HowtoForge Forums > Linux Forums > Server Operation
  #1  
Old 23rd June 2006, 05:31
P Lao P Lao is offline
Junior Member
 
Join Date: Jun 2006
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts
How to harden a ldirector?

Hi,
I use high availability and load balancing with firewall marks, and I would like to use my ldirectors as firewall and harden them as much as I can.
I have tried to add firewall rules with iptables. I could add simple rules like:
iptables -A INPUT -s 0/0 -d 0/0 -p icmp -j DROP
to block pings, for example.

But what bothers me is that on my ldirectors, the default policy in my iptables is ACCEPT.
And when I try to change the default policy to DROP, it obviously interferes with the HA/load balancing setting, and the web site is no longer accessible, even if I add rules that would not be a problem for a server behind a firewall, but without HA/load balancing, like port forwarding for example (port forwarding is done by the HA setting now).

So what can be done to harden a ldirector? Can I set my policies to DROP and add some specific rules so that HA/load balancing still works? What are the minimum rules that a ldirector needs to work properly?

Thanks in advance for any advice.

PL
  #2  
Old 24th June 2006, 13:37
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,741 Times in 2,575 Posts

Did you have a look at these tutorials?
http://www.howtoforge.com/linux_iptables_sarge
http://www.howtoforge.com/custom_iptables_firewall
  #3  
Old 25th June 2006, 13:40
P Lao P Lao is offline
Junior Member
 
Join Date: Jun 2006
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts

Thanks for your answer,
Not those indeed (because I had a firewall OK without ldirector before and I tried to understand what needs to be open for a ldirector to work) but right away I am going to ...
  #4  
Old 28th June 2006, 16:22
P Lao P Lao is offline
Junior Member
 
Join Date: Jun 2006
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts

I think that you answered incidentally in the post "High Availability (Load Balancing) behind a firewall" indeed.
The best way not to try to add firewall rules that could interfere with a ldirector is to put the firewall on the apache nodes.
Of course this is about the case where we want to start from default policies set to DROP. If we start from default policies set to ACCEPT, it's easy to add rules like in the tutorials, even on the ldirectors, but in this case I never know what kind of thing I forgot to drop...
And knowing what an apache node needs to be open is obvious, whereas knowing what a ldirector needs to be open seems much less obvious to me.
PL
  #5  
Old 2nd July 2006, 06:00
P Lao P Lao is offline
Junior Member
 
Join Date: Jun 2006
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts
The answer, for the ldirector

Sorry to answer once again my own mail, but I found the answer so I think that might be of interest to other people.
I wasn't pleased not to understand why my ldirectors got strange and I lost access to my web site when I added standard firewall rules, but with the default to DROP, so I did a few tests, and the problem was (at least) that when there should be a swap between them, the last one didn't stop... which means that it's for heartbeat that something special needs to be open, not for ldirector itself.

The answer is on the HA FAQ:
http://www.linux-ha.org/FAQ#head-909...b4a3963b09b43b

How to use Heartbeat with Ipchains firewall?
To make Heartbeat work with [WWW] Ipchains, you must accept incoming and outgoing traffic on 694 UDP port. Add something like:
/sbin/ipchains -A output -i ethN -p udp -s <source_IP> -d <dest_IP> -j ACCEPT
/sbin/ipchains -A input -i ethN -p udp -s <source_IP> -d <dest_IP> -j ACCEPT

having added those rules on my ldirectors, everything works fine...
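Pulling the thread's conclusion together as an added example (this is not code from the thread, the HA FAQ, or the heartbeat/ldirectord projects): a default-DROP ruleset for a director that still lets heartbeat and the balanced service work. Every address, interface name and port list below is a constructed placeholder, and the comments state what the rules assume: that heartbeat runs as unicast UDP on port 694 between the two directors (from the FAQ quoted above), that LVS picks up client packets for the VIP only after the filter INPUT chain has accepted them, and that ldirectord's health checks are ordinary connections the director opens towards the real servers. OUTPUT is deliberately left at ACCEPT, because packets LVS forwards to the real servers are re-injected through the OUTPUT chain and tightening it needs extra rules per forwarding method.

```shell
#!/bin/sh
# Added example: a default-DROP iptables ruleset for an ldirectord/heartbeat
# director. All values below are constructed placeholders, not the thread's.

HB_IF="eth1"                 # interface carrying heartbeat traffic (assumption)
HB_PORT="694"                # heartbeat UDP port, as in the HA FAQ quoted above
THIS_DIRECTOR="192.168.10.1" # this director's heartbeat address (constructed)
PEER_DIRECTOR="192.168.10.2" # the other director's heartbeat address (constructed)
VIP="203.0.113.10"           # virtual IP that ldirectord balances (constructed)
REAL_NET="192.168.20.0/24"   # real (apache) servers, for health checks (constructed)
ADMIN_NET="192.168.30.0/24"  # network SSH administration comes from (constructed)
SERVICE_PORTS="80,443"       # balanced service ports (assumption)

# Print the ruleset in iptables-restore format. Nothing is applied here, so
# the output can be reviewed (or diffed against the running rules) first.
generate_ldirector_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-established flows
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# heartbeat: UDP $HB_PORT from the peer director, on the heartbeat interface only
-A INPUT -i $HB_IF -p udp -s $PEER_DIRECTOR -d $THIS_DIRECTOR --dport $HB_PORT -j ACCEPT
# the outgoing half is already covered by the ACCEPT policy; it is kept explicit
# so it survives if OUTPUT is tightened later (mirrors the HA FAQ)
-A OUTPUT -o $HB_IF -p udp -s $THIS_DIRECTOR -d $PEER_DIRECTOR --dport $HB_PORT -j ACCEPT
# balanced service: LVS takes the packet after INPUT has accepted it (assumption
# about the ip_vs hook order), so client traffic for the VIP must be allowed here
-A INPUT -p tcp -d $VIP -m multiport --dports $SERVICE_PORTS -m state --state NEW -j ACCEPT
# administration
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -j ACCEPT
# LVS-NAT only: replies from the real servers to clients traverse FORWARD
-A FORWARD -s $REAL_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Count the ACCEPT rules that mention the heartbeat port: a quick sanity check
# that the ruleset still contains what the thread found to be essential.
heartbeat_rule_count() {
    generate_ldirector_rules | grep -c -- "--dport $HB_PORT -j ACCEPT"
}

# Load the ruleset atomically (requires root and iptables-restore).
apply_ldirector_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ldirector_rules: must run as root" >&2
        return 1
    fi
    generate_ldirector_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_ldirector_rules ;;
    *)     generate_ldirector_rules ;;
esac
```

Run it without arguments to print the ruleset for review, and with `apply` as root to load it. If heartbeat is configured with `bcast` rather than `ucast`, the heartbeat rules need the broadcast address as destination instead of the peer's address; if the balanced service is defined by a firewall mark rather than the VIP, the INPUT rule for the service can match on `-m mark --mark <fwmark>` instead of `-d $VIP`. The ICMP DROP from the first post can be added to INPUT the same way, but note that with a DROP policy ICMP is already blocked unless explicitly accepted.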