forked from pivotal-cf/docs-pcf-install
config_firewall.html.md.erb
---
title: Preparing Your Firewall for Deploying Pivotal Cloud Foundry®
owner: Ops Manager
---
<strong><%= modified_date %></strong>
This topic describes how to configure your firewall for [Pivotal Cloud Foundry®](https://network.pivotal.io/products/pivotal-cf) (PCF) and how to verify that PCF resolves DNS entries behind your firewall.
## <a id='firewall_configuration'></a>Configure Your Firewall for PCF ##
Ops Manager and Elastic Runtime require the following open TCP ports:
- **25555**: Routes to the Ops Manager VM
- **443**: Routes to HAProxy or, if configured, your own load balancer
- **80**: Routes to HAProxy or, if configured, your own load balancer
- **22 (Optional)**: Only necessary if you want to connect using SSH
For more information about required ports for additional installed products,
refer to the product documentation.
The following example procedure uses the Linux command `iptables` to configure a firewall.
<p class="note"><strong>Note</strong>: <code>GATEWAY_EXTERNAL_IP</code> is a
placeholder. Replace this value with your <code>PUBLIC_IP</code>.</p>
1. Open `/etc/sysctl.conf`, a file that contains configurations for Linux kernel
settings, with the command below:
<pre class='terminal'>
$ sudo vi /etc/sysctl.conf
</pre>
1. Add the line `net.ipv4.ip_forward=1` to `/etc/sysctl.conf` and save the file.
1. If you are using Linux machines for your firewall and want to remove all existing filtering or Network Address Translation (NAT) rules, run the following commands:
<p class="note"><strong>Note</strong>: This command destroys all <code>iptables</code> rules. You must back up or record your rules if you want to preserve them.</p>
<pre class='terminal'>
$ iptables --flush
$ iptables --flush -t nat
</pre>
1. Add environment variables to use when creating the IP rules:
<pre class='terminal'>
$ export INTERNAL\_NETWORK\_RANGE=10.0.0.0/8
$ export GATEWAY\_INTERNAL\_IP=10.0.0.1
$ export GATEWAY\_EXTERNAL\_IP=203.0.113.242
$ export PIVOTALCF\_IP=10.0.0.2
$ export HA\_PROXY\_IP=10.0.0.254
</pre>
1. Run the following commands to configure IP rules for the specified chains:
* **FORWARD**:
<pre class='terminal'>
$ iptables -A FORWARD -i eth1 -j ACCEPT
$ iptables -A FORWARD -o eth1 -j ACCEPT
</pre>
* **POSTROUTING**:
<pre class='terminal'>
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ iptables -t nat -A POSTROUTING -d $HA_PROXY_IP -s $INTERNAL_NETWORK_RANGE \
-p tcp --dport 80 -j SNAT --to $GATEWAY_INTERNAL_IP
$ iptables -t nat -A POSTROUTING -d $HA_PROXY_IP -s $INTERNAL_NETWORK_RANGE \
-p tcp --dport 443 -j SNAT --to $GATEWAY_INTERNAL_IP
</pre>
* **PREROUTING**:
<pre class='terminal'>
$ iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport \
25555 -j DNAT --to $PIVOTALCF_IP
$ iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport \
443 -j DNAT --to $HA_PROXY_IP
$ iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport \
80 -j DNAT --to $HA_PROXY_IP
$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8443 -j DNAT \
--to $PIVOTALCF_IP:443
$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT \
--to $HA_PROXY_IP:80
$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8022 -j DNAT \
--to $PIVOTALCF_IP:22
$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT \
--to $PIVOTALCF_IP:80
</pre>
1. Run the following command to save the `iptables` rules:
<pre class='terminal'>
$ service iptables save
</pre>
For more information about administering IP tables with `iptables`, refer to the
[iptables documentation](http://ipset.netfilter.org/iptables.man.html).
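After saving the rules, it is worth confirming that the gateway forwards only the ports listed at the top of this topic and nothing else. The script below is an added example written for this page, not Pivotal's code: it parses `iptables-save` output with `awk` and reports any PREROUTING DNAT rule whose external port is outside the expected set. The embedded rule set is a constructed sample that reuses the placeholder addresses from the `export` step and adds one stray rule for port 3306, so the script runs offline; on a real gateway feed it the output of `sudo iptables-save -t nat` instead.

```shell
#!/bin/sh
# Added example (not part of the Pivotal documentation): audit the PREROUTING DNAT
# rules on the gateway against the ports this topic expects to be exposed.
# SAMPLE_NAT_RULES is a constructed iptables-save snippet that mirrors the rules
# above plus one stray rule (3306); on a real gateway replace it with the output of
# `sudo iptables-save -t nat`.

SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.242/32 -p tcp -m tcp --dport 25555 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 203.0.113.242/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.254
-A PREROUTING -d 203.0.113.242/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.254
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.0.0.2:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8022 -j DNAT --to-destination 10.0.0.2:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 10.0.0.9:3306
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# External ports the procedure above forwards on purpose (adjust for your environment).
EXPECTED_PORTS="25555 443 80 8443 8022 8080"

# list_dnat_ports RULES: print "<external port> <internal destination>" for every
# PREROUTING rule with a DNAT target; other chains and targets are ignored.
list_dnat_ports() {
    printf '%s\n' "$1" | awk '
        /^-A PREROUTING / && / -j DNAT/ {
            port = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--to-destination" || $i == "--to") dest = $(i + 1)
            }
            if (port != "") print port, dest
        }'
}

# unexpected_dnat_ports RULES EXPECTED: print "<port> -> <destination>" for each
# forwarded external port that is not in the space-separated EXPECTED list.
unexpected_dnat_ports() {
    rules="$1"; expected="$2"
    list_dnat_ports "$rules" | while read -r port dest; do
        case " $expected " in
            *" $port "*) ;;                       # expected, nothing to report
            *) printf '%s -> %s\n' "$port" "$dest" ;;
        esac
    done
}

# Stand-alone run: report anything forwarded that the topic did not call for.
unexpected_dnat_ports "$SAMPLE_NAT_RULES" "$EXPECTED_PORTS"
```

Run it after every change to the NAT table; an empty result means every forwarded port is one you intended. `EXPECTED_PORTS` includes the 8443, 8022 and 8080 forwards from the PREROUTING step, so remove those entries if you did not add those rules.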
## <a id='DNS_fails'></a>Verify PCF Resolves DNS Entries Behind a Firewall ##
When you install PCF in an environment that uses a strong firewall, the firewall
might block DNS resolution.
For example, if you use [xip.io](http://xip.io/) to test your DNS configuration,
the tests will fail without warning if the firewall prevents Elastic Runtime
from accessing `*.xip.io`.
To verify that Elastic Runtime can correctly resolve DNS entries:
1. SSH into the Pivotal Ops Manager VM.
For more information, refer to the [SSH into Ops
Manager](./trouble-advanced.html#ssh) section of the Advanced
Troubleshooting with the BOSH CLI topic.
1. Run any of the following network administration commands with the IP address
of the VM:
* `nslookup`
* `dig`
* `host`
* The appropriate `traceroute` command for your OS
1. Review the output of the command and fix any blocked routes.
If the output displays an error message, review the firewall logs to
determine which blocked route or routes you need to clear.
1. Repeat steps 1-3 with the Ops Manager Director VM and the HAProxy VM.
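The outcomes that step 3 asks you to tell apart look different in `dig` output: a resolver blocked by the firewall times out, a name that does not exist returns `NXDOMAIN`, and a name that exists but has no record of the requested type returns `NOERROR` with an empty answer section. The following shell script is an added example, not part of the original topic: `classify_dig_output` maps `dig` output to one of those outcomes and `check_name` wraps a real `dig` call with a short timeout so a blocked resolver is reported instead of hanging. The `SAMPLE_*` strings are constructed output so the classifier runs without network access, and the `10.0.0.2.xip.io` name is assumed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Pivotal documentation): classify the result of a
# `dig` lookup so that a resolver blocked by the firewall (a timeout) is told apart
# from a name that does not exist (NXDOMAIN) or has no record of the requested type.
# The SAMPLE_* strings are constructed `dig` output so the classifier can run offline;
# check_name runs the real tool on an Ops Manager, Director or HAProxy VM.

# classify_dig_output: read dig output on stdin and print exactly one of
# BLOCKED, NXDOMAIN, NO_ANSWER, RESOLVED or UNKNOWN.
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"no servers could be reached"*|*"connection timed out"*)
            echo BLOCKED ;;
        *"status: NXDOMAIN"*)
            echo NXDOMAIN ;;
        *"status: NOERROR"*)
            # NOERROR with an empty answer section: the name exists but has no
            # record of the type asked for (for example an A query on a CNAME-only name).
            if printf '%s\n' "$out" | grep -q 'ANSWER: 0,'; then
                echo NO_ANSWER
            else
                echo RESOLVED
            fi ;;
        *)
            echo UNKNOWN ;;
    esac
}

# check_name NAME [RESOLVER]: query the A record for NAME, through RESOLVER if given,
# with a short timeout so a blocked resolver shows up as BLOCKED rather than hanging.
check_name() {
    name="$1"
    resolver="${2:-}"
    if [ -n "$resolver" ]; then
        dig "@$resolver" "$name" A +time=3 +tries=1 2>&1 | classify_dig_output
    else
        dig "$name" A +time=3 +tries=1 2>&1 | classify_dig_output
    fi
}

# Constructed dig output for the cases the procedure needs to tell apart.
SAMPLE_BLOCKED=';; connection timed out; no servers could be reached'
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'
SAMPLE_RESOLVED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
10.0.0.2.xip.io.	300	IN	A	10.0.0.2'

# Stand-alone run over the constructed samples (prints BLOCKED, NXDOMAIN, RESOLVED).
for sample in "$SAMPLE_BLOCKED" "$SAMPLE_NXDOMAIN" "$SAMPLE_RESOLVED"; do
    printf '%s\n' "$sample" | classify_dig_output
done
```

On the VM, call `check_name 10.0.0.2.xip.io` (optionally with the resolver's IP as a second argument); a `BLOCKED` result points at the firewall rather than at DNS configuration, which is the case this section warns fails silently.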