Minicluster:Firewall
The firewall can use IPTables to forward packets between the Internet and the internal network. IPTables is the interface to changing the built in netfilter firewall built into the Linux kernel. We'll also use IPTables to forward SSH requests for the firewall to the head node, making the firewall transparent. (Users of the cluster should interact with the head node, not the firewall.)
For my example (see Network Topology), this means that users will see something like the following. They specify the address of my firewall, eyrie, but then are deposited onto gyrfalcon, my head node.
kwanous@cassowary:~$ ssh eyrie.X.X.edu kwanous@eyrie.X.X.edu's password: Linux gyrfalcon 2.6.18-4-486 #1 Wed May 9 22:23:40 UTC 2007 i686 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. kwanous@gyrfalcon:~$
Most newer version of Debian (etch, sid, lenny) come with iptables installed. However, to make sure iptables installed with the latest version, run
-
apt-get install iptables
Índice
Configuring IPTables
IPTables is generally configured from the command line; it isn't read from a file. To make changes that "stick" after a reboot, a bash script run at startup can be used to enter all the configuration commands. We've already created a script for you - IPTables Script. Download this, save it as local
, place it in /etc/init.d/
, then change its status to be executable (chmod +x local/code>).
Next the file needs to be symlinked to a place where it will be loaded as the firewall is started up. Debian stores the files loaded during runtime in <code>/etc/rc*.d, where * is the runlevel: 0, 1, 2, 3, 4, 5, 6, or S. In Debian, run level 2 is the normal run level. /etc/rcS.d
stores the scripts that are run regardless of the run level. Within a given run level directory, the scripts are run in order of lowest to highest numbered. Symlinks that start with S
are executed with the argument start
, K
(for kill) ones are executed with stop
.
To be the most secure and not allow any slips while the server is started up, the local
script needs to be executed before the networking script. Networking is S40networking
, so S39
will do. Symlink the file with
-
ln -s /etc/init.d/local /etc/rcS.d/S39local
or to /etc/rc2.d/S39local
if you prefer.
Understanding the Iptables Commands
This iptables commands in the script use bash variables set earlier in the script, but they could just as easily be specified in plain within the script. Be sure to change the values to fit your network. $LOCALNET
should be the IP range of the local network specified as a CIDR mask, and $EXTERNIP should be the IP address for the firewall's external interface. $SSHHOST should be the head node's IP address.
Source Network Address Translation (SNAT)
The first iptables command does the SNAT - translating packets generated by computers on the internal interface to go out to the Internet. Any machines seeing packets on the Internet from the cluster will see them as coming from the firewall, and they will respond to the firewall. Rather than accepting the packets themselves, the firewall them forwards them to the inside of the network.
iptables -t nat -A POSTROUTING -d ! ${LOCALNET} -j SNAT --to ${EXTERNIP}
-
-t nat
specifies that this rule's type is network address translation (NAT), aka IP masquerading -
-A POSTROUTING
appends a rule to thePOSTROUTING
chain, meaning it will be processed after all the other possible processing has been done -
-d ! ${LOCALNET}
means any packets destined for an IP not within${LOCALNET}
-
-j SNAT
means to jump to the SNAT rule -
--to ${EXTERNIP}
specifies that any packets leaving will assume the IP${EXTERNIP}
All together in English, this rule says to take any packets not destined for sources within the internal network and send them out to their destination on the outside network after changing the source destination IP address to the firewall's IP.
Destination Network Address Translation (DNAT)
This rule does just the opposite. It takes SSH packets coming in from the Internet and sends them along to the head node.
iptables -t nat -A PREROUTING --dst ${EXTERNIP} -p tcp --dport 22 -j DNAT --to-destination ${SSHHOST}
-
-t nat
specifies network address translation (NAT), aka IP masquerading -
-A PREROUTING
appends a rule to thePREROUTING
chain, meaning that this will take affect before any rules have a chance to work on the packet -
--dst ${EXTERNIP}
specifies original the destination of the packet (to the firewall) -
-p tcp
specifiestcp
as the protocol -
--dport 22
specifies the destination port of the packet -
-j DNAT
means to jump to the rule DNAT to do the destination network address translation
In English, this means to take any packets addressed to the firewall that are TCP packets on port 22 (SSH), change their destination to the head node, and forward them on to the internal network. This could be changed to forward all tcp packets inside by removing --dport 22
, but a firewall that forwards everything inside the internal network wouldn't be much of a firewall.
Starting and Stopping NAT
Since the local
script has been symlinked into the /etc/rcS.d/
or /etc/rc2.d/
directory, it will automatically load at boot. To start and stop the script from the command line, use
/etc/init.d/local start
or
/etc/init.d/local stop
Since this script is responsible for allowing the nodes inside the firewall their Internet access, be advised that stopping this script will kill the Internet connection to any machines behind the firewall.
References
- Kirch, Olaf, and Terry Dawson. Linux Network Administrator's Guide. 2nd ed. Sebastopol, CA: O'Reilly Media, Inc., 2000.
- Brockmeier, Joe "Zonker", Dee-Ann LeBlanc, and Ronald W. McCarty, Jr.. Linux Routing. 1st ed. Indianapolis: New Riders, 2001.
- http://www.5dollarwhitebox.org/wiki/index.php/Howtos_Basic_IPTables
- http://www.linux-mag.com/id/282/