TUSK Firewall Defaults

TUSK servers only need a few services exposed to the local network, or the network at large. They are:

No other ports are required. Optional ports that may be useful for monitoring include:

Custom MySQL IPtables Firewall

  1. Create a customized, root-owned /etc/sysconfig/iptables.mysql file with something like this content:
    -A INPUT -i eth0 -p tcp -s 10.250.159.0/25 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p tcp -s 130.64.0.0/16 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    1. The 10.250.159.0/25 rule restricts MySQL access to the front-end ports of the Summer St. VLAN 168.
    2. The 130.64.0.0/16 rule restricts MySQL access to the internal Tufts VLANs, without any further limit.
    3. Seriously consider refining these rules to allow only designated hosts in production environments.
  2. Run the "system-config" tool to add this rule.
    1. The tool is "system-config-securitylevel" on RHEL or CentOS 5.
    2. The tool is "system-config-firewall-tui" on RHEL or CentOS 6.
    3. Select to customize the firewall.
      1. Keep passing through the screens until asked to "Use custom rules"
      2. Add a new rule, if necessary.
        1. The "Protocol Type" is "tcp".
        2. The "Firewall Table" is "filter".
        3. The "File" is "/etc/sysconfig/iptables.mysql".
  3. Make sure that a way to log directly into the console exists; a firewall mistake can cut off remote access and interrupt services.
  4. Restart iptables.
    /sbin/chkconfig --list iptables
    /sbin/service iptables restart
    
  5. Test the rules.