-
Notifications
You must be signed in to change notification settings - Fork 140
/
config_firewall.html.md.erb
118 lines (86 loc) · 5.08 KB
/
config_firewall.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
---
title: Preparing Your Firewall
owner: Ops Manager
---
This topic describes how to configure your firewall and how to verify that component VMs correctly resolve DNS entries behind your firewall.
## <a id='firewall_configuration'></a> Configure Your Firewall
<%= vars.ops_manager %> and <%= vars.app_runtime_full %> (<%= vars.app_runtime_abbr %>) require the following open TCP ports:
* **25555:** Routes from <%= vars.ops_manager %> VM to the BOSH Director.
* **443:** Routes to HAProxy or, if configured, your own load balancer.
* **80:** Routes to HAProxy or, if configured, your own load balancer.
* **8844:** Routes from <%= vars.ops_manager %> VM to BOSH CredHub.
* **8443:** Routes from <%= vars.ops_manager %> VM to BOSH Director UAA.
* **6868:** Routes to the BOSH Agent.
* **2222:** Necessary for using App SSH. For more information, see [How Diego Runs an App](../concepts/diego/diego-architecture.html#diagram) in _Diego Components and Architecture_.
* **25595:** Routes from the Traffic Controller to the BOSH Director, to enable sending BOSH health metrics to the Firehose.
UDP port 123 must be open if you want to use an external NTP server.
For more information about required ports for additional installed products, see [Network Communication Paths in <%= vars.platform_name %>](https://docs.pivotal.io/ops-manager/<%= product_info['local_product_version'].to_s.sub('.','-') %>/security/networking/index.html#net_commpaths) in _Network Security_.
### <a id='example'></a> Example: Configure Firewall with iptables
The following example procedure uses `iptables` commands to configure a firewall.
<p class="note"><strong>Note:</strong> <code>GATEWAY_EXTERNAL_IP</code> is a placeholder. Replace this value with your <code>PUBLIC_IP</code>.</p>
1. Open `/etc/sysctl.conf`, a file that contains configurations for Linux kernel settings, by running:
```
sudo vi /etc/sysctl.conf
```
1. Add the line `net.ipv4.ip_forward=1` to `/etc/sysctl.conf` and save the file.
1. To remove all existing filtering or Network Address Translation (NAT) rules, run:
```
iptables --flush
iptables --flush -t nat
```
1. Add environment variables to use when creating the IP rules by running:
```
export INTERNAL_NETWORK_RANGE=10.0.0.0/8
export GATEWAY_INTERNAL_IP=10.0.0.1
export GATEWAY_EXTERNAL_IP=203.0.113.242
export VMWARETANZU_IP=10.0.0.2
export HA_PROXY_IP=10.0.0.254
```
1. To configure IP rules for the specified chains, run:
* **FORWARD:**
```
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
```
* **POSTROUTING:**
```
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -d $HA_PROXY_IP -s $INTERNAL_NETWORK_RANGE \
-p tcp --dport 80 -j SNAT --to $GATEWAY_INTERNAL_IP
iptables -t nat -A POSTROUTING -d $HA_PROXY_IP -s $INTERNAL_NETWORK_RANGE \
-p tcp --dport 443 -j SNAT --to $GATEWAY_INTERNAL_IP
```
* **PREROUTING:**
```
iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport \
25555 -j DNAT --to $VMWARETANZU_IP
iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport \
443 -j DNAT --to $HA_PROXY_IP
iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport \
80 -j DNAT --to $HA_PROXY_IP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8443 -j DNAT \
--to $VMWARETANZU_IP:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT \
--to $HA_PROXY_IP:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8022 -j DNAT \
--to $VMWARETANZU_IP:22
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT \
--to $VMWARETANZU_IP:80
```
1. Save the iptables by running:
```
service iptables save
```
For more information about administering IP tables with `iptables`, see the [iptables documentation](http://ipset.netfilter.org/iptables.man.html).
## <a id='DNS_fails'></a> Verify that Component VMs Resolve DNS Entries Behind Your Firewall
When you install <%= vars.platform_name %> in an environment that uses a strong firewall, the firewall might block DNS resolution. For example, if you use xip.io to test your DNS configuration, the tests fail without warning if the firewall prevents <%= vars.app_runtime_abbr %> from accessing `*.xip.io`.
To verify that component VMs can correctly resolve DNS entries:
1. SSH into the <%= vars.ops_manager %> VM.
For more information, see [Log in to the Ops Manager VM with SSH](./trouble-advanced.html#ssh) in _Advanced Troubleshooting with the BOSH CLI_.
1. Run any of the following network administration commands with the IP address of the VM:
* `nslookup`
* `dig`
* `host`
* The appropriate `traceroute` command for your OS
1. Review the output of the command and fix any blocked routes. If the output displays an error message, review the firewall logs to determine which blocked route or routes you need to clear.
1. Repeat steps 1-3 with the BOSH Director VM and the HAProxy VM.