[Rocks-Discuss] Public access to frontend via ssh


Robert Verstandig

Feb 27, 2008, 12:48:17 AM
to npaci-rocks...@sdsc.edu
Hi People

Can anyone advise on how to configure the frontend firewall to allow
access to a workstation on the public internet using ssh? I tried using
the system-config-security util but that broke rocks. I have added the
public workstation's IP address to /etc/hosts.allow (not sure whether
that's even required here...) but now I guess I need to config the
firewall (iptables) manually. I would also like to allow a workstation
on the local lan access to ganglia.

Any suggestions on a procedure would be much appreciated. As you can
tell I am not that familiar with the firewall config on Rocks.

Thanks and regards

Mr Robert Verstandig
Senior Systems Engineer

Department of Exploration Geophysics
Curtin University of Technology
Technology Park West,
ARRC/CSIRO Building, H Block, Level 4
26 Dick Perry Avenue, Kensington WA 6151
Tel:(+61 8) 9266 4975 Fax:(+61 8) 9266 3407

Email: r.vers...@curtin.edu.au
Web Page: http://www.geophysics.curtin.edu.au
CRICOS Provider Code: 00301J

Richard Coffey

Feb 27, 2008, 1:18:25 AM
to ROCKS List
Hi Robert,

Have you tried editing /etc/sysconfig/iptables and made sure this line
was uncommented:

-A INPUT -m state --state NEW -p tcp --dport ssh -j ACCEPT

Best,
R.C.

---
Richard Coffey, Director of IT
Physics and Astronomy, University of Washington
Rm. B215 - 206-543-7751

Robert Verstandig

Feb 27, 2008, 2:03:23 AM
to npaci-rocks...@sdsc.edu
Hi Richard

The line is uncommented and I have also tried adding the following lines
to specify the remote workstation:

-A INPUT -s xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport ssh -j ACCEPT

This format worked fine on the local subnet when I allowed http and www
access to a network monitoring PC but the remote machine still cannot
ssh to the cluster frontend.

The really strange thing is that if the remote machine connects via our
windows vpn everything works perfectly without any changes to the
iptables. It's almost like the default gateway on the cluster (or routing
to it) is wrong. I have checked the default route using netstat -r and
it is correct...

Is there some routing that needs to be changed to ensure packets are
returned through the correct i/f?

Here is the iptables file as it stands:

###################################################################
*nat
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Preamble
-A FORWARD -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT

# Allow these ports


-A INPUT -m state --state NEW -p tcp --dport ssh -j ACCEPT

-A INPUT -s xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport ssh -j ACCEPT
# allow public xserver access
-A INPUT -s xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport xdmcp -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx -i eth1 -p udp -m udp --dport xdmcp -j ACCEPT
# Uncomment the lines below to activate web access to the cluster.
-A INPUT -s xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport https -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport www -j ACCEPT
# -A INPUT -m state --state NEW -p tcp --dport https -j ACCEPT
# -A INPUT -m state --state NEW -p tcp --dport www -j ACCEPT

# Standard rules
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Uncomment the line below to log incoming packets.
#-A INPUT -j LOG --log-prefix "Unknown packet:"

# Deny section
-A INPUT -p udp --dport 0:1024 -j REJECT
-A INPUT -p tcp --dport 0:1024 -j REJECT
# Block incoming ganglia packets on public interface.
-A INPUT -p udp --dport 8649 -j REJECT

# For a draconian "drop-all" firewall, uncomment the line below.
#-A INPUT -j DROP
COMMIT
######################################################################

Regards

Mr Robert Verstandig
Senior Systems Engineer

Department of Exploration Geophysics
Curtin University of Technology
Technology Park West,
ARRC/CSIRO Building, H Block, Level 4
26 Dick Perry Avenue, Kensington WA 6151
Tel:(+61 8) 9266 4975 Fax:(+61 8) 9266 3407

CRICOS Provider Code: 00301J

Greg Bruno

Feb 27, 2008, 10:06:31 AM
to Robert Verstandig, npaci-rocks...@sdsc.edu
On Tue, Feb 26, 2008 at 9:48 PM, Robert Verstandig
<R.Vers...@curtin.edu.au> wrote:
> Hi People
>
> Can anyone advise on how to configure the frontend firewall to allow
> access to a workstation on the public internet using ssh? I tried using
> the system-config-security util but that broke rocks. I have added the
> public workstation's IP address to /etc/hosts.allow (not sure whether
> that's even required here...) but now I guess I need to config the
> firewall (iptables) manually. I would also like to allow a workstation
> on the local lan access to ganglia.
>
> Any suggestions on a procedure would be much appreciated. As you can
> tell I am not that familiar with the firewall config on Rocks.

by default, the frontend is configured to accept ssh connections from
the public network (eth1) -- there is no need to change iptables on
the frontend.

it may be a problem with ssh client on your workstation -- which ssh
client are you using?

- gb

Philip Papadopoulos

Feb 27, 2008, 10:22:05 AM
to br...@rocksclusters.org, Robert Verstandig, npaci-rocks...@sdsc.edu
Sounds like your company network policy if VPN works and non-VPN doesn't.
Likely SSH is being blocked at your company's border gateway.

-P


--
Philip Papadopoulos, PhD
University of California, San Diego
858-822-3628



Joseph Norris

Feb 27, 2008, 11:29:33 AM
to Robert Verstandig, npaci-rocks...@sdsc.edu
We are using Fail2ban on our systems - I have this working on the head
node and it has already stopped a bunch of unwanted attempts and
traffic. It interacts with iptables and you can set a whole series of
actions depending on what you want or do not want.

Works very well.

--
Cell: 209.201.3410 Desk: 209.228.4576
email: jno...@ucmerced.edu

#Joseph Norris (Linux/Apache/Mysql/Perl - what else is there?)
print @c=map chr $_+100,(6,17,15,16,-68,-3,10,11,
16,4,1, 14,-68,12,1,14,8, -68,4,-3,-1,7,1,14,-68,
-26,11,15,1,12, 4,-68,-22,11,14,14,5,15,-90);


Tim Carlson

Feb 27, 2008, 12:26:43 PM
to Robert Verstandig, npaci-rocks...@sdsc.edu
On Tue, 26 Feb 2008, Robert Verstandig wrote:

Are you saying you can't use ssh from the frontend node to get to a
workstation on the network? Something is broken on your system in this
case because there are no default rules in rocks that restrict outgoing
traffic from the frontend.

All inbound ssh traffic should be allowed as well.

Do you get some type of error message or does your outbound ssh session
just fail to connect?

When you say "access to ganglia", do you mean that you want to have direct
access to gmetad or gmond? Let's assume you want access to gmond.

If you look at the iptables configuration rules, you'll find the line

# Block incoming ganglia packets on public interface.
-A INPUT -p udp --dport 8649 -j REJECT

Just before that line, add this to grant access to some machine on your
lan

-A INPUT -p udp --dport 8649 -s my.hostname -j ACCEPT

where my.hostname is of course replaced by the FQDN of the machine on your
lan.

Tim Carlson
Voice: (509) 371 6435 (new 1/12/08)
Email: Tim.C...@pnl.gov
Pacific Northwest National Laboratory
HPCaNS: High Performance Computing and Networking Services

Robert Verstandig

Feb 27, 2008, 4:52:16 PM
to Tim Carlson, npaci-rocks...@sdsc.edu
Hi Guys

Thanks for all the feedback. From the iptables config I thought that ssh
would be permitted on the public side. Given the local clients can
connect ok and the remote client can connect ok via vpn (inbound and
outbound ssh both work on the local lan) there must be a firewall issue
outside of rocks which I will pursue. I'll post an update to the list
when this is resolved.


Regards

Mr Robert Verstandig
Senior Systems Engineer

Department of Exploration Geophysics
Curtin University of Technology
Technology Park West,
ARRC/CSIRO Building, H Block, Level 4
26 Dick Perry Avenue, Kensington WA 6151
Tel:(+61 8) 9266 4975 Fax:(+61 8) 9266 3407

CRICOS Provider Code: 00301J
