Difference between revisions of "Iptables"

From Nuclear Physics Group Documentation Pages
Jump to navigationJump to search
Line 1: Line 1:
The iptables is part of the standard Red-Hat / Linux firewall. The usual way to configure this is through the guis, but BEWARE, we have a customized setup.
+
= Iptables =
  
The reason for the customization is that this allows us to use netgroups, i.e. we pull lists of system names from the LDAP database and allow certain services to every system in that list.
+
<font size="+2" color="red"><b>Very Advanced Sysadmins Only!!!</b></font> <br><br>
 +
<font size="+1" color="green"><b>Make sure you DOCUMENT every tiny little change you make!!!</b></font><br>
 +
OK, I am done yelling at you, but seriously, this is where we have made many mistakes, and they can be very serious, either locking people out or blowing our
 +
security wide open. These configurations are very powerful and thus very dangerous.
 +
 
 +
= Introduction =
 +
 
 +
The iptables is part of the standard Red-Hat / Linux firewall. The usual way to configure this is through the guis, but BEWARE, we have a customized setup, '''so don't use the ****ing guis'''. The reason for the customization is that this allows us to use netgroups, i.e. we pull lists of system names from the LDAP database and allow certain services to every system in that list. The other reason not to use the gui is that it is too easy to think you know what you are doing, while you have no clue.
 +
 
 +
== The LDAP Connection ==
 +
 
 +
To get a set of rules from LDAP we have a custom Perl script that gets these rules from the LDAP tables called "Netgroup". In this area of LDAP are a number of tables of object class "NisNetgroup" (and "top"), which contain a set of "NisNetgroupTriple" entries. For each table the scripts /usr/local/bin/netgroups2iptables.pl will make a corresponding iptables table. To see the resulting rules added to the iptables, type:
 +
/usr/local/bin/netgroup2iptables.pl -v -dump
 +
For the proper functioning of our iptables, it is thus '''pertinent''' (that is a fancy word for very important) that the LDAP server is running and the connection to LDAP can be made. After the iptables are started the init system then needs to execute:
 +
/etc/init.d/iptables-netgroups start
 +
(On some systems this will be called "iptables-npg").
 +
 
 +
For each line in each table you will then get a new iptables rule that states:
 +
iptables -A accept-@table_name -s system-ip -j ACCEPT
 +
 
 +
 
 +
 
 +
Note that because we are
  
 
== Configuration ==
 
== Configuration ==

Revision as of 12:41, 4 June 2009

Iptables

Very Advanced Sysadmins Only!!!

Make sure you DOCUMENT every tiny little change you make!!!
OK, I am done yelling at you, but seriously, this is where we have made many mistakes, and they can be very serious, either locking people out or blowing our security wide open. These configurations are very powerful and thus very dangerous.

Introduction

The iptables is part of the standard Red-Hat / Linux firewall. The usual way to configure this is through the guis, but BEWARE, we have a customized setup, so don't use the ****ing guis. The reason for the customization is that this allows us to use netgroups, i.e. we pull lists of system names from the LDAP database and allow certain services to every system in that list. The other reason not to use the gui is that it is too easy to think you know what you are doing, while you have no clue.

The LDAP Connection

To get a set of rules from LDAP we have a custom Perl script that gets these rules from the LDAP tables called "Netgroup". In this area of LDAP are a number of tables of object class "NisNetgroup" (and "top"), which contain a set of "NisNetgroupTriple" entries. For each table the scripts /usr/local/bin/netgroups2iptables.pl will make a corresponding iptables table. To see the resulting rules added to the iptables, type:

/usr/local/bin/netgroup2iptables.pl -v -dump

For the proper functioning of our iptables, it is thus pertinent (that is a fancy word for very important) that the LDAP server is running and the connection to LDAP can be made. After the iptables are started the init system then needs to execute:

/etc/init.d/iptables-netgroups start

(On some systems this will be called "iptables-npg").

For each line in each table you will then get a new iptables rule that states:

iptables -A accept-@table_name -s system-ip -j ACCEPT


Note that because we are

Configuration

The normal configuration for the iptables is in /etc/sysconfig/iptables and /etc/sysconfig/iptables-config. The startup script is /etc/init.d/iptables

We have customizations as follows:

  • /etc/init.d/iptables-netgroups This script runs /usr/local/bin/netgroup2iptables.pl
  • /usr/local/bin/netgroup2iptables.pl A perl scripts which pulls the netgroup information from the LDAP. It uses "iptables-save" (system command) to get the current iptables.
  • /etc/sysconfig/iptables-npg The iptables that the iptables-config points to for the data.
NOTE: Change the lines:
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ! eth1 -s 10.0.0.0/24 -j REJECT --reject-with icmp-net-prohibited
To be eth0 or eth1 whatever nic is looking at the FARM NET.

Note that this system has a vulnerability: The iptables-npg can become corrupted on an /etc/init.d/iptables save command.

Note that the scripts won't work if the Perl LDAP.pm module is not installed. Install it with:

 yum install perl-LDAP
 # OR if this is not available:
 perl -MCPAN -e 'install Net::LDAP'

Details

These should be added. Specifically, who what where why things are blocked would be nice. It'd be nice to see if it's possible to move to a simpler setup — one that doesn't require LDAP bootstrapping ugliness.