Hitachi Vantara Knowledge

Example HCI firewall setup

Important
  • This example details the steps required for a single node. This process must be repeated across all nodes in your system.
  • Users upgrading from HCI 1.6.1 to a later HCI version who already have signal sources configured and have previously run these scripts will not receive syslog messages until the firewall scripts are rerun on the upgraded system.
  • Prior to running the scripts, ensure that the firewall service is enabled.
  • While running the scripts, you may encounter errors caused by nmcli not working because NetworkManager is disabled. To enable it, type: systemctl start NetworkManager
  • After the scripts have concluded, you will need to restart HCI.

The following is an example of what a hardened HCI cluster running CentOS Linux 7.4.1708 (Core) would look like if it were set up to allow ONLY HCI to run within it.

The following firewall scripts are now located in <hci_install_directory>/bin:

  • hciConfigFirewallExample.sh
  • hciFirewallExampleUtils
  • hciProcessFirewall

To run the example script on your system, execute hciConfigFirewallExample.sh.

WARNING

The following firewalld example was created using our proprietary script. It is compatible with HCI versions 1.5 and later.

This script IS NOT officially supported or licensed by Hitachi Vantara. Usage of this script assumes all risks and responsibilities associated with it. Also, based on your personal network and system settings, your mileage with its usage and implementation may vary. Contact your system administrator if you have any network security or firewall concerns.

Set up two network interfaces to be used as a trusted network interface (for internal HCI traffic) and a non-trusted network interface (for external HCI traffic).

Network interface examples
  • ens160 : 172.18.118.111 - in the following config example, this network interface is the external non-trusted interface.
  • ens192 : 172.118.110.111 - in the following config example, this network interface is the internal trusted interface.

Set up three active zones and a default zone.

Zone setup
  • Default zone: drop
  • Active zones: HCI-External, trusted, HCI-AdminApp-Mon

Firewalld configuration example: drop
To view your current settings: firewall-cmd --list-all --zone=drop
  target: DROP
  icmp-block-inversion: no
  interfaces: <blank>
  sources: <blank>
  services: <blank>
  ports: <blank>
  protocols: <blank>
  masquerade: no
  forward-ports: <blank>
  source-ports: <blank>
  icmp-blocks: <blank>
  rich rules: <blank>

Firewalld configuration example: HCI-External
To view your current settings: firewall-cmd --list-all --zone=HCI-External
  target: DROP
  icmp-block-inversion: no
  interfaces: ens160
  sources: <blank>
  services: ssh
  ports: 8000/tcp 8888/tcp 6162/tcp
  protocols: <blank>
  masquerade: no
  forward-ports: <blank>
  source-ports: <blank>
  icmp-blocks: <blank>
  rich rules: <blank>

Firewalld configuration example: trusted
To view your current settings: firewall-cmd --list-all --zone=trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: ens192
  sources: <blank>
  services: <blank>
  ports: <blank>
  protocols: <blank>
  masquerade: no
  forward-ports: <blank>
  source-ports: <blank>
  icmp-blocks: <blank>
  rich rules: <blank>

Firewalld configuration example: HCI-AdminApp-Mon
To view your current settings: firewall-cmd --list-all --zone=HCI-AdminApp-Mon
  target: default
  icmp-block-inversion: no
  interfaces: <blank>
  sources: ipset:HCI-Cluster-External
  services: <blank>
  ports: <blank>
  protocols: tcp
  masquerade: no
  forward-ports: <blank>
  source-ports: 18000/tcp
  icmp-blocks: <blank>
  rich rules: <blank>
Linux system example: ipset table
To view your current settings: ipset list
  Name: HCI-Cluster-External (the set referenced as ipset:HCI-Cluster-External in the HCI-AdminApp-Mon zone)
  Type: <blank>
  Revision: <blank>
  Header: <blank>
  Size in memory: <blank>
  References: <blank>
  Members:
    <IP_ADDRESS_FOR_NODE_1>
    <IP_ADDRESS_FOR_NODE_2>
    <IP_ADDRESS_FOR_NODE_3>
    <IP_ADDRESS_FOR_NODE_4>

Note: These values would be filled with the specific IP addresses for each of your system nodes.
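The commands below, added here as an example and not the page's own hciConfigFirewallExample.sh, produce the zone, ipset and port layout of the preceding tables with firewall-cmd. The interface names, the constructed node addresses and the hash:ip ipset type are assumptions, not values taken from the page.

```shell
#!/bin/sh
# Added example, not the page's hciConfigFirewallExample.sh: builds the zone, ipset
# and port layout described above with firewall-cmd. Interface names, node
# addresses and the hash:ip ipset type are assumptions, not taken from the page.
set -eu

EXT_IF="${EXT_IF:-ens160}"   # non-trusted interface (external HCI traffic)
INT_IF="${INT_IF:-ens192}"   # trusted interface (internal HCI traffic)
# Constructed node addresses; replace with the external IP of every cluster node.
NODES="${NODES:-192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14}"

fwc() { "${FIREWALL_CMD:-firewall-cmd}" "$@"; }   # FIREWALL_CMD=echo for a dry run
fw()  { fwc --permanent "$@"; }                  # every rule goes to permanent config

hci_apply_firewall() {
  # Default zone drop: traffic bound to no interface and matched by no source is dropped.
  fwc --set-default-zone=drop

  # trusted: internal interface on the built-in ACCEPT zone.
  fw --zone=trusted --change-interface="$INT_IF"

  # HCI-External: external interface, target DROP, ssh plus the HCI ports only.
  fw --new-zone=HCI-External
  fw --zone=HCI-External --set-target=DROP
  fw --zone=HCI-External --change-interface="$EXT_IF"
  fw --zone=HCI-External --add-service=ssh
  for p in 8000 8888 6162; do fw --zone=HCI-External --add-port="$p/tcp"; done

  # Cluster ipset holding the external address of each node.
  fw --new-ipset=HCI-Cluster-External --type=hash:ip
  for ip in $NODES; do fw --ipset=HCI-Cluster-External --add-entry="$ip"; done

  # HCI-AdminApp-Mon: source-based zone (target default) for node-to-node traffic,
  # admitting TCP from cluster members and source port 18000/tcp.
  fw --new-zone=HCI-AdminApp-Mon
  fw --zone=HCI-AdminApp-Mon --add-source=ipset:HCI-Cluster-External
  fw --zone=HCI-AdminApp-Mon --add-protocol=tcp
  fw --zone=HCI-AdminApp-Mon --add-source-port=18000/tcp

  fwc --reload   # activate the permanent configuration
}

# Apply only when invoked as "./hci-firewall.sh apply"; otherwise just define the
# functions so the layout can be reviewed with FIREWALL_CMD=echo first.
if [ "${1:-}" = "apply" ]; then
  hci_apply_firewall
fi
```

Run it once per node, as the Important list above requires, and confirm the result with the firewall-cmd --list-all commands shown for each zone.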
The following is an example of what the iptables rules look like after completing the steps above.
To view your current settings: iptables -S

    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N FORWARD_IN_ZONES
    -N FORWARD_IN_ZONES_SOURCE
    -N FORWARD_OUT_ZONES
    -N FORWARD_OUT_ZONES_SOURCE
    -N FORWARD_direct
    -N FWDI_HCI-AdminApp-Mon
    -N FWDI_HCI-AdminApp-Mon_allow
    -N FWDI_HCI-AdminApp-Mon_deny
    -N FWDI_HCI-AdminApp-Mon_log
    -N FWDI_HCI-External
    -N FWDI_HCI-External_allow
    -N FWDI_HCI-External_deny
    -N FWDI_HCI-External_log
    -N FWDI_drop
    -N FWDI_drop_allow
    -N FWDI_drop_deny
    -N FWDI_drop_log
    -N FWDI_trusted
    -N FWDI_trusted_allow
    -N FWDI_trusted_deny
    -N FWDI_trusted_log
    -N FWDO_HCI-AdminApp-Mon
    -N FWDO_HCI-AdminApp-Mon_allow
    -N FWDO_HCI-AdminApp-Mon_deny
    -N FWDO_HCI-AdminApp-Mon_log
    -N FWDO_HCI-External
    -N FWDO_HCI-External_allow
    -N FWDO_HCI-External_deny
    -N FWDO_HCI-External_log
    -N FWDO_drop
    -N FWDO_drop_allow
    -N FWDO_drop_deny
    -N FWDO_drop_log
    -N FWDO_trusted
    -N FWDO_trusted_allow
    -N FWDO_trusted_deny
    -N FWDO_trusted_log
    -N INPUT_ZONES
    -N INPUT_ZONES_SOURCE
    -N INPUT_direct
    -N IN_HCI-AdminApp-Mon
    -N IN_HCI-AdminApp-Mon_allow
    -N IN_HCI-AdminApp-Mon_deny
    -N IN_HCI-AdminApp-Mon_log
    -N IN_HCI-External
    -N IN_HCI-External_allow
    -N IN_HCI-External_deny
    -N IN_HCI-External_log
    -N IN_drop
    -N IN_drop_allow
    -N IN_drop_deny
    -N IN_drop_log
    -N IN_trusted
    -N IN_trusted_allow
    -N IN_trusted_deny
    -N IN_trusted_log
    -N OUTPUT_direct
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -j INPUT_direct
    -A INPUT -j INPUT_ZONES_SOURCE
    -A INPUT -j INPUT_ZONES
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i lo -j ACCEPT
    -A FORWARD -j FORWARD_direct
    -A FORWARD -j FORWARD_IN_ZONES_SOURCE
    -A FORWARD -j FORWARD_IN_ZONES
    -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
    -A FORWARD -j FORWARD_OUT_ZONES
    -A FORWARD -m conntrack --ctstate INVALID -j DROP
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -j OUTPUT_direct
    -A FORWARD_IN_ZONES -i ens192 -j FWDI_trusted
    -A FORWARD_IN_ZONES -i ens160 -j FWDI_HCI-External
    -A FORWARD_IN_ZONES -j FWDI_drop
    -A FORWARD_IN_ZONES_SOURCE -m set --match-set HCI-Cluster-External src -g FWDI_HCI-AdminApp-Mon
    -A FORWARD_OUT_ZONES -o ens192 -j FWDO_trusted
    -A FORWARD_OUT_ZONES -o ens160 -j FWDO_HCI-External
    -A FORWARD_OUT_ZONES -j FWDO_drop
    -A FORWARD_OUT_ZONES_SOURCE -m set --match-set HCI-Cluster-External dst -g FWDO_HCI-AdminApp-Mon
    -A FWDI_HCI-AdminApp-Mon -j FWDI_HCI-AdminApp-Mon_log
    -A FWDI_HCI-AdminApp-Mon -j FWDI_HCI-AdminApp-Mon_deny
    -A FWDI_HCI-AdminApp-Mon -j FWDI_HCI-AdminApp-Mon_allow
    -A FWDI_HCI-AdminApp-Mon -p icmp -j ACCEPT
    -A FWDI_HCI-External -j FWDI_HCI-External_log
    -A FWDI_HCI-External -j FWDI_HCI-External_deny
    -A FWDI_HCI-External -j FWDI_HCI-External_allow
    -A FWDI_HCI-External -j DROP
    -A FWDI_drop -j FWDI_drop_log
    -A FWDI_drop -j FWDI_drop_deny
    -A FWDI_drop -j FWDI_drop_allow
    -A FWDI_drop -j DROP
    -A FWDI_trusted -j FWDI_trusted_log
    -A FWDI_trusted -j FWDI_trusted_deny
    -A FWDI_trusted -j FWDI_trusted_allow
    -A FWDI_trusted -j ACCEPT
    -A FWDO_HCI-AdminApp-Mon -j FWDO_HCI-AdminApp-Mon_log
    -A FWDO_HCI-AdminApp-Mon -j FWDO_HCI-AdminApp-Mon_deny
    -A FWDO_HCI-AdminApp-Mon -j FWDO_HCI-AdminApp-Mon_allow
    -A FWDO_HCI-External -j FWDO_HCI-External_log
    -A FWDO_HCI-External -j FWDO_HCI-External_deny
    -A FWDO_HCI-External -j FWDO_HCI-External_allow
    -A FWDO_HCI-External -j DROP
    -A FWDO_drop -j FWDO_drop_log
    -A FWDO_drop -j FWDO_drop_deny
    -A FWDO_drop -j FWDO_drop_allow
    -A FWDO_drop -j DROP
    -A FWDO_trusted -j FWDO_trusted_log
    -A FWDO_trusted -j FWDO_trusted_deny
    -A FWDO_trusted -j FWDO_trusted_allow
    -A FWDO_trusted -j ACCEPT
    -A INPUT_ZONES -i ens192 -j IN_trusted
    -A INPUT_ZONES -i ens160 -j IN_HCI-External
    -A INPUT_ZONES -j IN_drop
    -A INPUT_ZONES_SOURCE -m set --match-set HCI-Cluster-External src -g IN_HCI-AdminApp-Mon
    -A IN_HCI-AdminApp-Mon -j IN_HCI-AdminApp-Mon_log
    -A IN_HCI-AdminApp-Mon -j IN_HCI-AdminApp-Mon_deny
    -A IN_HCI-AdminApp-Mon -j IN_HCI-AdminApp-Mon_allow
    -A IN_HCI-AdminApp-Mon -p icmp -j ACCEPT
    -A IN_HCI-AdminApp-Mon_allow -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_HCI-AdminApp-Mon_allow -p tcp -m tcp --sport 18000 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_HCI-External -j IN_HCI-External_log
    -A IN_HCI-External -j IN_HCI-External_deny
    -A IN_HCI-External -j IN_HCI-External_allow
    -A IN_HCI-External -j DROP
    -A IN_HCI-External_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_HCI-External_allow -p tcp -m tcp --dport 8000 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_HCI-External_allow -p tcp -m tcp --dport 8888 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_HCI-External_allow -p tcp -m tcp --dport 6162 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_drop -j IN_drop_log
    -A IN_drop -j IN_drop_deny
    -A IN_drop -j IN_drop_allow
    -A IN_drop -j DROP
    -A IN_trusted -j IN_trusted_log
    -A IN_trusted -j IN_trusted_deny
    -A IN_trusted -j IN_trusted_allow
    -A IN_trusted -j ACCEPT
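A post-setup audit, added here as an example that is not part of the page or of HCI, which parses iptables -S output to confirm that the external zone accepts only TCP ports 22, 8000, 8888 and 6162 and that everything else arriving on that interface is dropped. The sample rules are constructed from the listing above; the chain and interface names are assumed to match it.

```shell
#!/bin/sh
# Added example, not from the page or HCI: audits an `iptables -S` dump to confirm
# that the external zone admits only the ports listed on this page and otherwise drops.
set -eu

# Constructed sample: the relevant lines of the iptables -S output shown above.
SAMPLE_RULES='-A INPUT_ZONES -i ens160 -j IN_HCI-External
-A IN_HCI-External -j IN_HCI-External_allow
-A IN_HCI-External -j DROP
-A IN_HCI-External_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_HCI-External_allow -p tcp -m tcp --dport 8000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_HCI-External_allow -p tcp -m tcp --dport 8888 -m conntrack --ctstate NEW -j ACCEPT
-A IN_HCI-External_allow -p tcp -m tcp --dport 6162 -m conntrack --ctstate NEW -j ACCEPT'

# Print the TCP destination ports ACCEPTed in <chain>_allow, sorted, space-separated.
# $1 = zone chain (e.g. IN_HCI-External); rules are read from stdin.
allowed_dports() {
  awk -v chain="${1}_allow" '
    $2 == chain && /-j ACCEPT/ { for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }
  ' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only if the accepted ports equal the expected list ($2, sorted, space-separated).
check_zone_ports() {
  [ "$(allowed_dports "$1")" = "$2" ]
}

# Succeed only if interface $1 is dispatched to chain $2 and that chain ends in DROP,
# so anything not explicitly allowed on the external interface is discarded.
zone_closed() {
  rules=$(cat)
  printf '%s\n' "$rules" | grep -q -- "^-A INPUT_ZONES -i $1 -j $2\$" &&
    printf '%s\n' "$rules" | grep -q -- "^-A $2 -j DROP\$"
}

# Run against the live ruleset with "./hci-fw-audit.sh live" (needs root).
if [ "${1:-}" = "live" ]; then
  iptables -S | check_zone_ports IN_HCI-External "22 6162 8000 8888" && echo "external ports OK"
  iptables -S | zone_closed ens160 IN_HCI-External && echo "external zone closed"
fi
```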

 
