TUSK Firewall Defaults
TUSK servers only need a few services exposed to the local network, or the network at large. They are:
- SSH port 22/tcp - This provides shell access for system management. Access should be restricted to only internal hosts or networks: TUSK servers that are exposed to the Internet should not leave SSH exposed to anything but local administrative accounts and servers, to protect them.
- HTTP port 80/tcp - Basic web service port. This is typically accessible to the entire local network or to the Internet at large for public sites.
- HTTPS port 443/tcp - Encrypted web service port. This handles secured web traffic, and should be exposed to the same entire local network or the Internet at large.
- MySQL port 3306/tcp - Database access for TUSK. This should allow access only to the TUSK web servers and to designated MySQL slaves for backup or failover access.
- DO NOT DIRECTLY EXPOSE MYSQL TO THE INTERNET AT LARGE.
- NFS - TUSK servers may be NFS clients of a NAS or storage server, to allow the TUSK hosts to share uploaded data. This storage should be only accessible from the TUSK servers.
- DO NOT DIRECTLY EXPOSE NFS TO THE INTERNET AT LARGE.
No other ports are required. Optional ports that may be useful for monitoring include:
- SNMP port 161/udp - Local monitoring tools like MRTG or rrdtool may need this, but the service should be restricted to password protected access only from local hosts or local VLANS.
- NRPE port 5666/tcp - Nagios or Icinga can use NRPE for running local Nagios checks or shell commands. Configure with caution: the "nrpe.cfg" file can also be used to restrict NRPE access.
Custom MySQL IPtables Firewall
- Create a customized, root-owned /etc/sysconfig/iptables.mysql file with something like this content:
-A INPUT -i eth0 -p tcp -s 10.250.159.0/25 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -s 184.108.40.206/16 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
- The 10.250.159.0/25 rule restricts access to the front end ports of the Summer St. VLAN 168.
- The 220.127.116.11/16 rule restricts access to the internal Tufts VLAN's, without limit.
- Seriously consider refining these rules to allow only designated hosts for production environments.
- Run the "system-config" tool to add this rule.
- The tool is "system-config-securitylevel" on RHEL or CentOS 5.
- The tool is "system-config-firewall-tui" on RHEL or CentOS 6.
- Select to customize the firewall.
- Keep passing through the screens until asked to "Use custom rules"
- Add a new rule, if necessary.
- The "Protocol Type" is "tcp".
- The "Firewall Table" is "filter".
- The "File" is "/etc/sysconfig/iptables.mysql".
- Make sure that a way to log directly into the console exists, firewall mistakes can interrupt services.
- Restart iptables.
/sbin/chkconfig --list iptables
/sbin/service iptables restart
- Test the rules.