wiki:sysadminiptables

Version 7 (modified by risard, 13 years ago) (diff)

--

Networking Issue

Quick Start


Overview
Working with iptables in Debian
Necessary Ports - Database Server
Necessary Ports - Open-ils Server
Testing port configuration connection


Overview

Network security is an important aspect of any distributed database, particularly one in which patron data is kept. Like any computer these days, Linux servers come with a configurable firewall referred to generically as iptables. The following is a description of the ports that need to be opened via iptables for Evergreen to work. Iptables is a very complicated topic that can take you into the depths of packet routing and network configuration. What follows is a simple primer that will allow you to get work done on Evergreen. For more information see References section. The assumption here is a two server (database and oils) configuration.

NOTE: Our ISP keeps our production servers behind a substantial firewall and coordination with them is essential. Any ports you open via iptables, also need to be opened in their firewall. This is done by contacting support after you've configured iptalbes.


Working with iptables in Debian

Viewing the current configuration

    sudo iptables -L

or

    sudo iptables -L -n

The latter command will generate exactly the same list as the former except the -n (numbers) switch renders the list of addresses in dot decimal form. Without -n the entries in the list are shown as hostnames. So with with iptables -L you see something like this:

    target     prot opt source        destination
    ACCEPT     tcp  --  larry.isp.ca  curly.isp.ca dpt:ssh
    ACCEPT     tcp  --  moe.isp.ca  curly.isp.ca tcp dpt:ssh
    ACCEPT     tcp  --  larry.isp.ca curly.isp.ca tcp dpt:2301
    ACCEPT     tcp  --  moe.isp.ca  curly.isp.ca tcp dpt:2301

The same output with the -n option:

    target     prot     source               destination
    ACCEPT     tcp  --  10.104.94.4         10.104.100.168     tcp dpt:22
    ACCEPT     tcp  --  10.104.94.8         10.104.100.168     tcp dpt:22
    ACCEPT     tcp  --  10.104.94.4         10.104.100.168     tcp dpt:2301
    ACCEPT     tcp  --  10.104.94.8         10.104.100.168     tcp dpt:2301

NOTE: that the command requires the use of sudo to use.

The output of either command will group the lines above into three sections called "chains". Each chain represents inbound packets (Chain INPUT), outbound packets (Chain OUTPUT) and packets that are to be passed transparently to other machines (Chain FORWARD). The only one you should concern yourself with, and the only one being used on this page or in these examples is Chain INPUT. We're only concerned with being able to accept packets from other machines.

You will also notice several special lines that have "state" listed as their destination, likely with ESTABLISHED, RELATED or something similar. These are special entries and should never be modified by you. In addition, you will see a lot of entries for "dpt:22" or "dpt:ssh". Never change these without consultations from your fellow Conifer admins! These entries allow for ssh access between the various servers and allow you to ssh into the machines. If you remove them, you will not be able to interact remotely with the server anymore! If this happens, you need to call our isp, and have them fix it.

The output is easier to read from right to left. dpt = "destination port" so

    target     prot opt source        destination
    ACCEPT     tcp  --  larry.isp.ca  curly.isp.ca dpt:ssh

reads

    "packets destined for the tcp ssh port on curly - that are from larry - should be accepted."  

Setting Iptables

In Debian Lenny there are two ways to change iptables. You can edit the tables interactively at the shell using the iptables command and then save them with iptables-save command, or you can edit the file where the tables are stored directly and then apply them. When you set do this, it's important to nt