
I want to set up a Riak Cluster for a Web project.

However, I want to secure this cluster so that only My Web Server(s) can access Riak Cluster. Basically, I will have one or more Web Servers and 4 Riak servers (in a cluster).

I want to use Shorewall or other firewall app to secure communications between the Web Server and the Riak Clusters so that no other servers can access the clusters but my own. Since Riak is completely open on the server side, this is essential before I take my servers into production.

I assume I will have to:

  1. Install Shorewall on each of the Riak Servers
  2. Lock down all ports initially
  3. Open Port 4369 (epmd) and Port 8099 (handoff listener) on all Riak Servers + the range of ports defined in my app.config file
  4. Open port 8098 and 8097 (for client) on all Riak Servers
  5. Individually restrict access of one Riak server to the IP addresses of the other Riak Servers in the cluster + the IP address(es) of my Web Server(s). Repeat for other Riak servers in the cluster

I can install Shorewall, but I'm not familiar with how to configure shorewall to do the above. I would appreciate some assistance.

Charles

1 Answer


If you're going to use Shorewall just for being a firewall on machines with just one interface, it's a little bit of overkill, in my opinion. Still, I do like to use Shorewall for this task anyway. Here's a short introduction that may help you to get started.

So, I'm assuming a single-interface IPv4-only configuration here. IPv4 and IPv6 versions of shorewall are independent but similar packages.

$ sudo apt-get install shorewall

After installing, everything is still disabled. First, let's copy over an example of a single interface configuration.

$ sudo cp /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall

Then let's configure the files one by one.

Tip: use the *.annotated.gz files for more annotations in your configuration files if you fancy that.

  • zones - Leave as default. Configuring zones is mandatory, but since it's a single interface, it only contains one zone apart from the firewall itself (fw): net.
  • interfaces - Configure your single interface there. Default configuration will probably be quite okay, and I only remove dhcp as I'm not running DHCP on my servers.
  • policy - Defines policies for traffic between zones. As your number of zones is just one, this is easy too. By default, all traffic inbound is disallowed and all traffic outbound is allowed. Leave that default if you like that.
  • rules - This is where you configure exceptions to the policies defined. A simple example for allowing inbound TCP port 1234 from the whole outside IPv4 world would be this:

    ACCEPT       net           $FW        tcp       1234

    Consider using some macros that make your config files more readable, like this one you probably want to set anyway:

    SSH(ACCEPT)  net:1.2.3.4   $FW

    This allows SSH access from the IP address 1.2.3.4.

  • shorewall.conf - get it by gunzipping the shipped shorewall.conf.gz file. Check that IP_FORWARDING=Off if you don't do any forwarding and consider setting DISABLE_IPV6=Yes if you are not planning on configuring IPv6 on the machine. Finally, set STARTUP_ENABLED=Yes.

Enable it for boot time too, in /etc/default/shorewall, set startup=1.

Now check your current configuration by running

$ shorewall check

Please do this every time you change a file and before you actually restart Shorewall. It prevents downtime in case of a syntax error, as it compiles the configuration and complains about wrong syntax.

If all is well, you may give it a try to actually start:

$ sudo service shorewall start

And feel free to inspect the result in iptables:

$ sudo iptables -L -n -v
gertvdijk
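Putting the answer's rules-file syntax together with the question's port list, here is an added example (not from the answer or from Shorewall's own examples) that generates the `rules` entries for one Riak node: cluster peers get the inter-node ports, the web tier gets the client ports, and everything else stays at the default DROP policy. The IP addresses, the distribution port range and the admin host are placeholders; the port numbers are the ones the question lists, so check them against your own app.config.

```shell
#!/bin/sh
# Added example: emit Shorewall 'rules' entries for a single-interface Riak
# node. Only peers may reach epmd/handoff/distribution, only web servers may
# reach the client ports. All addresses and the port range are placeholders.

gen_riak_rules() {
    peers="$1"       # comma-separated IPs of the other Riak nodes
    webservers="$2"  # comma-separated web server IPs, or a CIDR
    distrange="$3"   # Erlang distribution port range as low:high (placeholder)
    admin="$4"       # host allowed to SSH in (placeholder)
    printf '%s\n' '#ACTION      SOURCE            DEST   PROTO  DEST PORT(S)'
    # Inter-node traffic: epmd, handoff listener, distribution port range.
    printf 'ACCEPT       net:%s   $FW    tcp    4369\n' "$peers"
    printf 'ACCEPT       net:%s   $FW    tcp    8099\n' "$peers"
    printf 'ACCEPT       net:%s   $FW    tcp    %s\n' "$peers" "$distrange"
    # Client traffic from the web tier only (ports as listed in the question).
    printf 'ACCEPT       net:%s   $FW    tcp    8098,8097\n' "$webservers"
    # Administrative access through the SSH macro used in the answer.
    printf 'SSH(ACCEPT)  net:%s   $FW\n' "$admin"
}

# Write the rules (default target /etc/shorewall/rules) and compile-check them
# before any restart, as the answer recommends; skipped if shorewall is absent.
install_riak_rules() {
    target="${5:-/etc/shorewall/rules}"
    gen_riak_rules "$1" "$2" "$3" "$4" > "$target"
    if command -v shorewall >/dev/null 2>&1; then
        shorewall check
    fi
}

# Quick sanity check: number of ACCEPT lines the generator produced.
count_accepts() {
    gen_riak_rules "$@" | grep -c '^ACCEPT'
}
```

Run `install_riak_rules` on each node with that node's peers as the first argument; Shorewall's comma-separated SOURCE lists mean the five lines above cover the question's steps 3 to 5 without one rule per peer.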