한국어

네트워킹

온누리070 플레이스토어 다운로드
    acrobits softphone
     온누리 070 카카오 프러스 친구추가온누리 070 카카오 프러스 친구추가친추
     카카오톡 채팅 상담 카카오톡 채팅 상담카톡
    
     라인상담
     라인으로 공유

     페북공유

   ◎위챗 : speedseoul


  
     PAYPAL
     
     PRICE
     

pixel.gif

    before pay call 0088 from app


http://www.datastax.com/support-forums/topic/iptables-rules-for-datastax-enterprise




There is no official guide on how to configure iptables with DSE...mostly because there is no one way to do it. There are several different ports that are used for different purposes. Some absolutely must be opened in firewall for internode communication, others are optional depending on the tools that you want to use and from where. I'm afraid that the document you quoted is a little too harsh in its wording on requiring all of those ports open for Cassandra to function.

Note: all the ports listed below are TCP ports.

For internode communication:

You must have port 7000 open between all nodes.

Other ports:

7199, 1024+ (the most annoying line for any firewall admin) - These ports are used to open a JMX connection to the cassandra node. So, if you want to use a JMX client to connect to a cassandra node, you need to open these ports for the source IP address of the machine the client is running on. Examples of JMX clients are: JConsole and nodetool. You could have one trusted machine which you run these commands from and have all of the cassandra nodes open these TCP ports to *only* this trusted machine (or small set of machines).

9160 - This is the thrift client port. It is used by utilities like cqlsh, the cassandra-jdbc driver, pycassa and other thrift clients. This port will have to be opened for communications between machines these clients are operating on and the cassandra nodes.

About how to configure iptables. Here is what I usually do (it may or may not work for your level of paranoia, but it will give you a start):

So, first, a bit on TCP and UDP communications: UDP messages are stateless and do not require any set up of a connection before sending a message. TCP on the other hand are stateful. A connection must be set up before any messages containing data are accepted (by the machine's kernel). So, when setting up a firewall for TCP connections, if you do not let the message that sets up the connection through the firewall, you are effectively disallowing any data packets to the port in question. The packet that sets up the connection is a TCP packet with the SYN bit set, and the ACK, RST, and FIN bits cleared. This packet needs to be stopped in order to stop a connection from being set up. So, for TCP, I usually allow all packets except for ones with the SYN bit set (and ACK, RST, and FIN cleared) whose destination port is not to be opened.

Another note. iptables has several tables and chains in these tables. We will be modifying the default table of: filter and chain: INPUT.

For example to close all ports except for SSH (port 22) to the machine from anywhere, you can use the following rules:

iptables --append INPUT --proto tcp --destination-port 22 --syn -j ACCEPT
iptables --append INPUT --proto tcp --syn -j DROP

It creates the following rules:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sshflags: FIN,SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN

Note, the default policy is still ACCEPT. This means accept all packets for already connected TCP connections, and drop all new connection requests except for to port 22 from any source IP address. You could also specify a source IP address in your iptables rule to open port 22 (in order to make it more restrictive):

iptables --append INPUT --proto tcp --destination-port 22 --source address[/mask][,...] --syn -j ACCEPT

So, for cassandra, you need to open 7000 on each cassandra node to other nodes in the cluster. You can specify the source by individual machines or by a whole subnet.

조회 수 :
16808
등록일 :
2014.02.26
15:33:32 (*.251.139.148)
엮인글 :
http://webs.co.kr/index.php?document_srl=38852&act=trackback&key=66f
게시글 주소 :
http://webs.co.kr/index.php?document_srl=38852
List of Articles
번호 제목 글쓴이 날짜 조회 수sort
121 리눅스 시스템 시작시에 자동 실행할 파일 등록하기 admin 2014-03-22 83660
120 Site builder shootout: Drupal vs. Joomla vs. WordPress admin 2012-07-15 83646
119 리눅스에 RADIUS 서버 구현하기 admin 2012-09-01 80691
118 [linux]리눅스 버전및 CPU등 환경정보 확인하기 admin 2013-04-08 79477
117 tar로 전체시스템 백업 LINUX Backup admin 2013-04-04 64838
116 Ubuntu 14.04 원격 접속(xrdp) 설정 admin 2014-12-21 55279
115 CentOS 5.4에서 RADIUS 서버 설치하기 admin 2013-04-19 51061
114 FreeRADIUS 설치(freeradius-sever-2.1.8) admin 2013-04-19 50772
113 리눅스 서버 이전시 고려할 사항들 admin 2011-12-16 43558
112 Getting started with SSH public key cryptography admin 2013-09-05 40350
111 linux 에티터 명령어 정리 포그라운드 전환 : ctrl + z 다시 vi 모드로 돌아오려면 fg admin 2014-03-05 37957
110 Radius를 이용한 ssh 인증 서버 구축하기 admin 2013-04-19 36723
109 리눅스 부팅시 자동 실행 명령스크립트 실행하기 만들기 이해 linux booting admin 2017-08-30 35710
108 부팅시 자동실행 명령어 스크립트, rc.local admin 2017-08-30 35520
107 다운된 리눅스서버 응급복구 admin 2013-03-28 32525
106 Build a RADIUS server on Linux admin 2013-03-23 31417
105 FREE RADIUS 활용및 응용 admin 2013-02-23 30697
104 리눅스 데비안 네트워크 설정 유선랜 무선랜 linux debian network setting 설정 admin 2017-09-07 30604
103 서버이전시 고려할 사항들 admin 2011-12-13 30556
102 윈도우XP 알면 정말 편한 숨겨진 기능 60가지 admin 2012-05-11 29959
101 Centos net install web http admin 2012-03-02 29952
100 리눅스 시작시에 부팅시 프로세스 프로그램 자동 실행 설정 admin 2017-08-30 29779
99 네트워크 디바이스명 변경 리눅스 eth0 eth1 admin 2017-08-29 29247
98 Linux 시스템 백업과 복원 admin 2012-02-28 28748
97 파이썬 설치 및 사용하기 admin 2011-12-16 28167
96 한국인/국내기업은 얼마나 Linux Kernel에 기여할까? admin 2012-04-29 27888
95 PUTTY DOWNLOAD - FREE SSH & TELNET CLIENT admin 2017-09-03 27636
94 How To Protect SSH with fail2ban on Debian 7 데비안 ssh 방어 무작위 로그인 admin 2017-09-12 27322
93 Linux 시스템 백업과 복원 admin 2013-04-04 26693
92 the world’s most widely deployed RADIUS server document admin 2017-08-29 26633