Friday 11 March 2016

My (very) basic guide to iptables and jde

I’ve got my web servers firewalled and everything, as they are going to be public facing.  I’ve implemented a bunch of security groups to only allow certain ports to connect, but I’m belt and braces, so I’m also firewalling on the host itself.

I use the standard iptables functionality, and I keep things simple too.  I edit the /etc/sysconfig/iptables file directly to do my configuration, as I have not really worked out the sequence of iptables commands. (Yes, sequencing is important: rules are evaluated top to bottom, so you must ALLOW and then REJECT.)  If (in a linear sense) you reject before you allow, nothing is going to get through.

A sample file from my web server is below.  Note that I’m restricting inbound traffic to this server.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 9000 -j ACCEPT
-A INPUT -p tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp --dport 9002 -j ACCEPT
-A INPUT -p tcp --dport 7001 -j ACCEPT
-A INPUT -p tcp --dport 14501 -j ACCEPT
-A INPUT -p tcp --dport 14502 -j ACCEPT
-A INPUT -p tcp --dport 5556 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

You can then save this off and load it with the service commands below.  This allows AdminServer (7001), the node manager (5556) and my JD Edwards instances (9000-9002).  It also allows the server manager traffic (14501 and 14502).  Note that I could further restrict the source and destination, but I’m not going to do that for now.

service iptables start

service iptables stop

You can list the loaded rules with iptables -L (but the detail is not great: where a port has a name in /etc/services it is shown as that name rather than the number).

[root@vltweb01 software]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:cslistener
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:dynamid
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:afs3-callback
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:14501
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:14502
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:freeciv
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Note that all of these need to match your security groups: a port opened here but not in the security group (or the other way round) is still blocked.
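As an added example (not part of the original post), here is a small check to run over the rules file before loading it. It flags an INPUT ACCEPT that sits below the catch-all REJECT (unreachable, the ordering point above) and any opened port that is not in the list of ports your security group allows; the sample files it builds are constructed here, and the allow list is an assumed argument.

```shell
# Added example: sanity-check an iptables-restore file such as
# /etc/sysconfig/iptables before loading it.
#   1. ordering: an INPUT ACCEPT after the catch-all REJECT is unreachable
#      because rules are evaluated top to bottom;
#   2. every tcp --dport opened in INPUT must be in the security-group
#      allow list passed as "$2" (space separated; ranges as 6016:6030).
# Prints each finding; returns 1 if anything was found, 0 otherwise.
check_iptables_file() {
  awk -v allowed="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^-A INPUT / {
      if (rejected && $0 ~ /-j ACCEPT/) { print "unreachable (after REJECT): " $0; bad = 1 }
      if (match($0, /--dport [0-9]+(:[0-9]+)?/)) {
        port = substr($0, RSTART + 8, RLENGTH - 8)
        if (!(port in ok)) { print "not in security group list: port " port; bad = 1 }
      }
      # a REJECT/DROP with no port match is the catch-all; rules after it are dead
      if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ /--dport/) rejected = 1
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Constructed sample files: GOOD mirrors the web-server ordering from the post,
# BAD is the same file with the node manager rule (5556) moved below the REJECT.
SAMPLE_GOOD=$(mktemp); SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 9000 -j ACCEPT
-A INPUT -p tcp --dport 7001 -j ACCEPT
-A INPUT -p tcp --dport 5556 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
awk '/dport 5556/ { held = $0; next } /^-A INPUT -j REJECT/ { print; print held; next } { print }' \
  "$SAMPLE_GOOD" > "$SAMPLE_BAD"

check_iptables_file "$SAMPLE_GOOD" "22 9000 7001 5556" && echo "GOOD: no findings"
check_iptables_file "$SAMPLE_BAD"  "22 9000 7001 5556" || echo "BAD: problems found"
```

On a live box, run it as check_iptables_file /etc/sysconfig/iptables "22 9000 ..." with the ports your security group actually opens.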

I need security groups because I have a public facing VPC and a private VPC, so I control the traffic between them.

To keep a copy of the running rules:

iptables-save > /tmp/iptables.config

Enterprise Server

This is slightly more complicated.  The iptables config is below; note the port range for JDENET.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 14501 -j ACCEPT
-A INPUT -p tcp --dport 14502 -j ACCEPT
-A INPUT -p tcp --dport 6016:6030 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Note that in JDE.INI, I set enablePredefinedPorts=1 in the [JDENET] section.

[JDENET]
FilePacketBufferSize=32768
internalQueueTimeOut=30
kernelDelay=0
krnlCoreDump=0
maxFixedDataPackets=2000
maxIPCQueueMsgs=400
maxLenFixedData=16384
maxLenInlineData=4096
maxNumSocketMsgQueue=800
netBroadcastAddress=INADDR_BROADCAST
netChildCheck=5
netCoreDump=0
netShutdownInterval=5
serviceNameListen=6016
serviceNameConnect=6016
maxNetProcesses=10
maxNetConnections=800
maxKernelProcesses=60
maxKernelRanges=34
netTrace=0
enablePredefinedPorts=1

This means that the JDENET ports are allocated upwards from serviceNameListen (6016), which is why the firewall opens the range 6016:6030 rather than a single port.  You can see them in use:

[root@vltent01 ~]# netstat -on |grep 60
tcp        0      0 10.10.20.122:6021           10.10.30.211:33907          ESTABLISHED keepalive (7002.54/0/0)
tcp        0      0 10.10.20.122:6017           10.10.20.122:34597          ESTABLISHED keepalive (5527.98/0/0)
tcp        0      0 10.10.20.122:6022           10.10.30.211:36543          ESTABLISHED keepalive (7002.54/0/0)
tcp        0      0 ::ffff:10.10.20.122:34597   ::ffff:10.10.20.122:6017    ESTABLISHED off (0.00/0/0)
unix  3      [ ]         DGRAM                    9260
