Changes between Version 7 and Version 8 of sysadminiptables
- Timestamp:
- Jun 22, 2009, 11:57:29 AM (14 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
sysadminiptables
v7 v8 1 1 = Networking Issue = 2 2 3 Quick Start[[BR]]3 Quick Reference[[BR]] 4 4 ---- 5 5 Overview[[BR]] 6 Working with iptables in Debian[[BR]] 6 Reading iptables[[BR]] 7 Setting iptables[[BR]] 7 8 Necessary Ports - Database Server[[BR]] 8 9 Necessary Ports - Open-ils Server[[BR]] … … 12 13 == Overview == 13 14 14 Network security is an important aspect of any distributed database, particularly one in which patron data is kept. Like any computer these days, Linux servers come with a configurable firewall referred to generically as iptables. The following is a description of the ports that need to be opened via iptables for Evergreen to work. Iptables is a very complicated topic that can take you into the d epths of packet routing and network configuration. What follows is a simple primer that will allow you to get work done on Evergreen. For more information see References section. The assumption here is a two server (database and oils) configuration.15 Network security is an important aspect of any distributed database, particularly one in which patron data is kept. Like any computer these days, Linux servers come with a configurable firewall referred to generically as iptables. The following is a description of the ports that need to be opened via iptables for Evergreen to work. Iptables is a very complicated topic that can take you into the darkest depths of packet routing and network configuration. What follows is a simple primer that will allow you to get work done on Evergreen. For more information see References section. The assumption here is a two server (database and oils) configuration. For security reasons, I've changed the ip addresses and host names in the examples below. 15 16 16 17 '''NOTE:''' Our ISP keeps our production servers behind a substantial firewall and coordination with them is essential. Any ports you open via iptables, '''also''' need to be opened in their firewall. This is done by contacting support after you've configured iptalbes. 17 18 18 19 ---- 19 == Working with iptables in Debian==20 === Viewing the current configuration === 20 == Reading iptables == 21 21 22 {{{ 22 23 sudo iptables -L … … 57 58 }}} 58 59 reads 60 61 "packets destined for the tcp ssh port on curly - that are from larry - should be accepted." 62 63 64 ---- 65 == Setting Iptables == 66 67 In Debian Lenny there are two ways to change iptables. You can edit the tables interactively at the shell using the iptables command and then save them with iptables-save command, or you can edit the file where the tables are stored directly and then apply them. 68 69 '''NOTE:''' that when you use the iptables command, you're changes are live. 70 71 === the iptables command === 72 73 The iptables syntax is as follows: 59 74 {{{ 60 "packets destined for the tcp ssh port on curly - that are from larry - should be accepted."75 sudo iptalbes -A INPUT -s 10.104.100.167 -d 10.104.100.168 -p tcp -m tcp --dport 8023 -j ACCEPT 61 76 }}} 62 77 63 === Setting Iptables === 78 The command above can be broken down as follows: 64 79 65 In Debian Lenny there are two ways to change iptables. You can edit the tables interactively at the shell using the iptables command and then save them with iptables-save command, or you can edit the file where the tables are stored directly and then apply them. When you set do this, it's important to nt 80 ||-A INPUT||says the rule should be appended to Chain INPUT|| 81 ||-s 10.104.100.167||the source of the packet is the machine found at 10.104.100.167|| 82 ||-d 10.104.100.168||means the destination machine is 10.104.100.168|| 83 ||-p tcp||means the rule is concerned with the tcp protocol (so a udp packet coming in on port 8023 wouldn't be addressed by this rule)|| 84 ||-m tcp||this means load the rules that match the listed protocol, in this case tcp. Although this isn't strictly necessary since we've specified the protocol with the -p option, it's considered good form to use it, and our ISP does use it, so we should too.|| 85 ||--dport 8023||This rule concerns itself with packets destined for port 8023.|| 86 ||-j ACCEPT||if a packet matches the rules above, then "jump" to the ACCEPT command, in other words, accept the packet.|| 87 88 If you ran the above command, it would immediately add a rule to the iptables