SwarmNFS 2.x - Access to Elasticsearch (IPTables)

When Swarm components, such as SwarmNFS servers, run on machines that have no direct access to the private network, you must make your Elasticsearch nodes accessible on the public network. Those ES nodes and their data must be protected, and IPTables is one method of securing the ES nodes from unwanted access.

These are the types of access needed to the Elasticsearch nodes:

  • Content Gateway, CSN, Swarm Storage nodes, other ES nodes — internal, private network (control via ACCEPT on the private interface)
  • SwarmNFS servers — public network (specify which IPs on the public interface)
  • Elasticsearch management — allow port 22 access on the public network for ES node management

Public Access via IPTables

Below are examples of how IPTables can be defined to allow SwarmNFS servers to access Elasticsearch nodes. These examples were derived from wiki.centos.org/HowTos/Network/IPTables. The example assumes these interfaces on ES nodes:

  • local: lo
  • public: eth0
  • private: eth1
# Flush all current rules from IPTables:
#
iptables -F
#
# Allow SSH connections on TCP port 22 (for working on remote servers via SSH, to prevent getting locked out):
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# Accept TCP packets on destination port 22 (SSH) from private LAN:
#
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
#
# Set default policies for INPUT, FORWARD, and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Allow full access on internal private network:
#
iptables -A INPUT -i eth1 -j ACCEPT
#
# Accept packets from trusted IP addresses, changing IP address as appropriate:
#
iptables -A INPUT -s 192.168.0.4 -j ACCEPT
#
# Accept packets from a range of addresses using standard slash notation:
#
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
#
# Accept packets from a range of addresses using a subnet mask:
#
iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
#
# Tie a trusted IP address to its MAC address (only meaningful when that host is on the same Ethernet segment, since the MAC seen is the last hop's) to make IP spoofing harder; here limited to the ES port on the public interface:
#
iptables -A INPUT -s 192.168.0.4 -m mac --mac-source 00:50:8D:FD:E6:32 -i eth0 -p tcp --dport 9200 -j ACCEPT
#
# Set access for localhost:
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections:
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Save settings:
#
/sbin/service iptables save
#
# List rules:
#
iptables -L -v
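The following POSIX shell helper is an added example, not code from the DataCore page or the CentOS wiki. It renders the policy described above as an iptables-restore ruleset for one ES node (lo / eth0 public / eth1 private as listed above, ES HTTP port 9200 from the MAC-filter rule), opening the ES port on the public interface only to the SwarmNFS servers you list, and verifies each rule with iptables -C after loading. Function names and the SwarmNFS IPs are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper: render an iptables-restore ruleset for an Elasticsearch node.
ES_PORT=9200          # Elasticsearch HTTP port, as in the page's MAC-filter rule
PUBLIC_IF=eth0        # interface reachable by the SwarmNFS servers
PRIVATE_IF=eth1       # Gateway, CSN, storage nodes, other ES nodes

# es_ruleset "<space-separated SwarmNFS public IPs>" -> ruleset on stdout
es_ruleset() {
    nfs_ips=$1
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
    # Full access from the internal private network
    echo "-A INPUT -i $PRIVATE_IF -j ACCEPT"
    # ES node management: SSH on the public interface
    echo "-A INPUT -i $PUBLIC_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # Each SwarmNFS server gets the ES port only, and only on the public interface
    for ip in $nfs_ips; do
        echo "-A INPUT -i $PUBLIC_IF -s $ip -p tcp --dport $ES_PORT -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# es_ruleset_count "<ips>" -> number of ES-port rules emitted (one per SwarmNFS server)
es_ruleset_count() {
    es_ruleset "$1" | grep -c -- "--dport $ES_PORT"
}

# es_apply "<ips>" -> load the ruleset atomically (needs root), check it, then save
es_apply() {
    es_ruleset "$1" | iptables-restore || return 1
    for ip in $1; do
        iptables -C INPUT -i "$PUBLIC_IF" -s "$ip" -p tcp --dport "$ES_PORT" \
            -m state --state NEW -j ACCEPT \
            || { echo "rule for $ip missing" >&2; return 1; }
    done
    /sbin/service iptables save
}
```

Run `es_apply "10.0.0.11 10.0.0.12"` as root with your real SwarmNFS public addresses; `es_ruleset` alone lets you review the ruleset before loading it.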

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.