wiki:sysadminiptables

Version 9 (modified by risard, 13 years ago)


Networking Issue

Quick Reference


Overview
Reading iptables
Setting iptables
Necessary Ports - Database Server
Necessary Ports - Open-ils Server
Testing port configuration connection


Overview

Network security is an important aspect of any distributed database, particularly one in which patron data is kept. Like any computer these days, Linux servers come with a configurable firewall referred to generically as iptables. The following is a description of the ports that need to be opened via iptables for Evergreen to work. iptables is a very complicated topic that can take you into the darkest depths of packet routing and network configuration. What follows is a simple primer that will allow you to get work done on Evergreen. For more information, see the References section. The assumption here is a two-server (database and oils) configuration. For security reasons, I've changed the IP addresses and host names in the examples below.

NOTE: Our ISP keeps our production servers behind a substantial firewall, and coordination with them is essential. Any ports you open via iptables also need to be opened in their firewall. This is done by contacting support after you've configured iptables.


Reading iptables

    sudo iptables -L

or

    sudo iptables -L -n

The latter command generates exactly the same list as the former, except that the -n (numeric) switch renders the addresses and ports in dotted-decimal and numeric form. Without -n the entries are shown as hostnames and service names. So with iptables -L you see something like this:

    target     prot opt source        destination
    ACCEPT     tcp  --  larry.isp.ca  curly.isp.ca  tcp dpt:ssh
    ACCEPT     tcp  --  moe.isp.ca    curly.isp.ca  tcp dpt:ssh
    ACCEPT     tcp  --  larry.isp.ca  curly.isp.ca  tcp dpt:2301
    ACCEPT     tcp  --  moe.isp.ca    curly.isp.ca  tcp dpt:2301

The same output with the -n option:

    target     prot opt source               destination
    ACCEPT     tcp  --  10.104.94.4          10.104.100.168       tcp dpt:22
    ACCEPT     tcp  --  10.104.94.8          10.104.100.168       tcp dpt:22
    ACCEPT     tcp  --  10.104.94.4          10.104.100.168       tcp dpt:2301
    ACCEPT     tcp  --  10.104.94.8          10.104.100.168       tcp dpt:2301

NOTE: both commands require sudo.

The output of either command groups lines like the ones above into three sections called "chains": inbound packets (Chain INPUT), outbound packets (Chain OUTPUT), and packets to be passed transparently on to other machines (Chain FORWARD). The only chain you should concern yourself with, and the only one used on this page and in these examples, is Chain INPUT, because we are only concerned with being able to accept packets from other machines.

You will also notice several special lines that have "state" listed beside their destination, followed by ESTABLISHED, RELATED or something similar. These are special entries and should never be modified by you. In addition, you will see a lot of entries for "dpt:22" or "dpt:ssh". Never change these without consulting your fellow Conifer admins! These entries allow ssh access between the various servers and allow you to ssh into the machines. If you remove them, you will no longer be able to interact remotely with the server! If this happens, you need to call our ISP and have them fix it.

The output is easier to read from right to left. dpt stands for "destination port", so

    target     prot opt source        destination
    ACCEPT     tcp  --  larry.isp.ca  curly.isp.ca  tcp dpt:ssh

reads

"packets destined for the tcp ssh port on curly - that are from larry - should be accepted."
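The script below is an added example, not part of the original wiki page. It reads `iptables -L -n` output (a constructed sample is embedded, modelled on the listing above), picks out the ACCEPT tcp rules of Chain INPUT, and checks that the ssh (dpt:22) entries the page warns you never to remove are still present for each admin host, which is the check to run before saving a changed ruleset.

```sh
# Constructed sample of `sudo iptables -L -n` output for the two-server setup
# (made up for this example, not captured from a real host).
SAMPLE_IPTABLES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  10.104.94.4          10.104.100.168       tcp dpt:22
ACCEPT     tcp  --  10.104.94.8          10.104.100.168       tcp dpt:22
ACCEPT     tcp  --  10.104.94.4          10.104.100.168       tcp dpt:2301

Chain FORWARD (policy DROP)
target     prot opt source               destination'

# Print only the rule lines of Chain INPUT, dropping headers and other chains.
input_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /  { in_input = ($2 == "INPUT"); next }
        /^target / { next }
        in_input && NF { print }'
}

# Print "source port" for each ACCEPT tcp rule in INPUT (e.g. "10.104.94.4 22").
# Columns: target prot opt source destination, then the match info holding dpt:.
accepted_tcp_ports() {
    input_rules "$1" | awk '$1 == "ACCEPT" && $2 == "tcp" {
        for (i = 6; i <= NF; i++)
            if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $4, $i }
    }'
}

# Return 0 if host $1 still has an ssh (dpt:22) ACCEPT rule in the output $2.
ssh_allowed_from() {
    accepted_tcp_ports "$2" | grep -qxF "$1 22"
}

# verify_ssh_rules OUTPUT HOST...: return non-zero, naming each offender, if
# any admin host has lost its ssh rule. Run it before iptables-save, while
# you are still logged in, so a lock-out is caught instead of discovered.
verify_ssh_rules() {
    rules=$1; shift
    status=0
    for host in "$@"; do
        if ! ssh_allowed_from "$host" "$rules"; then
            echo "WARNING: no ssh ACCEPT rule for $host in Chain INPUT" >&2
            status=1
        fi
    done
    return $status
}
```

On a real server, feed it the live listing instead of the sample: `verify_ssh_rules "$(sudo iptables -L -n)" 10.104.94.4 10.104.94.8`.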


Setting iptables

In Debian Lenny there are two ways to change iptables. You can edit the tables interactively at the shell using the iptables command and then save them with the iptables-save command, or you can edit the file where the tables are stored directly and then apply it.

NOTE: when you use the iptables command, your changes are live.

the iptables command

The iptables syntax is as follows:

    sudo iptables -A INPUT -s 10.104.100.167 -d 10.104.100.168 -p tcp -m tcp --dport 8023 -j ACCEPT

The command above can be broken down as follows:

-A INPUT: the rule should be appended to Chain INPUT
-s 10.104.100.167: the source of the packet is the machine at 10.104.100.167
-d 10.104.100.168: the destination machine is 10.104.100.168
-p tcp: the rule is concerned with the tcp protocol (so a udp packet coming in on port 8023 wouldn't be addressed by this rule)
-m tcp: load the tcp match extension, which provides options such as --dport for the listed protocol. Although this isn't strictly necessary since we've already specified the protocol with -p, it's considered good form to use it, and our ISP does use it, so we should too.
--dport 8023: the rule concerns itself with packets destined for port 8023.
-j ACCEPT: if a packet matches the rule above, then "jump" to the ACCEPT target, in other words, accept the packet.

If you ran the above command, it would immediately add a rule to the iptables INPUT chain. If you then ran iptables -L, you'd see your new rule in the list.

Although the above looks complicated, it should be noted that the only parts you should ever be changing are the -s, -d and --dport options. If you feel the need to change anything else, you should ask your fellow Evergreen Admins about it first!

Once you've edited the rules to your liking, you need to save them to a file. You do this with the following command:

    sudo iptables-save > /<path>/<firewall_file>

This will save your changes to the file named on the right of the >. Note that the redirection is performed by your shell as your own user, not by root, so that file location must be writable by you.
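As an added example, not code from the original page, the shell helpers below build the one rule shape this section describes (an INPUT ACCEPT for a single tcp port from one host to another), validating the three fields you are allowed to change before anything is typed at a live firewall, and append the saved-file form of the rule to a firewall file without duplicating it. They assume dotted-decimal IPv4 addresses and a numeric port, as in the page's own examples.

```sh
# Return 0 if $1 is a plain dotted-decimal IPv4 address (four octets, 0-255).
is_ipv4() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Return 0 if $1 is a tcp port number in 1..65535 (digits only).
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# make_save_line SOURCE DEST PORT: the rule as it appears in the saved
# firewall file, i.e. the iptables arguments without the command name.
# Everything except -s, -d and --dport is fixed, matching the ISP's form.
make_save_line() {
    is_ipv4 "$1" && is_ipv4 "$2" && is_port "$3" || return 1
    printf '%s\n' "-A INPUT -s $1 -d $2 -p tcp -m tcp --dport $3 -j ACCEPT"
}

# make_rule SOURCE DEST PORT: the same rule as a command to type at the shell.
# Prints nothing and returns 1 on malformed input, so a typo never goes live.
make_rule() {
    line=$(make_save_line "$1" "$2" "$3") || return 1
    printf 'sudo iptables %s\n' "$line"
}

# append_rule FILE SOURCE DEST PORT: add the saved-file line to FILE unless it
# is already there, so re-running a setup script never duplicates a rule.
append_rule() {
    line=$(make_save_line "$2" "$3" "$4") || return 1
    grep -qxF -- "$line" "$1" 2>/dev/null || printf '%s\n' "$line" >> "$1"
}
```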

Editing the file

We keep our iptables rules in a configuration file. For the name and location, ask your fellow Evergreen admins. When you open the file, it simply looks like a list of iptables commands, just like the ones you'd type at the command line. You can open the file with:

    sudo vim firewall_file

Once opened, you can just add a line to the file and save it. It's important to remember that the