Iptables

From Nuclear Physics Group Documentation Pages
Jump to navigationJump to search

The iptables is part of the standard Red-Hat / Linux firewall. The usual way to configure this is through the guis, but BEWARE, we have a customized setup.

The reason for the customization is that this allows us to use netgroups, i.e. we pull lists of system names from the LDAP database and allow certain services to every system in that list.

Configuration

The normal configuration for the iptables is in /etc/sysconfig/iptables and /etc/sysconfig/iptables-config. The startup script is /etc/init.d/iptables

We have customizations as follows:

  • /etc/init.d/iptables-netgroups This script runs /usr/local/bin/netgroup2iptables.pl
  • /usr/local/bin/netgroup2iptables.pl A perl scripts which pulls the netgroup information from the LDAP. It uses "iptables-save" (system command) to get the current iptables.
  • /etc/sysconfig/iptables-npg The iptables that the iptables-config points to for the data.
NOTE: Change the lines:
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ! eth1 -s 10.0.0.0/24 -j REJECT --reject-with icmp-net-prohibited
To be eth0 or eth1 whatever nic is looking at the FARM NET.

Note that this system has a vulnerability: The iptables-npg can become corrupted on an /etc/init.d/iptables save command.

Note that the scripts won't work if the Perl LDAP.pm module is not installed. Install it with:

 yum install perl-LDAP
 # OR if this is not available:
 perl -MCPAN -e 'install Net::LDAP'

Details

These should be added. Specifically, who what where why things are blocked would be nice. It'd be nice to see if it's possible to move to a simpler setup — one that doesn't require LDAP bootstrapping ugliness.