Changes between Version 7 and Version 8 of sysadminiptables

Timestamp:
Jun 22, 2009, 11:57:29 AM (13 years ago)
Author:
risard
Comment:

--

  • sysadminiptables

    v7 v8  
    11= Networking Issue =
    22
    3 Quick Start[[BR]]
     3Quick Reference[[BR]]
    44----
    55Overview[[BR]]
    6 Working with iptables in Debian[[BR]]
     6Reading iptables[[BR]]
     7Setting iptables[[BR]]
    78Necessary Ports - Database Server[[BR]]
    89Necessary Ports - Open-ils Server[[BR]]
     
    1213== Overview ==
    1314
    14 Network security is an important aspect of any distributed database, particularly one in which patron data is kept.  Like any computer these days, Linux servers come with a configurable firewall referred to generically as iptables.  The following is a description of the ports that need to be opened via iptables for Evergreen to work.  Iptables is a very complicated topic that can take you into the depths of packet routing and network configuration.  What follows is a simple primer that will allow you to get work done on Evergreen.  For more information see References section.  The assumption here is a two server (database and oils) configuration
     15Network security is an important aspect of any distributed database, particularly one in which patron data is kept.  Like any computer these days, Linux servers come with a configurable firewall referred to generically as iptables.  The following is a description of the ports that need to be opened via iptables for Evergreen to work.  Iptables is a very complicated topic that can take you into the darkest depths of packet routing and network configuration.  What follows is a simple primer that will allow you to get work done on Evergreen.  For more information see References section.  The assumption here is a two server (database and oils) configuration.  For security reasons, I've changed the ip addresses and host names in the examples below
    1516
    1617'''NOTE:''' Our ISP keeps our production servers behind a substantial firewall and coordination with them is essential.  Any ports you open via iptables, '''also''' need to be opened in their firewall.  This is done by contacting support after you've configured iptalbes. 
    1718
    1819----
    19 == Working with iptables in Debian ==
    20 === Viewing the current configuration ===
     20== Reading iptables ==
     21
    2122{{{
    2223    sudo iptables -L
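Review bot: the typo "iptalbes" in the unchanged NOTE line ("after you've configured iptalbes") survives this revision and is worth fixing while the Overview is being reworded; the same misspelling also appears in the example command further down, where it is more serious because the command will not run as typed. The new sentence stating that IP addresses and host names in the examples have been changed is good practice for a wiki page that describes production firewall rules; consider saying the same in the NOTE that refers to the ISP's firewall, so readers know the 10.104.100.x addresses below are placeholders rather than the real production hosts.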
     
    5758}}}
    5859reads
     60
     61    "packets destined for the tcp ssh port on curly - that are from larry - should be accepted." 
     62
     63
     64----
     65== Setting Iptables ==
     66
     67In Debian Lenny there are two ways to change iptables.  You can edit the tables interactively at the shell using the iptables command and then save them with iptables-save command, or you can edit the file where the tables are stored directly and then apply them. 
     68
     69'''NOTE:''' that when you use the iptables command, you're changes are live.
     70
     71=== the iptables command ===
     72
     73The iptables syntax is as follows:
    5974{{{
    60     "packets destined for the tcp ssh port on curly - that are from larry - should be accepted." 
     75    sudo iptalbes -A INPUT -s 10.104.100.167 -d 10.104.100.168 -p tcp -m tcp --dport 8023 -j ACCEPT   
    6176}}}
    6277
    63 === Setting Iptables ===
     78The command above can be broken down as follows:
    6479
    65 In Debian Lenny there are two ways to change iptables.  You can edit the tables interactively at the shell using the iptables command and then save them with iptables-save command, or you can edit the file where the tables are stored directly and then apply them.    When you set do this, it's important to nt
     80||-A INPUT||says the rule should be appended to Chain INPUT||
     81||-s 10.104.100.167||the source of the packet is the machine found at 10.104.100.167||
     82||-d 10.104.100.168||means the destination machine is 10.104.100.168||
     83||-p tcp||means the rule is concerned with the tcp protocol (so a udp packet coming in on port 8023 wouldn't be addressed by this rule)||
     84||-m tcp||this means load the rules that match the listed protocol, in this case tcp.  Although this isn't strictly necessary since we've specified the protocol with the -p option, it's considered good form to use it, and our ISP does use it, so we should too.||
     85||--dport 8023||This rule concerns itself with packets destined for port 8023.||
     86||-j ACCEPT||if a packet matches the rules above, then "jump" to the ACCEPT command, in other words, accept the packet.||
     87
     88If you ran the above command, it would immediately add a rule to the iptables
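Review bot: the added example command is misspelled ("sudo iptalbes -A INPUT ..."); it should read "sudo iptables -A INPUT -s 10.104.100.167 -d 10.104.100.168 -p tcp -m tcp --dport 8023 -j ACCEPT", otherwise a reader who copies it gets "command not found" rather than a new rule. Two smaller points in the same hunk: "you're changes are live" should be "your changes are live", and the sentence that follows the table ("If you ran the above command, it would immediately add a rule to the iptables") is cut off, so the explanation of what happens once the rule is live is missing; since -A appends, it is worth stating here that the new ACCEPT rule lands after any existing rules in INPUT, so a preceding DROP or REJECT rule would still match first, and that the live change is lost on reboot unless it is saved with iptables-save as the section above describes.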