| Version 5 (modified by , 14 years ago) (diff) |
|---|
Networking Issue
Quick Start
Overview
Working with iptables in Debian
Necessary Ports - Database Server
Necessary Ports - Open-ils Server
Testing port configuration connection
Overview
Network security is an important aspect of any distributed database, particularly one in which patron data is kept. Like any computer these days, Linux servers come with a configurable firewall referred to generically as iptables. The following is a description of the ports that need to be opened via iptables for Evergreen to work. Iptables is a very complicated topic that can take you into the depths of packet routing and network configuration. What follows is a simple primer that will allow you to get work done on Evergreen. For more information see References section. The assumption here is a two server (database and oils) configuration.
NOTE: Our ISP keeps our production servers behind a substantial firewall and coordination with them is essential. Any ports you open via iptables, also need to be opened in their firewall. This is done by contacting support after you've configured iptalbes.
Working with iptables in Debian
Viewing the current configuration
sudo iptables -L
or
sudo iptables -L -n
The latter command will generate exactly the same list as the former except the -n (numbers) switch renders the list of addresses in dot decimal form. Without -n the entries in the list are shown as hostnames. So with with iptables -L you see something like this:
target prot opt source destination
ACCEPT tcp -- larry.isp.ca curly.isp.ca dpt:ssh
ACCEPT tcp -- moe.isp.ca curly.isp.ca tcp dpt:ssh
ACCEPT tcp -- larry.isp.ca curly.isp.ca tcp dpt:2301
ACCEPT tcp -- moe.isp.ca curly.isp.ca tcp dpt:2301
The same output with the -n option:
target prot source destination
ACCEPT tcp -- 10.104.94.4 10.104.100.168 tcp dpt:22
ACCEPT tcp -- 10.104.94.8 10.104.100.168 tcp dpt:22
ACCEPT tcp -- 10.104.94.4 10.104.100.168 tcp dpt:2301
ACCEPT tcp -- 10.104.94.8 10.104.100.168 tcp dpt:2301
NOTE: that the command requires the use of sudo to use.
The output of either command will group the lines above into three sections called "chains". Each chain represents inbound packets (Chain INPUT), outbound packets (Chain OUTPUT) and packets that are to be passed transparently to other machines (Chain FORWARD). The only one you should concern yourself with, and the only one being used on this page or in these examples is Chain INPUT. We're only concerned with being able to accept packets from other machines.
You will also notice several special lines that have "state" listed as their destination, likely with ESTABLISHED, RELATED or something similar. These are special entries and should never be modified by you. In addition, you will see a lot of entries for "dpt:22" or "dpt:ssh". Never change these without consultations from your fellow Conifer admins''' These entries allow for ssh between the various machines and allow you to ssh into the machines. If you remove them, you will not be able to interact remotely with the server anymore! If this happens, you need to call our isp, and have them fix it.
The output is easier to read from right to left. dpt = "destination port" so the first reads:
"packets destined for port 22 on curly.isp.ca - that are from larry.isp.ca - should be accepted."
In Debian Lenny there are two ways to change iptables. You can issue commands at the shell prompt using the iptables command. When you do this, it's important to nt
