Very Advanced Sysadmins Only!!!
Make sure you DOCUMENT every tiny little change you make!!!
OK, I am done yelling at you, but seriously, this is where we have made many mistakes, and they can be very serious, either locking people out or blowing our security wide open. These configurations are very powerful and thus very dangerous.
The iptables is part of the standard Red-Hat / Linux firewall. The usual way to configure this is through the guis, but BEWARE, we have a customized setup, so don't use the ****ing guis. The reason for the customization is that this allows us to use netgroups, i.e. we pull lists of system names from the LDAP database and allow certain services to every system in that list. The other reason not to use the gui is that it is too easy to think you know what you are doing, while you have no clue.
The LDAP Connection
To get a set of rules from LDAP we have a custom Perl script that gets these rules from the LDAP tables called "Netgroup". In this area of LDAP are a number of tables of object class "NisNetgroup" (and "top"), which contain a set of "NisNetgroupTriple" entries. For each table the scripts /usr/local/bin/netgroups2iptables.pl will make a corresponding iptables table. To see the resulting rules added to the iptables, type:
/usr/local/bin/netgroup2iptables.pl -v -dump
For the proper functioning of our iptables, it is thus pertinent (that is a fancy word for very important) that the LDAP server is running and the connection to LDAP can be made. After the iptables are started the init system then needs to execute:
(On some systems this will be called "iptables-npg").
For each line in each table you will then get a new iptables rule that states:
iptables -A accept-@table_name -s system-ip -j ACCEPT
Now, because we are dealing with iptables, we can also write a line that adds a jump ( -j) to another table. This is done by adding a non-blank memberNisNetgroup entry to our LDAP table. This will cause a jump to that set of rules instead of to the "ACCEPT" rule. So the entry "memberNisNetgroup specials" in the table "cn=supersystems" makes an iptable rule:
iptables -A accept-@supersystems -j accept-@specials
This allows us to chain the tables, so you can make one table with all the servers and then write a rule to allow, say NFS access and MySQL access to all the systems that are servers without needing to re-list all the systems that are considered servers.
Note: that the BACKUP SYSTEM makes use of the same tables! So adding a new "server" causes the backup system to try to connect to that server as well.
Note: that the scripts won't work if the Perl LDAP.pm module is not installed. Install it with:
yum install perl-LDAP # OR if this is not available: perl -MCPAN -e 'install Net::LDAP'
The normal configuration for the iptables is in /etc/sysconfig/iptables and /etc/sysconfig/iptables-config. The startup script is /etc/init.d/iptables
We have customizations as follows:
- /etc/init.d/iptables-netgroups This script runs /usr/local/bin/netgroup2iptables.pl (On some systems this is called /etc/init.d/iptables-npg a bit confusing, to be fixed.)
- /usr/local/bin/netgroup2iptables.pl A perl scripts which pulls the netgroup information from the LDAP. It uses "iptables-save" (system command) to get the current iptables.
- /etc/sysconfig/iptables-npg The iptables that the iptables-config points to for the data.
So new rules for allowing access must be set in /etc/sysconfig/iptables-npg and you must never use the "iptables save" command!
Iptables is an increadibly powerful system that allows filtering and forwarding and all sorts of fancy stuff. With sufficient smarts it can be used to create tunnels and forwarding and all sorts of weirdness. Since we don't want weirdness, please control yourself and don't write rules that say forward all the http traffic on pepper to einstein! Don't write a rule that allows your machine to get to everything on a server either!
The basic functionality of iptables is contained in it's tables, which contains a "chain" of rules. This means that it flows through the chain until it hits a rule that matches, at which point it jumps (-j) to the next chain. The main chain in INPUT, which is where everything starts, and ACCEPT or REJECT where things end.
For our systems
For our servers, we completely trust the backend network, so accept everything. You need to use "ifconfig" to make sure which is which!
NOTE: Change the lines for the appropriate interface: -A INPUT -i eth0 -j ACCEPT -A INPUT -i ! eth0 -s 10.0.0.0/24 -j REJECT --reject-with icmp-net-prohibited
To be eth0 or eth1 whatever nic is looking at the FARM NET.
Note that this system has a vulnerability: The iptables-npg can become corrupted on an /etc/init.d/iptables save command.