Not sure if this is in the right forum or not. We are running a clustered A-I-O deployment, where we have N+1 Morpheus appliances, and each appliance runs the full stack (Elastic, Percona, Rabbit, Tomcat, et al).
Is it recommended to use FirewallD on these nodes? Or iptables?
I want to restrict certain services (ports), to only the N+1 cluster members, so that people cannot scan these appliances and see the ports for Percona, Elastic, et al.
Does anyone have a suggestion on whether iptables or FirewallD should be used, and, even better, a configuration that I can use as a basis for configuring my own system properly?
You can use firewalld or iptables. We don’t provide the configuration commands to configure your firewall, but I have provided some guidance below when using iptables.
All of the required ports and access requirements can be found in the documentation here:
If you are using iptables and you want to block all incoming traffic and only allow the required ports for Morpheus, you should follow the procedure below:
1. Set the default INPUT chain policy to DROP
On install, Morpheus configures the default iptables INPUT chain policy to ACCEPT and applies an allow rule for ssh.
If you run iptables -L immediately after installing Morpheus and running the initial reconfigure, you will see these rules.
If you want to DROP incoming traffic apart from the ports you have specified as iptables rules, then you need to run the following command:
morpheus-ctl firewall-enable-blocking
This command will update the /etc/morpheus/ipv4-rules.conf file and configure the default INPUT chain policy to DROP.
2. Configure the required firewall rules for your use case.
3. Save the iptables configuration with the following command:
iptables-save > /etc/morpheus/ipv4-rules.conf
4. The next time you run a morpheus-ctl reconfigure, it will preserve your configured iptables rules.
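As an added example (not from this thread and not Morpheus' own tooling), here is a POSIX shell function that emits a ruleset in the iptables-save format the procedure above writes to /etc/morpheus/ipv4-rules.conf: default INPUT policy DROP, SSH and the web ports open generally, and the backend ports reachable only from the other cluster members. The peer addresses and the port numbers are assumptions for illustration; take the real port list from the Morpheus documentation.

```shell
#!/bin/sh
# Generates an iptables-save style ruleset for one Morpheus A-I-O cluster node.
# Peer addresses and port numbers are constructed examples; check the Morpheus
# port documentation for the real list. The output can be written to
# /etc/morpheus/ipv4-rules.conf and loaded with iptables-restore.

# Ports only the other cluster members should reach (assumed values).
CLUSTER_PORTS="3306 9200 9300 4369 5672 25672"
# Ports the whole network may reach: SSH and the Morpheus UI/API (assumed).
PUBLIC_PORTS="22 80 443"

# Usage: gen_rules PEER_IP [PEER_IP...]
# Prints the ruleset to stdout; it does not touch the running firewall.
gen_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # default DROP, as firewall-enable-blocking sets
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p icmp -j ACCEPT'
    for p in $PUBLIC_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Backend ports: one allow rule per (peer, port), nothing for anyone else.
    for peer in "$@"; do
        for p in $CLUSTER_PORTS; do
            echo "-A INPUT -s $peer/32 -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # Log a rate-limited sample of what the DROP policy catches, so port
    # scans against the backend services show up in syslog.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    echo 'COMMIT'
}

# Counts the per-peer allow rules in a ruleset read from stdin (sanity check:
# it should equal number of peers x number of cluster ports).
count_peer_rules() {
    grep -c -- '-s [0-9.]*/32'
}

if [ "$#" -gt 0 ]; then
    gen_rules "$@"
fi
```

Review the generated file, then load it with iptables-restore on each node before saving it to /etc/morpheus/ipv4-rules.conf as the procedure above describes.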
I think I will probably go out with some iptables rules, since FirewallD is a bit more complicated to use when the rules get more complicated (you need to use direct, et al).
So you’re saying that once I get my rules up, I should save them in that file, and run a morpheus-ctl reconfigure?
I didn’t want to load iptables rules, and have my rules fight with whatever Morpheus is doing.
Correct, once you have set up the rules, run the iptables-save command and save the rules to /etc/morpheus/ipv4-rules.conf. If you don’t save the rules, the next time you run a morpheus-ctl reconfigure, the rules you have added will not be applied.
You don’t need to run a morpheus-ctl reconfigure after saving the rules, but doing so will confirm that your rules have saved successfully.
I drafted up some iptables rules. I will test those out in our lab and make sure nothing gets blocked with those rules. If I run a morpheus-ctl reconfigure, I have to stop Morpheus first, right?