You can open a port in the firewall on any node by using the openipport command; however, that port opening specification is overwritten when the node is reimaged. The exception is the head node, which as the golden client, is not reimaged. This command is described in “Opening a Temporary Port in the Firewall”.
Alternatively, you can open an IP port in the firewall globally on all the nodes by updating a single file; the port remains open after the nodes are reimaged. For more information, see “Opening an IP Port in the Firewall Persistently”.
Opening a Temporary Port in the Firewall
The openipport command enables the superuser to open an IP service port in the firewall using the following information:
The list of interfaces on which the port is to be opened
NOTE: Use the openipport command judiciously. The port remains open unless or until the node is reimaged, even if the node is rebooted.
Typically, you would use the openipport command for each defined interface except the external interface.
The following example opens port 44 in the firewall for the udp protocol on the Admin, Interconnect, and loopback interfaces on the current node. The --verbose option displays error messages, if any.
# openipport --port 44 --protocol udp \
--interface Admin,Interconnect,lo --verbose
The following example also opens port 44 in the firewall on node n3; this example uses the same protocol and interface options as the previous example. The cexec command updates node n3 and ensures that a log file records this command.
# cexec -w n3 "openipport --port 44 --protocol udp \
--interface Admin,Interconnect,lo --verbose"
Except for the head node, the effect of this command is overwritten when the nodes are reimaged.
Opening an IP Port in the Firewall Persistently
The /etc/sysconfig/iptables.proto file was developed so that IP port openings in the firewall persist after node reimaging.
During the operation of the nconfig command on each node, the /etc/sysconfig/iptables.proto file on the head node is used to generate the /etc/sysconfig/iptables file for each node in the HP XC system.
The form of the iptables.proto file is similar to the /etc/sysconfig/iptables file, with the notable difference that the following mnemonics are used to represent the interface names:
External (external network — Ethernet)
Admin (administration network)
Interconnect (system interconnect)
These interface names, which are introduced with the -i option, resolve automatically to the device name during the operation of the nconfig command on each node.
The following procedure updates the iptables.proto file to open port 389 using the tcp protocol on the Interconnect and Admin (administration) interfaces:
Log in as superuser on the head node.
Use the text editor of your choice to add the following lines to the /etc/sysconfig/iptables.proto file:
# set up port 389 on Interconnect interface:
-A RH-Firewall-1-INPUT -i Interconnect -p tcp -m tcp --dport 389 -j ACCEPT
# set up port 389 on Admin interface:
-A RH-Firewall-1-INPUT -i Admin -p tcp -m tcp --dport 389 -j ACCEPT
Each rule must be written on a single line. Add the rules before the chain's final REJECT rule, because iptables evaluates the chain top to bottom and an ACCEPT rule placed after the catch-all REJECT is never reached. This portion of the /etc/sysconfig/iptables.proto file should resemble the following:
# set up port 389 on Interconnect interface:
-A RH-Firewall-1-INPUT -i Interconnect -p tcp -m tcp --dport 389 -j ACCEPT
# set up port 389 on Admin interface:
-A RH-Firewall-1-INPUT -i Admin -p tcp -m tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Optionally, enter the following command to open the port on all nodes in the HP XC system until the nodes are reimaged:
# cexec -a "openipport --port 389 --protocol tcp \
--interface Admin,Interconnect --verbose"
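The following added example (not HP XC's own nconfig code) models the iptables.proto mechanism described above: it inserts the ACCEPT rules for a port ahead of the chain's catch-all REJECT, resolves the Admin and Interconnect mnemonics to device names the way nconfig does when it writes /etc/sysconfig/iptables, and flags any ACCEPT rule that ended up after the REJECT and would therefore never match. The mnemonic-to-device mapping and the sample proto fragment are constructed for this example.

```python
import re

# Constructed mnemonic-to-device mapping; on a real node nconfig decides this.
DEVICE_MAP = {"External": "eth0", "Admin": "eth1", "Interconnect": "ib0"}
CHAIN = "RH-Firewall-1-INPUT"
REJECT_RULE = f"-A {CHAIN} -j REJECT --reject-with icmp-host-prohibited"

# Constructed iptables.proto fragment: the catch-all REJECT must stay last.
PROTO_SAMPLE = f"-A {CHAIN} -i lo -j ACCEPT\n{REJECT_RULE}\n"

# Matches the interface name that follows "-i" in a rule line.
_IFACE = re.compile(r"(?<=\s-i\s)(\S+)")


def add_port_rules(proto_text, port, proto, interfaces):
    """Insert ACCEPT rules for one port before the chain's catch-all REJECT,
    so they are matched first; appended after it they would be dead rules."""
    new = [f"-A {CHAIN} -i {i} -p {proto} -m {proto} --dport {port} -j ACCEPT"
           for i in interfaces]
    lines = proto_text.splitlines()
    idx = next((n for n, l in enumerate(lines) if l.strip() == REJECT_RULE),
               len(lines))  # no catch-all present: append at the end
    lines[idx:idx] = [f"# set up port {port}/{proto} on {','.join(interfaces)}"] + new
    return "\n".join(lines) + "\n"


def render_proto(proto_text, device_map):
    """Resolve '-i <Mnemonic>' to the node's device name (assumed to be what
    nconfig does); names not in the map, such as 'lo', pass through unchanged."""
    return "\n".join(
        _IFACE.sub(lambda m: device_map.get(m.group(1), m.group(1)), line)
        for line in proto_text.splitlines()) + "\n"


def shadowed_accepts(rules_text):
    """Return ACCEPT rules placed after the catch-all REJECT; iptables walks the
    chain top to bottom, so these never match. A cheap check before reimaging."""
    after_reject, shadowed = False, []
    for line in rules_text.splitlines():
        s = line.strip()
        if s == REJECT_RULE:
            after_reject = True
        elif after_reject and s.startswith(f"-A {CHAIN}") and s.endswith("-j ACCEPT"):
            shadowed.append(s)
    return shadowed


if __name__ == "__main__":
    proto = add_port_rules(PROTO_SAMPLE, 389, "tcp", ["Interconnect", "Admin"])
    print(render_proto(proto, DEVICE_MAP))
    bad = proto + f"-A {CHAIN} -p udp --dport 44 -j ACCEPT\n"
    print("shadowed:", shadowed_accepts(bad))
```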