한국어

네트워킹

온누리070 플레이스토어 다운로드
    acrobits softphone
     온누리 070 카카오 프러스 친구추가온누리 070 카카오 프러스 친구추가친추
     카카오톡 채팅 상담 카카오톡 채팅 상담카톡
    
     라인상담
     라인으로 공유

     페북공유

   ◎위챗 : speedseoul


  
     PAYPAL
     
     PRICE
     

pixel.gif

    before pay call 0088 from app


http://www.datastax.com/support-forums/topic/iptables-rules-for-datastax-enterprise




There is no official guide on how to configure iptables with DSE...mostly because there is no one way to do it. There are several different ports that are used for different purposes. Some absolutely must be opened in firewall for internode communication, others are optional depending on the tools that you want to use and from where. I'm afraid that the document you quoted is a little too harsh in its wording on requiring all of those ports open for Cassandra to function.

Note: all the ports listed below are TCP ports.

For internode communication:

You must have port 7000 open between all nodes.

Other ports:

7199, 1024+ (the most annoying line for any firewall admin) - These ports are used to open a JMX connection to the cassandra node. So, if you want to use a JMX client to connect to a cassandra node, you need to open these ports for the source IP address of the machine the client is running on. Examples of JMX clients are: JConsole and nodetool. You could have one trusted machine which you run these commands from and have all of the cassandra nodes open these TCP ports to *only* this trusted machine (or small set of machines).

9160 - This is the thrift client port. It is used by utilities like cqlsh, the cassandra-jdbc driver, pycassa and other thrift clients. This port will have to be opened for communications between machines these clients are operating on and the cassandra nodes.

About how to configure iptables. Here is what I usually do (it may or may not work for your level of paranoia, but it will give you a start):

So, first, a bit on TCP and UDP communications: UDP messages are stateless and do not require any set up of a connection before sending a message. TCP on the other hand are stateful. A connection must be set up before any messages containing data are accepted (by the machine's kernel). So, when setting up a firewall for TCP connections, if you do not let the message that sets up the connection through the firewall, you are effectively disallowing any data packets to the port in question. The packet that sets up the connection is a TCP packet with the SYN bit set, and the ACK, RST, and FIN bits cleared. This packet needs to be stopped in order to stop a connection from being set up. So, for TCP, I usually allow all packets except for ones with the SYN bit set (and ACK, RST, and FIN cleared) whose destination port is not to be opened.

Another note. iptables has several tables and chains in these tables. We will be modifying the default table of: filter and chain: INPUT.

For example to close all ports except for SSH (port 22) to the machine from anywhere, you can use the following rules:

iptables --append INPUT --proto tcp --destination-port 22 --syn -j ACCEPT
iptables --append INPUT --proto tcp --syn -j DROP

It creates the following rules:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sshflags: FIN,SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN

Note, the default policy is still ACCEPT. This means accept all packets for already connected TCP connections, and drop all new connection requests except for to port 22 from any source IP address. You could also specify a source IP address in your iptables rule to open port 22 (in order to make it more restrictive):

iptables --append INPUT --proto tcp --destination-port 22 --source address[/mask][,...] --syn -j ACCEPT

So, for cassandra, you need to open 7000 on each cassandra node to other nodes in the cluster. You can specify the source by individual machines or by a whole subnet.

조회 수 :
81186
등록일 :
2014.02.26
15:33:32 (*.251.139.148)
엮인글 :
http://www.webs.co.kr/index.php?document_srl=38852&act=trackback&key=4e9
게시글 주소 :
http://www.webs.co.kr/index.php?document_srl=38852
List of Articles
번호 제목 글쓴이 날짜 조회 수sort
» iptables rules tcp drop all port except tcp 22 admin 2014-02-26 81186
92 Centos net install web http admin 2012-03-02 80681
91 Linux 시스템 백업과 복원 admin 2012-02-28 76215
90 한국인/국내기업은 얼마나 Linux Kernel에 기여할까? admin 2012-04-29 75816
89 Linux 시스템 백업과 복원 admin 2013-04-04 73326
88 리눅스 부팅시 시작시 프로그램 명령어 실행하기 (Linux Init script) admin 2017-08-30 72106
87 OpenVPN - Getting started How-To admin 2017-09-20 66401
86 How to install a Debian 9 (Stretch) Minimal Server 데비안 9 설치 admin 2018-06-13 63221
85 useradd Command 리눅스 admin 2017-12-15 62619
84 Which is better, GCC or Clang? admin 2018-06-13 62548
83 윈도우 2003 작업 스케줄러 설정 admin 2011-12-16 46901
82 How To Install Java with Apt-Get on Ubuntu 16.04 oracle java admin 2017-10-13 46890
81 FREE RADIUS 활용및 응용 admin 2013-02-23 46715
80 apt-get install linux-image-2.6.26-2-686-bigmem admin 2015-06-27 46605
79 How to disable IPv6 in Debian Lenny and Squeeze admin 2011-12-29 44778
78 How to disable IPv6 in Debian , 리눅스 아이피설정 admin 2011-12-16 44611
77 [Linux/SSL] 리눅스 서버에 Apache 2 설치 및 SSL 설정하기(mod_ssl, openssl) admin 2012-04-15 41884
76 How to install Java on linux with no Internet connectivity (using local repository) admin 2017-10-01 41777
75 kali linux 해킹 hacking attack DDOS etc tools admin 2015-06-24 41284
74 리눅스 네트워크 설정 LINUX admin 2011-12-19 41209
73 scp, ssh, rsync등을 사용할때에 SSH 비밀번호 묻는것 피하기 admin 2012-04-15 40692
72 모든 CPU 벤치마크 수치 admin 2011-12-16 40508
71 linux 파티션 디렉토리 용량 확인방법 전체 폴더 크기 사이즈 admin 2012-01-05 40205
70 Debian CD DVD 다운로드 링크 헤메지말고 바로 다운로드하지요 admin 2012-08-18 38581
69 리눅스에서 자바(JDK) 설치하기 admin 2013-04-08 38144
68 SSH Without Authentication Using Key Files (CentOS 5.6) admin 2013-11-22 38125
67 리눅스 네트워크 설정 멸령어 Linux admin 2013-04-08 37839
66 seagate HD 시게이트 하드 디스크 A/S 에이에스 기간 조회 및 받는 3가지 방법 admin 2013-12-09 37790
65 scp 명령어를 이용한 파일 복사 및 전송 admin 2014-10-29 37715
64 암호 없이 SSH 접속하기 admin 2013-09-05 37606