
IPTables and firewall

In addition to hardening SSH access, we also need to restrict the ports that are allowed for communication into and out of the computer. We do so with the iptables service from Fedora, which filters the network access from other computers to our server and vice versa.

We need to enable ports for the following services:
  • SSH access (port 22)
  • GlusterFS server (ports 24007 and 24008)
  • GlusterFS nodes (49152 and on, one for each node)
  • GlusterFS configuration (111 tcp and udp)
  • PBS communications (15000 and on, one for each node)
The result is two files. The first one is /etc/sysconfig/iptables, which should look as follows:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 24007:24008 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 49152:49156 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 15000:15004 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 15000:15004 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

The second file is its IPv6 twin, /etc/sysconfig/ip6tables, and contains more or less the same:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 24007:24008 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 49152:49156 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 15000:15004 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 15000:15004 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
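The two per-node ranges (49152 and on, 15000 and on) follow directly from the cluster size; the following added shell example, which is not part of the original page, generates the IPv4 rules file for an N-node cluster (N=5 reproduces the file above) and checks whether a given port would be accepted by it. It assumes, as the page states, that GlusterFS brick ports start at 49152 and PBS ports at 15000, one per node.

```shell
#!/bin/sh
# Added example: build the /etc/sysconfig/iptables file for N nodes.
# Assumption (from the page): brick ports 49152+, PBS ports 15000+, one per node.

gluster_brick_range() {
    # Print "first:last" for the GlusterFS brick ports of N nodes.
    echo "49152:$((49152 + $1 - 1))"
}

pbs_range() {
    # Print "first:last" for the PBS ports of N nodes.
    echo "15000:$((15000 + $1 - 1))"
}

gen_iptables_rules() {
    # Emit the complete IPv4 rules file for N nodes on stdout.
    bricks=$(gluster_brick_range "$1")
    pbs=$(pbs_range "$1")
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 24007:24008 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport $bricks -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport $pbs -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport $pbs -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# port_allowed PROTO PORT N: exit 0 if a NEW PROTO connection to PORT hits an
# ACCEPT --dport rule of the generated ruleset, 1 if it falls through to REJECT.
port_allowed() {
    gen_iptables_rules "$3" | awk -v p="$1" -v d="$2" '
        $0 ~ ("-p " p " ") && match($0, /--dport [0-9:]+/) {
            r = substr($0, RSTART + 8, RLENGTH - 8)   # "lo:hi" or "port"
            split(r, b, ":")
            lo = b[1]; hi = (b[2] == "") ? b[1] : b[2]
            if (d + 0 >= lo + 0 && d + 0 <= hi + 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}
```

Running gen_iptables_rules with the node count and comparing the output against the installed file is a quick way to spot a range that was not widened when a node was added.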

After editing these files and ensuring that they have the right permissions (readable and writable by root only)
# chmod go-rxw /etc/sysconfig/iptables /etc/sysconfig/ip6tables
we can start the service and enable it at boot (the ip6tables service is handled the same way)
# service iptables start
# chkconfig iptables on
You can now check which ports have a listening service by issuing (this lists sockets, not the firewall rules themselves)
# netstat -a
