Francis,
Thank you very much.
That was simpler than I thought. I'm also trying to set this up for having clients
in a VDMZ, so I assume that the interface between the corporate network and
the VDMZ will look like the client and server openings in IPTABLES. If I can
get that, our security people will implement it for us.
1. What do you do, if anything about the "service ports"?
2. You don't need an opening for portmapper (111)? Is that just for clients?
3. On my clients, I have the following entries (this works):
-m state --state NEW -m tcp -p tcp --dport 7937 -j ACCEPT
-m state --state NEW -m tcp -p tcp --dport 7938 -j ACCEPT
-m state --state NEW -m tcp -p tcp --dport 7939 -j ACCEPT
-m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
4. Any idea what a storage node would need?
Again, thanks very much. I assume you're running some version >= 7.3.
We're running 7.4.
Matt Temple
=========================================
Francis Swasey wrote:
On 6/15/09 9:52 AM, Matt Temple wrote:
Dear Networker group,
Is there anyone reading this list who is running Linux
on a Networker Server and who is also running IPTABLES,
who would be willing to share his/her IPTABLES
settings.
Uhm... yes... what do you need to know?
I have the following rules:
-m tcp -p tcp -s <client_network> --dport 7937:9936 -j ACCEPT
-m udp -p udp -s <client_network> --dport 7938 -j ACCEPT
and in general you will always need:
-m state --state ESTABLISHED,RELATED -j ACCEPT
I picked 7937:9936 because that was the output of the nsrports command
on my server. If you have run nsrports and adjusted the Service
ports, you should adjust the iptables rule to match.
--
=============================================================
Matthew Temple, Director, Research Computing
Dana-Farber Cancer Institute, 44 Binney Street, LW250, Boston, MA 02115
Tel: 617/632-2597   Fax: 617/582-7820
mht AT research.dfci.harvard DOT edu   http://research.dfci.harvard.edu
Choice is the Choice!
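Added example, not from either poster: a small POSIX shell script that takes the "Service ports" range from nsrports output and emits the server-side iptables rules in the shape Francis describes, refusing a range that is not a valid port interval. The nsrports output line format ("Service ports: 7937-9936") and the sample text are assumptions; the 192.0.2.0/24 client network is a constructed placeholder.

```shell
#!/bin/sh
# Constructed sample standing in for real `nsrports` output (assumed format).
NSRPORTS_SAMPLE='Service ports: 7937-9936
Connection ports: 0-0'

# Read nsrports-style text on stdin and print the service range as "lo:hi",
# the syntax iptables --dport expects. Returns 1 if the line is missing or
# the numbers are not a sane port interval (1-65535, lo <= hi).
service_range() {
    range=$(sed -n 's/^Service ports: *\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1:\2/p' | head -n 1)
    [ -n "$range" ] || return 1
    lo=${range%%:*}
    hi=${range##*:}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
    printf '%s\n' "$range"
}

# Print the INPUT rules for one client network, mirroring the thread's
# server rules: reply traffic, the TCP service range, and the UDP port
# (7938 in Francis's rule; override with a third argument if yours differs).
server_rules() {
    net=$1
    range=$2
    udp=${3:-7938}
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A INPUT -m tcp -p tcp -s %s --dport %s -j ACCEPT\n' "$net" "$range"
    printf 'iptables -A INPUT -m udp -p udp -s %s --dport %s -j ACCEPT\n' "$net" "$udp"
}

# Stand-alone run: feed the constructed sample (replace with `nsrports` output).
range=$(printf '%s\n' "$NSRPORTS_SAMPLE" | service_range) && server_rules 192.0.2.0/24 "$range"
```

Re-run it after any nsrports change so the rule range stays in step with the server, which is the point Francis makes about adjusting the iptables rule to match.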