Firewalling
From SOFTICE
First line of defense: tcpwrappers
As a first step to lock down the master node, we allow only traffic initiated from on-campus systems or from systems connected to the university VPN. The simplest way is to deny everything in /etc/hosts.deny

ALL: ALL: DENY

and then selectively allow systems in /etc/hosts.allow

ALL: 131.247.168.
ALL: 192.168.

Keep in mind that tcpwrappers only protects daemons that are linked against libwrap (sshd, for example) or started through tcpd/inetd; anything else listening on the master is untouched until the iptables rules below are in place. The trailing dot matters: 131.247.168. is an address prefix, while 131.247.168 without it would be treated as a host name.
Before doing this, make sure the subnet containing your cluster nodes is in hosts.allow (the 192.168. entry above), or you will get a surprise the next time the nodes try to use tftp to load their kernel / initrd / vnfs capsule from the master node.
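The patterns above are easy to get subtly wrong, so it helps to be able to test an entry before a node is locked out. The following POSIX sh script is an added example, not part of the SOFTICE page: it re-implements the address-pattern part of hosts_access(5) (ALL, a dotted prefix ending in '.', and net/netmask) and walks the allow list copied from the hosts.allow above, deciding the way tcpd does when hosts.deny holds ALL: ALL. The client addresses at the bottom are constructed test values.

```shell
#!/bin/sh
# Added example: emulate how tcp_wrappers matches client addresses against
# the patterns in /etc/hosts.allow and /etc/hosts.deny (hosts_access(5)).
# Only the address forms are handled: ALL, a dotted prefix ending in '.',
# and net/netmask. Hostname patterns never match an address here.

# ip2int: dotted quad -> integer (runs in a subshell so IFS is not clobbered)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# wrap_match ADDR PATTERN: exit 0 if ADDR matches PATTERN, 1 otherwise
wrap_match() {
    addr=$1
    pat=$2
    case "$pat" in
        ALL)
            return 0 ;;
        */*)
            # net/netmask form, e.g. 131.247.168.0/255.255.254.0
            a=$(ip2int "$addr")
            n=$(ip2int "${pat%/*}")
            m=$(ip2int "${pat#*/}")
            [ $(( a & m )) -eq $(( n & m )) ] ;;
        *.)
            # trailing dot: leading-octet prefix, e.g. 131.247.168.
            case "$addr" in
                "$pat"*) return 0 ;;
                *)       return 1 ;;
            esac ;;
        *)
            # anything else is a hostname pattern: no address match
            return 1 ;;
    esac
}

# The allow list from the page's /etc/hosts.allow; with "ALL: ALL" in
# hosts.deny, anything not matched here is refused.
ALLOW_PATTERNS="131.247.168. 192.168."

# access_check ADDR: prints allow/deny the way tcpd would decide for ADDR
access_check() {
    for p in $ALLOW_PATTERNS; do
        if wrap_match "$1" "$p"; then
            echo allow
            return 0
        fi
    done
    echo deny
    return 1
}

# Constructed sample clients: a campus host on each half of the /23,
# a cluster node on the private net, and an off-campus address.
for client in 131.247.168.7 131.247.169.7 192.168.1.20 8.8.8.8; do
    printf '%-16s %s\n' "$client" "$(access_check "$client")"
done
```

Running it with the page's two patterns shows that 131.247.169.x clients are refused by wrapped daemons even though the iptables rules further down admit the whole 131.247.168.0/23; if both halves of that supernet should get in, use the net/mask form 131.247.168.0/255.255.254.0 instead of the prefix.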
Setting up iptables
Before using iptables, make sure your kernel is compiled with the appropriate options:

cd /usr/src/linux
make menuconfig

Check the following sections:
- Networking
  - Networking options
    - Network Packet Filtering (replaces IPchains)
      - Core netfilter configuration
        - check Netfilter Xtables support
      - IP: netfilter configuration
        - we checked most of the options under IP tables support (the state match and its connection-tracking dependency are needed by the rules below)

Then recompile your modules with

make modules
make modules_install
You can then load the necessary modules. modprobe takes one module name per invocation (anything after it is passed to the module as a parameter), so load them separately; iptable_filter depends on ip_tables, so the second command alone would also pull in the first:

modprobe ip_tables
modprobe iptable_filter

Make this permanent by listing the modules in /etc/modules so they are loaded at boot:

softice:/etc# cat modules
# /etc/modules: kernel modules to load at boot time.
#
# This file should contain the names of kernel modules that are
# to be loaded at boot time, one per line. Comments begin with
# a "#", and everything on the line after them are ignored.
ide-cd
ide-disk
ide-generic
psmouse
sd_mod
ip_tables
iptable_filter
softice:/etc#

The match and target modules the rules use (the state match and the connection-tracking module it depends on, for instance) do not need to be listed: iptables requests them as rules that refer to them are added, as long as they were built.
Firewalling rules
We use iptables to set up the master node firewall. See http://www.debian-administration.org/articles/445 for how to make the rules survive a reboot with a script under /etc/network/if-up.d/, which is run each time the interface comes up, instead of an /etc/init.d/ script (which is only run at boot, not each time the interface comes up).
Matt Rideout authored the following rules to restrict access to most of our services to on-campus machines or VPN users:

#!/bin/sh
# set the path to iptables
IPT="/sbin/iptables"

# flush existing iptables rules
$IPT -F

# set default policies - allow all outgoing traffic, and deny all incoming traffic
$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP

# allow loopback traffic; with the DROP policy and no such rule, local
# clients of local daemons are blocked as well
$IPT -A INPUT -i lo -j ACCEPT

# allow all incoming traffic to port 80
$IPT -A INPUT -p TCP --dport 80 -j ACCEPT

# allow all incoming traffic from USF subnets
$IPT -A INPUT -s 131.247.168.0/23 -j ACCEPT   # supernet of 131.247.168.0/24 and 131.247.169.0/24
$IPT -A INPUT -s 131.247.170.0/24 -j ACCEPT

# allow incoming packets for connections that are already established, or related to an established connection
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Two things to check before loading these rules on your own master node: nothing here admits the cluster's private subnet (the 192.168. range that hosts.allow lets in), so add a rule for it or the nodes' tftp boot will hang at the firewall; and the ESTABLISHED,RELATED rule is best placed first, since it matches the bulk of the packets and the address rules then only see new connection attempts.
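As an added example (not the page's script and not Matt Rideout's), here is the same policy rewritten the way a practitioner would install it under /etc/network/if-up.d/ so it is re-applied whenever an interface comes up: loopback allowed, the state rule first, the cluster's private subnet admitted only on the internal interface, and a rate-limited log of what gets dropped. The campus subnets are the page's; the cluster subnet 192.168.0.0/16 and the interface name eth1 are assumptions. With no argument (or with IPT set to echo) it prints the iptables commands instead of running them, which is how it should be tried first.

```shell
#!/bin/sh
# Added example, not the SOFTICE page's own script: master-node INPUT policy
# with loopback, state-first ordering, the cluster's private subnet and a
# rate-limited log of drops. Meant for /etc/network/if-up.d/ so it is
# re-applied whenever an interface comes up.
#
#   ./iptables-rules         dry run: print the iptables commands
#   ./iptables-rules apply   run them with /sbin/iptables (as root)

IPT="${IPT:-/sbin/iptables}"

# Campus supernet (131.247.168.0/24 + 131.247.169.0/24) and the VPN range,
# taken from the page's rules.
CAMPUS_NETS="131.247.168.0/23 131.247.170.0/24"
# Assumed: the private subnet and internal interface the cluster nodes use
# to reach the master for tftp/NFS/ssh.
CLUSTER_NET="192.168.0.0/16"
CLUSTER_IF="eth1"
WEB_PORT=80

# build_rules CMD: issue every rule through CMD (iptables, or echo for a dry run)
build_rules() {
    ipt=$1
    # start from a clean INPUT chain; policies are set before rules are added
    $ipt -F INPUT
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
    # loopback: local clients of local daemons must not hit the DROP policy
    $ipt -A INPUT -i lo -j ACCEPT
    # replies to connections we already know about; first because it matches
    # most packets, so the address rules only see connection attempts
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT -m state --state INVALID -j DROP
    # public web server
    $ipt -A INPUT -p tcp --dport "$WEB_PORT" -j ACCEPT
    # cluster nodes, only when they arrive on the internal interface (a
    # spoofed 192.168.x.x source on the campus side does not get in)
    $ipt -A INPUT -i "$CLUSTER_IF" -s "$CLUSTER_NET" -j ACCEPT
    # campus and VPN users get everything else
    for net in $CAMPUS_NETS; do
        $ipt -A INPUT -s "$net" -j ACCEPT
    done
    # a trickle of the drops in the kernel log, so "tftp hangs" is diagnosable
    $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-drop: "
}

case "${1:-}" in
    apply) build_rules "$IPT" ;;
    *)     build_rules echo ;;
esac
```

If the master has several interfaces and you only want the rules refreshed when the external one comes up, guard the apply branch on the IFACE variable that ifupdown exports to if-up.d scripts.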

