it needs sudo) against port 5432 on the computer at 10.0.0.1.  The output is something like:
{{{
    Interesting ports on 10.0.0.1:
    PORT     STATE SERVICE
    5432/tcp open  postgresql

    Nmap done: 1 IP address (1 host up) scanned in 0.169 seconds
}}}

The output above lists the port with STATE open.  This means the iptables rules are letting the port through ''and'' a service answered on it.  The other two states mean different things.  "filtered" means nmap got no reply (or an ICMP unreachable), so a firewall, either iptables on the server or the ISP's, is still dropping the packets and you need to revisit your iptables rules.  "closed" means the server answered with a TCP RST: usually nothing is listening on that port (less commonly, an iptables REJECT rule configured to send tcp-reset), so check the service before the firewall.

  '''NOTE:''' if the port shows "open" but you still can't get a connection to the service you want (i.e. port 5432 is open but you still can't connect to postgres from another machine), check that another service isn't running on the port, and that the service you expect is listening on an address other machines can reach rather than only on 127.0.0.1:

{{{
    netstat -an | grep 5432
}}}

Things to check in the output include:
||
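The checks above are less error-prone when the tools' output is parsed rather than read by eye.  The script below is an added example, not from the original page: it runs nmap in its grepable output mode (-oG), pulls out the state of one port, says what each state implies for the iptables rule (the open/filtered/closed distinction described above), and reads `netstat -an` to tell whether the service is listening on an address other hosts can reach or only on 127.0.0.1.  It assumes bash, awk and, for a live scan, sudo and nmap; the nmap and netstat lines embedded in it are constructed samples, not real captures.

```bash
#!/bin/bash
# Added example, not from the wiki page: interpret the nmap and netstat checks
# described above.  The host, port and sample outputs are constructed.

# Scan one TCP port on a host and print its nmap state (open/closed/filtered).
# Needs root for the SYN scan (-sS), like the command on the page; "-oG -"
# writes nmap's grepable format to stdout so it can be parsed reliably.
scan_port_state() {
    sudo nmap -sS -p "$2" -oG - "$1" | port_state_from_grepable "$2"
}

# Parse nmap -oG output on stdin and print the state of <port>.  The line of
# interest looks like:
#   Host: 10.0.0.1 ()  Ports: 5432/open/tcp//postgresql///
port_state_from_grepable() {
    awk -v port="$1" '
        /Ports:/ {
            split($0, half, "Ports: ")
            n = split(half[2], entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")      # port/state/protocol/...
                if (f[1] == port) { print f[2]; exit }
            }
        }'
}

# Translate a state into what to look at next.
explain_state() {
    case $1 in
        open)     echo "firewall passes the port and a service answered: iptables is fine" ;;
        closed)   echo "the host sent a RST, so iptables lets the port through but nothing is listening: fix the service" ;;
        filtered) echo "no answer or ICMP unreachable: a firewall (iptables or the ISP's) is dropping the port" ;;
        *)        echo "unexpected state '$1'" ;;
    esac
}

# Parse `netstat -an` output on stdin and report how <port> is bound:
#   all        listening on 0.0.0.0 or :: (reachable from other hosts)
#   localhost  listening only on 127.0.0.1 or ::1 (remote connects fail
#              even when nmap says the port is open)
#   only ADDR  bound to one specific address
#   none       no LISTEN socket on that port
listener_scope() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)    # local address without port
            p = $4;    sub(/.*:/, "", p)            # port only
            if (p != port) next
            found = 1
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") print "all"
            else if (addr == "127.0.0.1" || addr == "::1") print "localhost"
            else print "only " addr
            exit
        }
        END { if (!found) print "none" }'
}

# Constructed sample outputs (not real captures) for a stand-alone run.
SAMPLE_NMAP_OPEN='Host: 10.0.0.1 ()  Ports: 5432/open/tcp//postgresql///'
SAMPLE_NMAP_FILTERED='Host: 10.0.0.1 ()  Ports: 5432/filtered/tcp//postgresql///'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Walk the constructed samples through both checks.
demo() {
    local state
    state=$(printf '%s\n' "$SAMPLE_NMAP_OPEN" | port_state_from_grepable 5432)
    echo "nmap says 5432 is $state: $(explain_state "$state")"
    echo "netstat says 5432 is bound to: $(printf '%s\n' "$SAMPLE_NETSTAT" | listener_scope 5432)"
}
demo
```

In the constructed sample the two checks disagree in exactly the way the NOTE above warns about: nmap would report the port open from a host allowed by iptables, yet netstat shows postgres bound only to 127.0.0.1, so remote connections still fail and the fix belongs in the service's listen configuration, not in iptables.  For a live check replace the sample with `scan_port_state 10.0.0.1 5432` and `netstat -an | listener_scope 5432`.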