incubator-ambari-user mailing list archives

From Ravindranath Akila <ravindranathak...@gmail.com>
Subject Re: Workaround for disabling iptables and SELinux?
Date Fri, 29 Mar 2013 13:55:40 GMT
Worked for the ambari-server node:
80 to ssh, 8080 since we need to access the web interface, and lo-based
rules to allow local communication within the node.

Unlike the rest of the nodes in the cluster, since this node is open to www
(port 22, 8080), it also needs the DoS and other rules I guess, which are
missing below.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -s <IP1> -j ACCEPT
-A INPUT -s <IP2> -j ACCEPT
-A INPUT -s <IP3> -j ACCEPT
....
-A INPUT -s <IPN> -j ACCEPT

-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-P INPUT DROP
-P FORWARD DROP

COMMIT


R. A.

On Fri, Mar 29, 2013 at 9:29 PM, Ravindranath Akila <
ravindranathakila@gmail.com> wrote:

> Hey Paulo,
>   Thanks, your response helped me a lot. So what I did was enable firewall
> logs and check what requests were getting rejected and dropped. Later I
> figured it is too much configuration (so many ports!). So what I did was
> allow all machines on the cluster to communicate with each other without
> interference and reject all outside traffic. The following rules in
> /etc/sysconfig/iptables worked:
>
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
>
> -A INPUT -s <IP1> -j ACCEPT
> -A INPUT -s <IP2> -j ACCEPT
> -A INPUT -s <IP3> -j ACCEPT
> ....
> -A INPUT -s <IPN> -j ACCEPT
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -P INPUT DROP
> -P FORWARD DROP
>
>
> COMMIT
>
> where <IP1> <IP2> <IP3> <IPN> are the IPs of the machines in
> the cluster.
>
> However, the node which contains ambari-server, and nothing else, does not
> like this. So part of the security concerns is taken care of, as all the
> rest of the cluster nodes are open only to each other. But how I go about
> with the ambari-server node, I need to figure out. Any idea why this might
> be the case? DB port needs to be open maybe?
>
>
>
>
> On Wed, Mar 27, 2013 at 6:55 PM, Paulo Ricardo Paz Vital <
> pvital@linux.vnet.ibm.com> wrote:
>
>> Hello Ravindranath,
>>
>> From what I could understand of Ambari's design, iptables can block some
>> ports used between server and a client (agent nodes) during the client's
>> registration step, as well as the heartbeat communication during the execution
>> of the cluster. Also, there is the port of the web UI provided by ambari-web on
>> the server, and there are some ports (I never remember the numbers) that
>> Nagios uses to provide some components' web UI on clients.
>>
>> I guess you can create iptables rules for all these ports on both server
>> and client sides. Maybe the ambari-server and ambari-agent can check the
>> iptables rules and create them if not running. I was talking with a friend
>> yesterday regarding this "missing feature" - my intention is not to create a
>> flame here guys :-D !!!
>>
>> Now, regarding SELinux, I don't know the restrictions it impose on
>> Ambari, so I can't help you on this - I must study this part :-D.
>>
>> I hope this helps you!
>> Regards, Paulo.
>>
>>
>> On 03/27/2013 12:18 AM, Ravindranath Akila wrote:
>>
>>> Actually, how does iptables and SELinux interfere with Ambari? If I know
>>> that, maybe I can look for a workaround. Thanks in advance.
>>>
>>> Yours,
>>>    Ravindranath Akila...
>>>
>>> On Wed, Mar 27, 2013 at 1:53 AM, Ravindranath Akila
>>> <ravindranathakila@gmail.com>
>>> wrote:
>>>
>>>     I am tempted to do that or go for a physical firewall on Rackspace
>>>     for 25k per month :-)
>>>     My exposure to shell scripting is bad :-( Where can I grab the code?
>>>
>>>     Thanks!
>>>
>>>     R. A.
>>>
>>>     On 26 Mar 2013 01:44, "Mahadev Konar" <mahadev@hortonworks.com>
>>>     wrote:
>>>
>>>         Hi Ravindra,
>>>           Currently there isn't, but it should be a minor change to the
>>>         scripts. Do you want to file a jira and maybe upload a patch? :)
>>>         We could switch it off with a flag option.
>>>
>>>         thanks
>>>         mahadev
>>>
>>>         On Mon, Mar 25, 2013 at 6:18 AM, Ravindranath Akila
>>>         <ravindranathakila@gmail.com>
>>>         wrote:
>>>
>>>             Hello,
>>>                Is there a workaround for disabling iptables and SELinux?
>>>             I'm exploring the options of securing the cluster in the
>>>             cloud without a physical firewall. Any suggestions would be
>>>             great!
>>>
>>>             Thanks in advance :-)
>>>
>>>             Yours,
>>>                Ravindranath Akila...
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Paulo Ricardo Paz Vital, Staff Software Engineer
>> Linux Technology Center, IBM Systems & Technology Group
>> -------------------------------------------------------
>> IBM
>> Rodovia SP101, km9 - ZIP: 13186-900
>> Hortolândia, SP - Brazil
>> Phone: +55-19-2132-2336
>> e-mail: pvital@linux.vnet.ibm.com
>> http://www.ibm.com/linux/ltc
>>
>>
>
>
>



-- 
<http://www.ILikePlaces.com>
*Find out on I Like Places* <http://www.ILikePlaces.com>
*http://www.ILikePlaces.com* <http://www.ILikePlaces.com>
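The allow-list ruleset worked out in this thread, rebuilt as an added shell example (not code from the thread or from Ambari): it generates the iptables-restore file for either an agent node or the ambari-server node from a list of cluster addresses. The addresses are constructed placeholders, and the per-source ssh rate limit on the server node is an assumption standing in for the DoS rules the poster noted were still missing.

```shell
#!/bin/sh
# Added example: builds an /etc/sysconfig/iptables (iptables-restore format)
# ruleset for a cluster node. Cluster addresses are constructed placeholders.

CLUSTER_IPS="10.0.0.11 10.0.0.12 10.0.0.13"   # constructed sample addresses

# gen_rules <agent|server>: print the ruleset for a node of that role.
gen_rules() {
  role=$1
  # Chain policies belong in the ":CHAIN POLICY [pkts:bytes]" header lines
  # of iptables-restore format: default-deny for INPUT and FORWARD.
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  # Loopback and reply traffic first, so they match before the source list.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  # Every cluster member may reach every other member on any port (agent
  # registration, heartbeats, Hadoop services); nothing else gets in.
  for ip in $CLUSTER_IPS; do
    printf '%s\n' "-A INPUT -s $ip -j ACCEPT"
  done
  if [ "$role" = server ]; then
    # Only the ambari-server node is reachable from outside: ssh and the
    # Ambari web UI. New ssh connections are capped at 5 per minute per
    # source (assumed rate limit) so a brute-force run cannot hog the port.
    printf '%s\n' '-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH'
    printf '%s\n' '-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP'
    printf '%s\n' '-A INPUT -p tcp --dport 22 -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --dport 8080 -j ACCEPT'
  fi
  printf '%s\n' 'COMMIT'
}

# count_allowed_sources <agent|server>: number of per-host allow rules emitted.
count_allowed_sources() {
  gen_rules "$1" | grep -c '^-A INPUT -s '
}

# exposes_port <agent|server> <port>: succeeds if that role opens the TCP port.
exposes_port() {
  gen_rules "$1" | grep -q -- "--dport $2 -j ACCEPT"
}
```

Write the output of `gen_rules server` to /etc/sysconfig/iptables and reload with `service iptables restart`; `iptables-restore --test < /etc/sysconfig/iptables` parses the file without committing it, which catches syntax errors before the cluster loses connectivity.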
