To restrict the ports, follow the steps below:
Note: Perform these steps on all nodes.
- Create a file named post, using the command:
vi /usr/local/horizon/conf/iptables/post
- Add the following content to the file created in step 1:
POST_tcp_all=""
POST_tcp_vapp="5432 9999 9000 9898 9694"
POST_udp_all=""
POST_udp_vapp=""
- Create the enable.post flag file and set the required permissions, using the commands:
touch /usr/local/horizon/conf/flags/enable.post
chmod 644 /usr/local/horizon/conf/flags/enable.post
- Ensure the file has read/write access, using the command:
Example:
# ls -lat /usr/local/horizon/conf/flags/enable.post
-rw-r--r-- 1 root root 0 Apr 28 18:25 /usr/local/horizon/conf/flags/enable.post
- Open the file iptables.cfg, using the command:
vi /usr/local/horizon/conf/iptables.cfg
Replace the line:
IPTABLE_tcp_all=" 5432 9999 9000 9898 9694 443 80"
with
IPTABLE_tcp_all="443 80"
- Open the file ipRedirect.sh, using the command:
vi /usr/local/horizon/scripts/ipRedirect.sh
Replace the line:
IP=`/sbin/ip -o -f inet addr show dev ${IFC} | awk '{ print $4 }'| sed -e 's/\/.*$//'`
with
IP=`/sbin/ip -o -f inet addr show dev ${IFC} | grep -v secondary | awk '{ print $4 }'| sed -e 's/\/.*$//'`
- Run the following command to update the iptables rules:
/usr/local/horizon/scripts/updateiptables.hzn
- To verify that the ports are open only to the required cluster nodes, run:
iptables -L -n --line-numbers | grep :<port>
Example:
# iptables -L -n --line-numbers | grep :5432
15 ACCEPT tcp -- Node1 0.0.0.0/0 tcp dpt:5432 ctstate NEW,ESTABLISHED
16 ACCEPT tcp -- Node2 0.0.0.0/0 tcp dpt:5432 ctstate NEW,ESTABLISHED
17 ACCEPT tcp -- Node3 0.0.0.0/0 tcp dpt:5432 ctstate NEW,ESTABLISHED
15 ACCEPT tcp -- Node1 0.0.0.0/0 tcp spt:5432 ctstate ESTABLISHED
16 ACCEPT tcp -- Node2 0.0.0.0/0 tcp spt:5432 ctstate ESTABLISHED
17 ACCEPT tcp -- Node3 0.0.0.0/0 tcp spt:5432 ctstate ESTABLISHED
Note: Repeat this command for the other ports to confirm the same.
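The manual grep above has to be repeated for every port; the script below, added here as an example and not part of the original article or the appliance scripts, checks the whole restricted port list in one pass over an `iptables -L -n --line-numbers` listing and reports any port that still has an ACCEPT rule with source 0.0.0.0/0. The listing and node addresses are constructed sample data.

```shell
#!/bin/sh
# Added example: audit the vApp port list from the post file against an
# iptables listing. Any restricted port that is still accepted from
# 0.0.0.0/0 (any source) defeats the restriction.

PORTS="5432 9999 9000 9898 9694"   # same ports as POST_tcp_vapp above

# Constructed sample of `iptables -L -n --line-numbers`: 5432 is limited to
# three node addresses, 9999 still carries a wide-open ACCEPT rule.
SAMPLE='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  10.0.0.11            0.0.0.0/0            tcp dpt:5432 ctstate NEW,ESTABLISHED
2    ACCEPT     tcp  --  10.0.0.12            0.0.0.0/0            tcp dpt:5432 ctstate NEW,ESTABLISHED
3    ACCEPT     tcp  --  10.0.0.13            0.0.0.0/0            tcp dpt:5432 ctstate NEW,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9999 ctstate NEW,ESTABLISHED
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW,ESTABLISHED'

# open_sources LISTING PORT: print the source column (field 5 when
# --line-numbers is used) of every ACCEPT rule whose match is dpt:PORT.
open_sources() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $2 == "ACCEPT" { for (i = 1; i <= NF; i++) if ($i == "dpt:" port) print $5 }'
}

# check_port LISTING PORT: succeed only if no ACCEPT rule for PORT accepts
# from any source.
check_port() {
  if open_sources "$1" "$2" | grep -qx '0.0.0.0/0'; then
    return 1
  fi
  return 0
}

# wide_open_ports LISTING: list every restricted port that fails check_port.
wide_open_ports() {
  for p in $PORTS; do
    check_port "$1" "$p" || printf '%s\n' "$p"
  done
}

# On an appliance, replace "$SAMPLE" with "$(iptables -L -n --line-numbers)".
for p in $(wide_open_ports "$SAMPLE"); do
  echo "WARNING: tcp/$p still accepts connections from any source"
done
```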