Example HCI firewall setup

Content Intelligence Installation Guide

Version
2.2.x
Audience
anonymous
Part Number
MK-HCI002-17
Important:
  • This example details the steps required for a single node. This process must be repeated across all nodes in your system.
  • Users upgrading from HCI 1.6.1 to a later HCI version who already have signal sources configured and have run these scripts will not receive syslog messages until the firewall scripts are rerun on the upgraded system.
  • Prior to running the scripts, ensure that the firewall service is enabled.
  • While running the scripts, you may encounter errors because nmcli does not work while NetworkManager is disabled. To enable it, type: systemctl start NetworkManager
  • After the scripts have concluded, you will need to restart HCI.

The following is an example of what a hardened HCI cluster running CentOS Linux 7.4.1708 (Core) would look like if it was set up to ONLY allow HCI to run from within it.

The following firewall scripts are now located in <hci_install_directory>/bin:

  • hciConfigFirewallExample.sh
  • hciFirewallExampleUtils
  • hciProcessFirewall

To run the example script on your system, execute hciConfigFirewallExample.sh.

Warning:

The following firewalld example was created using our proprietary script. It is compatible with HCI versions 1.5 and later.

This script IS NOT officially supported or licensed by Hitachi Vantara. Usage of this script assumes all risks and responsibilities associated with it. Also, based on your personal network and system settings, your mileage with its usage and implementation may vary. Contact your system administrator if you have any network security or firewall concerns.

Table. Network interface examples. Set up two network interfaces: a trusted interface (internal HCI traffic) and a non-trusted interface (external HCI traffic).
ens160 : 172.18.118.111   In the following config example, this is the external, non-trusted interface.
ens192 : 172.118.110.111  In the following config example, this is the internal, trusted interface.
Table. Zone setup. Set up three active zones and a default zone.
Default zone: drop
Active zones: HCI-External, trusted, HCI-AdminApp-Mon

Table. Firewalld configuration example: drop
To view your current settings: firewall-cmd --list-all --zone=drop
target DROP
icmp-block-inversion no
interfaces <blank>
sources <blank>
services <blank>
ports <blank>
protocols <blank>
masquerade no
forward-ports <blank>
source-ports <blank>
icmp-blocks <blank>
rich rules <blank>
Table. Firewalld config example: HCI-External
To view your current settings: firewall-cmd --list-all --zone=HCI-External
target DROP
icmp-block-inversion no
interfaces ens160
sources <blank>
services ssh
ports 8000/tcp 8888/tcp 6162/tcp
protocols <blank>
masquerade no
forward-ports <blank>
source-ports <blank>
icmp-blocks <blank>
rich rules <blank>
Table. Firewalld config example: trusted
To view your current settings: firewall-cmd --list-all --zone=trusted
target ACCEPT
icmp-block-inversion no
interfaces ens192
sources <blank>
services <blank>
ports <blank>
protocols <blank>
masquerade no
forward-ports <blank>
source-ports <blank>
icmp-blocks <blank>
rich rules <blank>
Table. Firewalld config example: HCI-AdminApp-Mon
To view your current settings: firewall-cmd --list-all --zone=HCI-AdminApp-Mon
target default
icmp-block-inversion no
interfaces <blank>
sources ipset:HCI-Cluster-External
services <blank>
ports <blank>
protocols tcp
masquerade no
forward-ports <blank>
source-ports 18000/tcp
icmp-blocks <blank>
rich rules <blank>
Table. Linux system example: ipset table
To view your current settings: ipset list
Name default
Type no
Revision <blank>
Header ipset:HCI-Cluster-External
Size in memory <blank>
References <blank>
Members <IP_ADDRESS_FOR_NODE_1>, <IP_ADDRESS_FOR_NODE_2>, <IP_ADDRESS_FOR_NODE_3>, <IP_ADDRESS_FOR_NODE_4>
Note: These values would be filled with the specific IP addresses for each of your system nodes.
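The zone, interface, port and ipset tables above describe the end state; the following script shows the same configuration expressed as firewall-cmd invocations. It is an added example written for this page, not the product's hciConfigFirewallExample.sh or hciProcessFirewall, and it may differ from what those scripts do internally. Zone names, interfaces, the ssh service, the 8000/8888/6162 ports, the 18000/tcp source port and the ipset name come from the tables; the ipset type hash:ip and the four node addresses are assumptions (the addresses are placeholders from TEST-NET-1). The function names hci_firewall_cmds and hci_firewall_apply are the example's own. By default it only prints the commands; set APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example, not the product's hciConfigFirewallExample.sh: emits the
# firewall-cmd invocations that reproduce the zone layout documented above.
# Zone names, interfaces, services and ports come from the tables on this page;
# the ipset type and the node addresses are assumptions. Nothing is executed
# unless APPLY=1 is set, so the default run is a reviewable dry run.

EXT_IF="${EXT_IF:-ens160}"          # non-trusted interface (external HCI traffic)
INT_IF="${INT_IF:-ens192}"          # trusted interface (internal HCI traffic)
EXT_SERVICES="ssh"                  # services opened on HCI-External
EXT_PORTS="8000/tcp 8888/tcp 6162/tcp"   # ports opened on HCI-External
IPSET_NAME="HCI-Cluster-External"   # ipset holding every node's external address
# Constructed placeholder list (TEST-NET-1); replace with your nodes' addresses.
CLUSTER_NODES="${CLUSTER_NODES:-192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14}"

# Print one command per line. Permanent config is written first and a single
# --reload at the end makes all of it active at once.
hci_firewall_cmds() {
    # pre-flight from the notes above: firewalld enabled, NetworkManager running
    echo "systemctl enable --now firewalld"
    echo "systemctl start NetworkManager"
    # anything not matched by an interface or a source falls into the drop zone
    echo "firewall-cmd --set-default-zone=drop"
    # HCI-External: DROP target, external interface, ssh plus the HCI ports
    echo "firewall-cmd --permanent --new-zone=HCI-External"
    echo "firewall-cmd --permanent --zone=HCI-External --set-target=DROP"
    echo "firewall-cmd --permanent --zone=HCI-External --change-interface=$EXT_IF"
    for s in $EXT_SERVICES; do
        echo "firewall-cmd --permanent --zone=HCI-External --add-service=$s"
    done
    for p in $EXT_PORTS; do
        echo "firewall-cmd --permanent --zone=HCI-External --add-port=$p"
    done
    # trusted: the built-in ACCEPT zone, bound to the internal interface
    echo "firewall-cmd --permanent --zone=trusted --change-interface=$INT_IF"
    # ipset of cluster node addresses, used as the source of HCI-AdminApp-Mon
    # (hash:ip is an assumed type; the page does not state one)
    echo "firewall-cmd --permanent --new-ipset=$IPSET_NAME --type=hash:ip"
    for ip in $CLUSTER_NODES; do
        echo "firewall-cmd --permanent --ipset=$IPSET_NAME --add-entry=$ip"
    done
    echo "firewall-cmd --permanent --new-zone=HCI-AdminApp-Mon"
    echo "firewall-cmd --permanent --zone=HCI-AdminApp-Mon --add-source=ipset:$IPSET_NAME"
    echo "firewall-cmd --permanent --zone=HCI-AdminApp-Mon --add-protocol=tcp"
    echo "firewall-cmd --permanent --zone=HCI-AdminApp-Mon --add-source-port=18000/tcp"
    echo "firewall-cmd --reload"
}

# Dry run by default; with APPLY=1 each command is echoed and then executed,
# stopping at the first failure so a half-applied ruleset is noticed.
hci_firewall_apply() {
    [ "${APPLY:-0}" = "1" ] || { hci_firewall_cmds; return 0; }
    hci_firewall_cmds | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

hci_firewall_apply
```

Run it once without APPLY to review the command list, then with APPLY=1 as root on each node (the notes above say every node needs the same treatment), and compare the result against the tables with the firewall-cmd --list-all commands given for each zone. Because all changes are written with --permanent and activated by one --reload, an error part-way through leaves the running ruleset untouched.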
Table. The following is an example of what the iptables look like after completing the above:
To view your current settings: iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_HCI-AdminApp-Mon
-N FWDI_HCI-AdminApp-Mon_allow
-N FWDI_HCI-AdminApp-Mon_deny
-N FWDI_HCI-AdminApp-Mon_log
-N FWDI_HCI-External
-N FWDI_HCI-External_allow
-N FWDI_HCI-External_deny
-N FWDI_HCI-External_log
-N FWDI_drop
-N FWDI_drop_allow
-N FWDI_drop_deny
-N FWDI_drop_log
-N FWDI_trusted
-N FWDI_trusted_allow
-N FWDI_trusted_deny
-N FWDI_trusted_log
-N FWDO_HCI-AdminApp-Mon
-N FWDO_HCI-AdminApp-Mon_allow
-N FWDO_HCI-AdminApp-Mon_deny
-N FWDO_HCI-AdminApp-Mon_log
-N FWDO_HCI-External
-N FWDO_HCI-External_allow
-N FWDO_HCI-External_deny
-N FWDO_HCI-External_log
-N FWDO_drop
-N FWDO_drop_allow
-N FWDO_drop_deny
-N FWDO_drop_log
-N FWDO_trusted
-N FWDO_trusted_allow
-N FWDO_trusted_deny
-N FWDO_trusted_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_HCI-AdminApp-Mon
-N IN_HCI-AdminApp-Mon_allow
-N IN_HCI-AdminApp-Mon_deny
-N IN_HCI-AdminApp-Mon_log
-N IN_HCI-External
-N IN_HCI-External_allow
-N IN_HCI-External_deny
-N IN_HCI-External_log
-N IN_drop
-N IN_drop_allow
-N IN_drop_deny
-N IN_drop_log
-N IN_trusted
-N IN_trusted_allow
-N IN_trusted_deny
-N IN_trusted_log
-N OUTPUT_direct
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens192 -j FWDI_trusted
-A FORWARD_IN_ZONES -i ens160 -j FWDI_HCI-External
-A FORWARD_IN_ZONES -j FWDI_drop
-A FORWARD_IN_ZONES_SOURCE -m set --match-set HCI-Cluster-External src -g FWDI_HCI-AdminApp-Mon
-A FORWARD_OUT_ZONES -o ens192 -j FWDO_trusted
-A FORWARD_OUT_ZONES -o ens160 -j FWDO_HCI-External
-A FORWARD_OUT_ZONES -j FWDO_drop
-A FORWARD_OUT_ZONES_SOURCE -m set --match-set HCI-Cluster-External dst -g FWDO_HCI-AdminApp-Mon
-A FWDI_HCI-AdminApp-Mon -j FWDI_HCI-AdminApp-Mon_log
-A FWDI_HCI-AdminApp-Mon -j FWDI_HCI-AdminApp-Mon_deny
-A FWDI_HCI-AdminApp-Mon -j FWDI_HCI-AdminApp-Mon_allow
-A FWDI_HCI-AdminApp-Mon -p icmp -j ACCEPT
-A FWDI_HCI-External -j FWDI_HCI-External_log
-A FWDI_HCI-External -j FWDI_HCI-External_deny
-A FWDI_HCI-External -j FWDI_HCI-External_allow
-A FWDI_HCI-External -j DROP
-A FWDI_drop -j FWDI_drop_log
-A FWDI_drop -j FWDI_drop_deny
-A FWDI_drop -j FWDI_drop_allow
-A FWDI_drop -j DROP
-A FWDI_trusted -j FWDI_trusted_log
-A FWDI_trusted -j FWDI_trusted_deny
-A FWDI_trusted -j FWDI_trusted_allow
-A FWDI_trusted -j ACCEPT
-A FWDO_HCI-AdminApp-Mon -j FWDO_HCI-AdminApp-Mon_log
-A FWDO_HCI-AdminApp-Mon -j FWDO_HCI-AdminApp-Mon_deny
-A FWDO_HCI-AdminApp-Mon -j FWDO_HCI-AdminApp-Mon_allow
-A FWDO_HCI-External -j FWDO_HCI-External_log
-A FWDO_HCI-External -j FWDO_HCI-External_deny
-A FWDO_HCI-External -j FWDO_HCI-External_allow
-A FWDO_HCI-External -j DROP
-A FWDO_drop -j FWDO_drop_log
-A FWDO_drop -j FWDO_drop_deny
-A FWDO_drop -j FWDO_drop_allow
-A FWDO_drop -j DROP
-A FWDO_trusted -j FWDO_trusted_log
-A FWDO_trusted -j FWDO_trusted_deny
-A FWDO_trusted -j FWDO_trusted_allow
-A FWDO_trusted -j ACCEPT
-A INPUT_ZONES -i ens192 -j IN_trusted
-A INPUT_ZONES -i ens160 -j IN_HCI-External
-A INPUT_ZONES -j IN_drop
-A INPUT_ZONES_SOURCE -m set --match-set HCI-Cluster-External src -g IN_HCI-AdminApp-Mon
-A IN_HCI-AdminApp-Mon -j IN_HCI-AdminApp-Mon_log
-A IN_HCI-AdminApp-Mon -j IN_HCI-AdminApp-Mon_deny
-A IN_HCI-AdminApp-Mon -j IN_HCI-AdminApp-Mon_allow
-A IN_HCI-AdminApp-Mon -p icmp -j ACCEPT
-A IN_HCI-AdminApp-Mon_allow -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A IN_HCI-AdminApp-Mon_allow -p tcp -m tcp --sport 18000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_HCI-External -j IN_HCI-External_log
-A IN_HCI-External -j IN_HCI-External_deny
-A IN_HCI-External -j IN_HCI-External_allow
-A IN_HCI-External -j DROP
-A IN_HCI-External_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_HCI-External_allow -p tcp -m tcp --dport 8000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_HCI-External_allow -p tcp -m tcp --dport 8888 -m conntrack --ctstate NEW -j ACCEPT
-A IN_HCI-External_allow -p tcp -m tcp --dport 6162 -m conntrack --ctstate NEW -j ACCEPT
-A IN_drop -j IN_drop_log
-A IN_drop -j IN_drop_deny
-A IN_drop -j IN_drop_allow
-A IN_drop -j DROP
-A IN_trusted -j IN_trusted_log
-A IN_trusted -j IN_trusted_deny
-A IN_trusted -j IN_trusted_allow
-A IN_trusted -j ACCEPT
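The listing above is the reference state; what a practitioner wants after running the scripts on every node is a repeatable way to confirm the live ruleset still matches it. The script below is an added audit helper written for this page, not one of the HCI firewall scripts. It reads iptables -S from stdin and checks the INPUT side: that ens160 is dispatched to IN_HCI-External and ens192 to IN_trusted, that the HCI-Cluster-External ipset is dispatched to IN_HCI-AdminApp-Mon, that IN_HCI-External ends in DROP, and that the external allow chain accepts exactly ports 22, 8000, 8888 and 6162. The function names hci_audit_rules and ext_allowed_ports, the embedded sample (a constructed excerpt of the listing) and the constructed drift rule on port 9200 are the example's own.

```shell
#!/bin/sh
# Added audit helper, not part of the HCI firewall scripts: reads `iptables -S`
# output and checks that the INPUT side matches the hardened example above.
# Interface names, zone names, the ipset name and the expected ports are taken
# from this page; the sample rules below are a constructed excerpt of the listing.

EXT_IF="${EXT_IF:-ens160}"
INT_IF="${INT_IF:-ens192}"
EXPECTED_EXT_PORTS="22 8000 8888 6162"   # ssh plus the three HCI ports on HCI-External

# Print, one per line and in rule order, every TCP --dport that the external
# zone's allow chain ACCEPTs.
ext_allowed_ports() {
    awk '$1 == "-A" && $2 == "IN_HCI-External_allow" && /-j ACCEPT/ {
             for (i = 3; i <= NF; i++) if ($i == "--dport") print $(i + 1)
         }'
}

# Audit the ruleset read from stdin. Prints one FAIL line per finding and
# returns 1 if anything drifted from the example, 0 otherwise.
hci_audit_rules() {
    rules="$(cat)"
    status=0
    printf '%s\n' "$rules" | grep -qxF -- "-A INPUT_ZONES -i $EXT_IF -j IN_HCI-External" \
        || { echo "FAIL: $EXT_IF is not dispatched to IN_HCI-External"; status=1; }
    printf '%s\n' "$rules" | grep -qxF -- "-A INPUT_ZONES -i $INT_IF -j IN_trusted" \
        || { echo "FAIL: $INT_IF is not dispatched to IN_trusted"; status=1; }
    printf '%s\n' "$rules" | grep -qF -- "--match-set HCI-Cluster-External src -g IN_HCI-AdminApp-Mon" \
        || { echo "FAIL: cluster ipset is not dispatched to IN_HCI-AdminApp-Mon"; status=1; }
    printf '%s\n' "$rules" | grep -qxF -- "-A IN_HCI-External -j DROP" \
        || { echo "FAIL: IN_HCI-External does not end in DROP"; status=1; }
    # compare the sorted set of accepted ports against the expected set
    got="$(printf '%s\n' "$rules" | ext_allowed_ports | sort -n | tr '\n' ' ')"
    want="$(printf '%s\n' $EXPECTED_EXT_PORTS | sort -n | tr '\n' ' ')"
    [ "$got" = "$want" ] \
        || { echo "FAIL: external allow ports are [$got] expected [$want]"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: INPUT rules match the hardened example"
    return "$status"
}

# Constructed sample: the INPUT-side lines of the example listing above.
SAMPLE_RULES='-A INPUT_ZONES -i ens192 -j IN_trusted
-A INPUT_ZONES -i ens160 -j IN_HCI-External
-A INPUT_ZONES -j IN_drop
-A INPUT_ZONES_SOURCE -m set --match-set HCI-Cluster-External src -g IN_HCI-AdminApp-Mon
-A IN_HCI-External -j IN_HCI-External_log
-A IN_HCI-External -j IN_HCI-External_deny
-A IN_HCI-External -j IN_HCI-External_allow
-A IN_HCI-External -j DROP
-A IN_HCI-External_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_HCI-External_allow -p tcp -m tcp --dport 8000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_HCI-External_allow -p tcp -m tcp --dport 8888 -m conntrack --ctstate NEW -j ACCEPT
-A IN_HCI-External_allow -p tcp -m tcp --dport 6162 -m conntrack --ctstate NEW -j ACCEPT'
# Constructed drift: one extra port opened on the external zone, which the audit must flag.
DRIFT_RULE='-A IN_HCI-External_allow -p tcp -m tcp --dport 9200 -m conntrack --ctstate NEW -j ACCEPT'

# Usage: iptables -S | sh hci_audit.sh --live   (hci_audit.sh is an assumed file name)
# Without --live the embedded sample is audited instead.
case "${1:-}" in
    --live) hci_audit_rules ;;
    *)      printf '%s\n' "$SAMPLE_RULES" | hci_audit_rules ;;
esac
```

The check is deliberately strict about the external allow chain: an extra accepted port there is the most likely way this configuration loosens over time, and an exact set comparison catches it even when every expected port is still present. Run it on each node after the scripts and after every HCI upgrade, since the notes at the top of this page point out that an upgrade can require rerunning the firewall scripts.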