To permenantly enable selected web access to the cluster from other machines on the public network, follow the steps below. Apache's access control directives will provide protection for the most sensitive parts of the cluster web site, however some effort will be necessary to make effective use of them.
HTTP (web access protocol) is a clear-text channel into your cluster. Although the Apache webserver is mature and well tested, security holes in the PHP engine have been found and exploited. Opening web access to the outside world by following the instructions below will make your cluster more prone to malicious attacks and breakins. |
To open port 80 (the 'www' service) for the public network of frontend, execute:
# rocks remove firewall host=localhost rulename=A40-WWW-PUBLIC-LAN # rocks add firewall host=localhost network=public protocol=tcp service=www chain=INPUT \ action=ACCEPT flags="-m state --state NEW --source 0.0.0.0/0.0.0.0" \ rulename=A40-WWW-PUBLIC-NEW |
Then we can see the what the resulting firewall rules will look like:
# rocks report host firewall localhost <file name="/etc/sysconfig/iptables" perms="500"> *nat # MASQUERADE (host) : -A POSTROUTING -o eth1 -j MASQUERADE COMMIT *filter :INPUT ACCEPT [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] # A10-REJECT-411-TCP (host) : -A INPUT -p tcp --dport 372 --sport 1024:65535 -j REJECT # A10-REJECT-411-UDP (host) : -A INPUT -p udp --dport 372 --sport 1024:65535 -j REJECT # A15-ALL-LOCAL (global) : -A INPUT -i lo -j ACCEPT # A20-ALL-PRIVATE (global) : -A INPUT -i eth0 -j ACCEPT # A20-SSH-PUBLIC (global) : -A INPUT -i eth1 -p tcp --dport ssh -m state --state NEW -j ACCEPT # A30-RELATED-PUBLIC (global) : -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT # A40-HTTPS-PUBLIC-LAN (host) : -A INPUT -i eth1 -p tcp --dport https -m state --state NEW --source &Kickstart_PublicNetwork;/&Kickstart_PublicNetmask; -j ACCEPT # A40-WWW-PUBLIC-NEW (host) : -A INPUT -i eth1 -p tcp --dport www -m state --state NEW --source 0.0.0.0/0.0.0.0 -j ACCEPT # A50-FORWARD-RELATED (host) : -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT # A60-FORWARD (host) : -A FORWARD -i eth0 -j ACCEPT # R10-GANGLIA-UDP (host) : block ganglia traffic from non-private interfaces -A INPUT -p udp --dport 8649 -j REJECT # R20-MYSQL-TCP (host) : block mysql traffic from non-private interfaces -A INPUT -p tcp --dport 3306 -j REJECT # R30-FOUNDATION-MYSQL (host) : block foundation mysql traffic from non-private interfaces -A INPUT -p tcp --dport 40000 -j REJECT # R900-PRIVILEGED-TCP (global) : -A INPUT -i eth1 -p tcp --dport 0:1023 -j REJECT # R900-PRIVILEGED-UDP (global) : -A INPUT -i eth1 -p udp --dport 0:1023 -j REJECT COMMIT </file> |
In the above example, eth0 is associated with the private network and eth1 is associated with the public network.
Notice the line: "-A INPUT -i eth1 -p tcp --dport www -m state --state NEW --source 0.0.0.0/0.0.0.0 -j ACCEPT ". This is the line in the firewall configuration that will allow web traffic from any source to flow in and out of the frontend. This line was added to your firewall configuration with the "rocks add firewall host=localhost" command that you executed.
Also, notice that the original line was: "-A INPUT -i eth1 -p tcp --dport www -m state --state NEW --source &Kickstart_PublicNetwork;/&Kickstart_PublicNetmask; -j ACCEPT". This default Rocks firewall rule allows web traffic from your local public subnet to flow in and out of the frontend.
Now apply the configuration to the host:
# rocks sync host firewall localhost |
The host will now accept web traffic on its public interface.
Test your changes by pointing a web browser to http://my.cluster.org/, where "my.cluster.org" is the DNS name of your frontend machine.
If you cannot connect to this address, the problem is most likely in your network connectivity between your web browser and the cluster. Check that you can ping the frontend machine from the machine running the web browser, that you can ssh into it, etc. |