Difference between revisions of "OpenHPC: Configure Firewalld"

From Define Wiki
Jump to navigation Jump to search
 
(4 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
== Setup a trusted internal zone ==
 +
<syntaxhighlight>
 +
[root@head scratch]# cat setup_firewall.sh
 +
#!/bin/bash
 +
 +
sms_eth_internal=eno2
 +
sms_eth_external=eno1
 +
enable_infiniband=true
 +
 +
################################################################################
 +
# Configure the firewall
 +
################################################################################
 +
# Ensure the firewall is active (some VM images don't include it)
 +
yum -y install firewalld
 +
systemctl enable firewalld.service
 +
systemctl start firewalld.service
 +
 +
# Allow all traffic on the internal cluster network interface
 +
firewall-cmd --permanent --zone=trusted --change-interface=${sms_eth_internal}
 +
 +
# Perform NAT for traffic going out the public interface
 +
firewall-cmd --permanent --zone=public --add-masquerade
 +
sysctl -w net.ipv4.ip_forward=1
 +
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/ip_forward.conf
 +
 +
# Be restrictive on the external network interface
 +
firewall-cmd --permanent --zone=public --change-interface=${sms_eth_external}
 +
 +
# If there is an InfiniBand fabric, trust its traffic
 +
if [[ "${enable_infiniband}" == "true" ]]; then
 +
    firewall-cmd --permanent --zone=trusted --change-interface=ib0
 +
fi
 +
 +
firewall-cmd --permanent --zone=public --add-service=ssh
 +
 +
# Reload rules for them to take effect
 +
firewall-cmd --reload
 +
</syntaxhighlight>
 +
 +
== OLD CONFIG ==
 +
 
== Configuring Firewalld to forward traffic between Internal and External Interfaces ==
 
== Configuring Firewalld to forward traffic between Internal and External Interfaces ==
  
 
<syntaxhighlight>
 
<syntaxhighlight>
firewall-cmd --zone=external --add-interface=eno2 --permanent
+
firewall-cmd --zone=external --add-interface=enp1s0f1 --permanent
firewall-cmd --zone=internal --add-interface=eno1 --permanent
+
firewall-cmd --zone=internal --add-interface=enp1s0f0 --permanent
  
 
firewall-cmd --zone=external --add-masquerade --permanent
 
firewall-cmd --zone=external --add-masquerade --permanent
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eno2 -j MASQUERADE -s 10.10.10.0/24
+
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o enp1s0f1 -j MASQUERADE
 
firewall-cmd --permanent --zone=internal --add-service=dhcp
 
firewall-cmd --permanent --zone=internal --add-service=dhcp
 
firewall-cmd --permanent --zone=internal --add-service=tftp
 
firewall-cmd --permanent --zone=internal --add-service=tftp
Line 12: Line 53:
 
firewall-cmd --permanent --zone=internal --add-service=http
 
firewall-cmd --permanent --zone=internal --add-service=http
 
firewall-cmd --permanent --zone=internal --add-service=nfs
 
firewall-cmd --permanent --zone=internal --add-service=nfs
firewall-cmd --permanent --zone=internal --add-servive=ssh
 
 
firewall-cmd --permanent --zone=internal --add-service=ssh
 
firewall-cmd --permanent --zone=internal --add-service=ssh
 +
firewall-cmd --permanent --zone=internal --add-service=mountd
 +
firewall-cmd --permanent --zone=internal --add-service=rpc-bind
 
firewall-cmd --complete-reload
 
firewall-cmd --complete-reload
 
firewall-cmd --list-all-zones
 
firewall-cmd --list-all-zones
Line 31: Line 73:
 
firewall-cmd --permanent --zone=internal --add-port=8662/tcp
 
firewall-cmd --permanent --zone=internal --add-port=8662/tcp
 
firewall-cmd --permanent --zone=internal --add-port=8663/tcp
 
firewall-cmd --permanent --zone=internal --add-port=8663/tcp
firewall-cmd --permanent --zone=internal --add-port=8660/u
+
firewall-cmd --permanent --zone=internal --add-port=8660/udp
 
firewall-cmd --permanent --zone=internal --add-port=8661/udp
 
firewall-cmd --permanent --zone=internal --add-port=8661/udp
 
firewall-cmd --permanent --zone=internal --add-port=8662/udp
 
firewall-cmd --permanent --zone=internal --add-port=8662/udp

Latest revision as of 22:12, 8 November 2016

Setup a trusted internal zone

[root@head scratch]# cat setup_firewall.sh 
#!/bin/bash

sms_eth_internal=eno2
sms_eth_external=eno1
enable_infiniband=true

################################################################################
# Configure the firewall
################################################################################
# Ensure the firewall is active (some VM images don't include it)
yum -y install firewalld
systemctl enable firewalld.service
systemctl start firewalld.service
 
# Allow all traffic on the internal cluster network interface
firewall-cmd --permanent --zone=trusted --change-interface=${sms_eth_internal}
 
# Perform NAT for traffic going out the public interface
firewall-cmd --permanent --zone=public --add-masquerade
sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/ip_forward.conf
 
# Be restrictive on the external network interface
firewall-cmd --permanent --zone=public --change-interface=${sms_eth_external}
 
# If there is an InfiniBand fabric, trust its traffic
if [[ "${enable_infiniband}" == "true" ]]; then
    firewall-cmd --permanent --zone=trusted --change-interface=ib0
fi

firewall-cmd --permanent --zone=public --add-service=ssh

# Reload rules for them to take effect
firewall-cmd --reload

OLD CONFIG

Configuring Firewalld to forward traffic between Internal and External Interfaces

firewall-cmd --zone=external --add-interface=enp1s0f1 --permanent
firewall-cmd --zone=internal --add-interface=enp1s0f0 --permanent

firewall-cmd --zone=external --add-masquerade --permanent
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o enp1s0f1 -j MASQUERADE
firewall-cmd --permanent --zone=internal --add-service=dhcp
firewall-cmd --permanent --zone=internal --add-service=tftp
firewall-cmd --permanent --zone=internal --add-service=dns
firewall-cmd --permanent --zone=internal --add-service=http
firewall-cmd --permanent --zone=internal --add-service=nfs
firewall-cmd --permanent --zone=internal --add-service=ssh
firewall-cmd --permanent --zone=internal --add-service=mountd
firewall-cmd --permanent --zone=internal --add-service=rpc-bind
firewall-cmd --complete-reload
firewall-cmd --list-all-zones

Add ports to the internal firewall to allow functionality such as SLURM, NFS and Ganglia

firewall-cmd --permanent --zone=internal --add-port=6817/tcp
firewall-cmd --permanent --zone=internal --add-port=6817/udp
firewall-cmd --permanent --zone=internal --add-port=6818/tcp
firewall-cmd --permanent --zone=internal --add-port=6818/udp
firewall-cmd --permanent --zone=external --add-service=http
firewall-cmd --permanent --zone=external --add-service=https
firewall-cmd --permanent --zone=internal --add-port=8660/tcp
firewall-cmd --permanent --zone=internal --add-port=8661/tcp
firewall-cmd --permanent --zone=internal --add-port=8662/tcp
firewall-cmd --permanent --zone=internal --add-port=8663/tcp
firewall-cmd --permanent --zone=internal --add-port=8660/udp
firewall-cmd --permanent --zone=internal --add-port=8661/udp
firewall-cmd --permanent --zone=internal --add-port=8662/udp
firewall-cmd --permanent --zone=internal --add-port=8663/udp
firewall-cmd --permanent --zone=internal --add-port=8651/udp
firewall-cmd --permanent --zone=internal --add-port=8651/tcp
systemctl restart firewalld
Retrieved from "http://wiki.define-technology.com/mediawiki-1.35.0/index.php?title=OpenHPC:_Configure_Firewalld&oldid=17991"