Sunhux G
2015-06-18 13:57:14 UTC
I have many tenants in our cloud using RHEL 5.x/6.x & Solaris x86:
some tenants enable/use iptables while some disable/don't;
similarly for Solaris x86 tenants.
I have a common service which I need to permit rules in iptables
(for RHEL VMs) regardless of whether the tenant is currently
using iptables or not (i.e. just leave the rules there, and if one day
the tenant decides to enable/use iptables, the rules to allow the
common service will already be there).
Requirements:
==========
a) permit a rule to allow Tcp4120 from current tenant VM to 172.21.3.a
b) permit a rule to allow Tcp4118 from 172.21.3.a to the current tenant VM
By "current tenant VM", it needs to be applied on all the network
interfaces.
Are the commands below correct?
# /sbin/iptables -A RH-Firewall-1-OUTPUT -p tcp --dport 4120 -d 172.21.a.b -j ACCEPT
# /sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 4118 -d localhost -j ACCEPT
# /sbin/service iptables save <== this creates /etc/sysconfig/iptables if it's absent?
******************************************************************************************
Sorry this is off-topic for Solaris iptables, but I would appreciate anyone who can help:
I refer to examples in links below but I'm still confused:
http://docs.oracle.com/cd/E23824_01/html/821-1453/ipfilter-admin-2.html
http://docs.oracle.com/cd/E23824_01/html/821-1453/eubbd.html
Q1:
So do I just add the following lines to the top (not the bottom, right?) of /etc/ipf/ipf.conf?
pass in log (quick) on "all_interfaces" proto tcp from 172.21.a.b to "all_interfaces" port = 4118 keep state
pass out log (quick) on "all_interfaces" proto tcp from "all_interfaces" to 172.21.a.b port = 4120 keep state
Q2:
What's the purpose of "quick" in the above rules? What's the difference if it's absent or present?
Q3:
As our Solaris x86 VMs have about four interfaces, can someone substitute "all_interfaces" in the above rules with the actual global value? I reckon there must be an actual Solaris implementation value that refers to "all interfaces"; if there's none, let me know so that I can repeat it four times for all the four interfaces.
Q4:
What's the purpose of "keep state"? Is it needed in my case?
Q5:
If ipf.conf is not present in the /etc/ipf folder, does this mean ipfilter (as given by 'svcs -a |grep -i ipfilter') is offline?
Q6:
If it's offline and I just create the absent ipf.conf file anyway, so that one day if ipfilter is onlined/used the rules will already be there? If ipfilter is offline, no harm creating ipf.conf, right?
Did I miss out anything in my assumptions?
--
redhat-list mailing list
unsubscribe mailto:redhat-list-***@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
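An added example, not code from the original post or from any of the linked documents: it generates the two allow rules asked about above in both the RHEL iptables and the Solaris IPFilter dialect from a single peer address, and places them idempotently so the same script can run on tenants that have the filter on or off. The address 172.21.3.9, the chain-name parameter and the prepend_missing helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: the two allow rules for one
# tenant VM in both dialects, generated from a single peer address. 172.21.3.9
# used in the comments/tests is a constructed stand-in for the host 172.21.3.a.
set -eu

valid_ipv4() {   # dotted quad only; a placeholder such as 172.21.a.b never reaches the firewall
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# RHEL commands. CHAIN is RH-Firewall-1-INPUT on RHEL 5 and plain INPUT on the
# RHEL 6 default ruleset. The inbound rule is inserted (-I) at position 1: both
# default chains end in a REJECT, so an ACCEPT appended with -A never matches.
# The inbound match is on the packet's source (-s PEER); "-d localhost" would
# only match traffic addressed to 127.0.0.1. "service iptables save" writes the
# running rules to /etc/sysconfig/iptables, creating the file if it is absent.
rhel_rules() {
    chain="$1" peer="$2"
    valid_ipv4 "$peer" || return 1
    printf '/sbin/iptables -I %s 1 -s %s -p tcp --dport 4118 -j ACCEPT\n' "$chain" "$peer"
    printf '/sbin/iptables -A OUTPUT -d %s -p tcp --dport 4120 -j ACCEPT\n' "$peer"
    printf '/sbin/service iptables save\n'
}

# Solaris IPFilter lines. A rule without an "on <interface>" clause applies to
# every interface, so nothing is repeated per NIC. "quick" makes the rule final
# for a matching packet (without it the LAST matching rule in the file wins);
# "keep state" admits the reply packets of the connection without a mirror rule
# in the other direction. Being "quick" rules they belong at the top of
# ipf.conf, ahead of any "block ... quick" rule that would otherwise win.
ipf_rules() {
    peer="$1"
    valid_ipv4 "$peer" || return 1
    printf 'pass in quick proto tcp from %s to any port = 4118 flags S keep state\n' "$peer"
    printf 'pass out quick proto tcp from any to %s port = 4120 flags S keep state\n' "$peer"
}

# prepend_missing FILE RULE...: put each rule not already present in FILE at its
# top, creating FILE if absent. Re-running it is a no-op, so it is safe to apply
# on every tenant whether or not the filter service is online at the time.
prepend_missing() {
    file="$1"; shift
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"; : > "$tmp"
    for rule; do
        grep -qxF -- "$rule" "$file" || printf '%s\n' "$rule" >> "$tmp"
    done
    cat "$file" >> "$tmp" && mv "$tmp" "$file"
}
```

On a RHEL tenant the three lines printed by rhel_rules are run as root; on a Solaris tenant the two ipf_rules lines are placed into /etc/ipf/ipf.conf with prepend_missing and, if the service is online, reloaded with ipf -Fa -f /etc/ipf/ipf.conf.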