http://www.datastax.com/support-forums/topic/iptables-rules-for-datastax-enterprise
There is no official guide on how to configure iptables with DSE...mostly because there is no one way to do it. There are several different ports that are used for different purposes. Some absolutely must be opened in firewall for internode communication, others are optional depending on the tools that you want to use and from where. I'm afraid that the document you quoted is a little too harsh in its wording on requiring all of those ports open for Cassandra to function.
Note: all the ports listed below are TCP ports.
For internode communication:
You must have port 7000 open between all nodes.
Other ports:
7199, 1024+ (the most annoying line for any firewall admin) - These ports are used to open a JMX connection to the cassandra node. So, if you want to use a JMX client to connect to a cassandra node, you need to open these ports for the source IP address of the machine the client is running on. Examples of JMX clients are: JConsole and nodetool. You could have one trusted machine which you run these commands from and have all of the cassandra nodes open these TCP ports to *only* this trusted machine (or small set of machines).
9160 - This is the thrift client port. It is used by utilities like cqlsh, the cassandra-jdbc driver, pycassa and other thrift clients. This port will have to be opened for communications between machines these clients are operating on and the cassandra nodes.
About how to configure iptables. Here is what I usually do (it may or may not work for your level of paranoia, but it will give you a start):
So, first, a bit on TCP and UDP communications: UDP messages are stateless and do not require any set up of a connection before sending a message. TCP on the other hand are stateful. A connection must be set up before any messages containing data are accepted (by the machine's kernel). So, when setting up a firewall for TCP connections, if you do not let the message that sets up the connection through the firewall, you are effectively disallowing any data packets to the port in question. The packet that sets up the connection is a TCP packet with the SYN bit set, and the ACK, RST, and FIN bits cleared. This packet needs to be stopped in order to stop a connection from being set up. So, for TCP, I usually allow all packets except for ones with the SYN bit set (and ACK, RST, and FIN cleared) whose destination port is not to be opened.
Another note. iptables has several tables and chains in these tables. We will be modifying the default table of: filter and chain: INPUT.
For example to close all ports except for SSH (port 22) to the machine from anywhere, you can use the following rules:
iptables --append INPUT --proto tcp --destination-port 22 --syn -j ACCEPTiptables --append INPUT --proto tcp --syn -j DROP
It creates the following rules:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:sshflags: FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYNNote, the default policy is still ACCEPT. This means accept all packets for already connected TCP connections, and drop all new connection requests except for to port 22 from any source IP address. You could also specify a source IP address in your iptables rule to open port 22 (in order to make it more restrictive):
iptables --append INPUT --proto tcp --destination-port 22 --source address[/mask][,...] --syn -j ACCEPT
So, for cassandra, you need to open 7000 on each cassandra node to other nodes in the cluster. You can specify the source by individual machines or by a whole subnet.