IPTables / Firewall set up for clusters

Richard Benson, 09 August 2010, Web, IT Pros
Upon creation, most Rackspace Cloud Servers have a completely open firewall policy that will allow any computer into any port on your machine.  Linux uses IPTables to firewall connections into and out of your server but needs a fair amount of configuration to get it working and for it to stay working on a reboot.

In this article we will cover basic saving and loading of IPTables rules in Debian/Ubuntu on shutdown and boot up as well as common rules that go with our other guides.

Loading and saving rules

Saving rules on demand

iptables-save > /etc/iptables.rules

Loading rules from a file

iptables-restore < /etc/iptables.rules

Loading rules on boot

One of the most efficient and safe ways of accomplishing this is through the "pre-up" command of the network interfaces loader.  This means that the rules will be applied before the network connection is available, whereas adding to init.d could leave you with an open firewall for a few seconds.

Edit your interfaces file:
nano /etc/network/interfaces

Then in the "iface eth0" section add the following:
pre-up iptables-restore < /etc/iptables.rules

Saving rules on shutdown

With the standard set up, all your rules will be wiped as soon as your box reboots, meaning you are either locked out or your server is open to the world.  Luckily, setting rules to save automatically on shutdown is easy.  Bear in mind, however, that if you make a mistake in your rules, you will not be able to simply reboot to regain access, because the mistaken rules are saved on shutdown and reloaded on boot.

Edit your interfaces file:

nano /etc/network/interfaces

Then in the "iface eth0" section add the following:

post-down iptables-save > /etc/iptables.rules

Common IPTables rules

Allow SSH from your IP

iptables -A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 22 -j ACCEPT
Replace 1.2.3.4/32 with the IP address or range you want to allow.  As mentioned under the "Block all traffic" rule, rules are processed in the order you enter them, so it is generally a good idea to enter this rule before any others.

Allow web traffic from anywhere

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Allow HTTPS traffic

iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Allow MySQL standard connections from an IP

iptables -A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 3306 -j ACCEPT

Allow MySQL Cluster traffic into a node

iptables -A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 2202 -j ACCEPT 

Allow MySQL Cluster traffic into a management server

iptables -A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 1186 -j ACCEPT

Allow all localhost/loopback requests

iptables -A INPUT -i lo -j ACCEPT

Allow Ping

iptables -A INPUT -p icmp -j ACCEPT

Allow all currently connected, as well as related packets

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Block all traffic

iptables -A INPUT -j DROP
The order in which you enter the rules is important, so make sure this rule is entered last; otherwise every connection will match it and your other rules will never be consulted.

Full IPTables examples

These examples relate to other articles on this blog, and reference IP address examples in those.  Where you see 1.2.3.4, replace this with the outgoing IP address of your internet connection if you need remote access locked down to your local machine, otherwise you can ignore these lines.

MySQL Cluster Node

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.0.0.1/32 -p tcp -m tcp --dport 2202 -j ACCEPT
iptables -A INPUT -s 10.0.0.2/32 -p tcp -m tcp --dport 2202 -j ACCEPT
iptables -A INPUT -s 10.0.0.3/32 -p tcp -m tcp --dport 2202 -j ACCEPT
iptables -A INPUT -s 10.0.0.4/32 -p tcp -m tcp --dport 2202 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP

MySQL Cluster Management server (with MySQL server running also)

The IP address 10.0.0.5 is an example of a SQL client you want to connect to your cluster.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.0.0.1/32 -p tcp -m tcp --dport 1186 -j ACCEPT
iptables -A INPUT -s 10.0.0.2/32 -p tcp -m tcp --dport 1186 -j ACCEPT
iptables -A INPUT -s 10.0.0.3/32 -p tcp -m tcp --dport 1186 -j ACCEPT
iptables -A INPUT -s 10.0.0.4/32 -p tcp -m tcp --dport 1186 -j ACCEPT
iptables -A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
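As an added example (not a script from the article), the following POSIX shell function writes either of the two rule sets above in iptables-restore format, taking the role and the addresses as arguments, followed by a check that the ordering caveat from "Block all traffic" holds before the file is loaded.  The function names and the "node"/"mgmt" role labels are this example's own.

```shell
#!/bin/sh
# Added example: build an iptables-restore style rules file for one cluster
# machine, keeping the article's order: loopback and admin SSH first,
# catch-all DROP last.  Role names and function names are this example's.
#
# write_rules ROLE ADMIN_IP CLIENT_IP NODE_IP [NODE_IP...]
#   ROLE      "node" (data node, port 2202) or "mgmt" (management server, 1186)
#   ADMIN_IP  the article's 1.2.3.4: the address you SSH in from
#   CLIENT_IP for mgmt, the SQL client allowed on 3306 ("-" for none)
#   NODE_IP   cluster members allowed on the role's port
write_rules() {
    role=$1 admin=$2 client=$3
    shift 3
    case "$role" in
        node) port=2202 ;;
        mgmt) port=1186 ;;
        *) printf 'unknown role: %s\n' "$role" >&2; return 1 ;;
    esac
    # Chain policies stay ACCEPT as in the article; the final DROP rule closes INPUT.
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' "-A INPUT -s $admin/32 -p tcp -m tcp --dport 22 -j ACCEPT"
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip/32 -p tcp -m tcp --dport $port -j ACCEPT"
    done
    if [ "$role" = mgmt ] && [ "$client" != - ]; then
        printf '%s\n' "-A INPUT -s $client/32 -p tcp -m tcp --dport 3306 -j ACCEPT"
    fi
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -j DROP' 'COMMIT'
}

# Before loading a rules file: the catch-all DROP must be the last INPUT rule
# (anything appended after it is never evaluated) and the admin SSH rule must
# be present before it, so a reload cannot lock you out.
check_order() {
    rules=$(grep '^-A INPUT' "$1")
    last=$(printf '%s\n' "$rules" | tail -n 1)
    [ "$last" = '-A INPUT -j DROP' ] || return 1
    printf '%s\n' "$rules" | grep -q -- '--dport 22 ' || return 1
}
```

A typical run is `write_rules node 1.2.3.4 - 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 > /etc/iptables.rules && check_order /etc/iptables.rules`, after which the pre-up line from earlier in the article loads it on boot.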
