Dell SRM Data Forwarder: SRM Gate server firewall configuration (iptables)
The SRM Gate routes packets initiated by the distributed collectors towards the primary backend (PBE) and frontend (FE) servers, and routes packets initiated by the FE towards the distributed collectors for administration purposes (admin UI).
Apart from the time-series data, which is handled by the Gate's LBC, all traffic initiated by the collectors and the frontend passes through the Gate server firewall, which is configured with the iptables utility. The ports that must be configured in iptables are shown in the yellow box in Figure 2.
Before configuring iptables, check whether IP forwarding is enabled on the server. As root, run:
# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
If the result is 0 (as in the output above), enable IP forwarding by adding the following line to /etc/sysctl.conf:
net.ipv4.ip_forward=1
If the line is already present with the value 0, change it to 1.
Save the file and apply the change with either of the following commands (sysctl --system also reloads the drop-in files under /etc/sysctl.d):
# sysctl -p /etc/sysctl.conf
# sysctl --system
Confirm that sysctl net.ipv4.ip_forward now reports 1. Without forwarding enabled, the DNAT rules below still match, but the kernel discards the rewritten packets instead of forwarding them, and nothing reaches the PBE or FE.
The following iptables configuration on the Gate server enables network address translation and forwarding, so that a packet arriving on a given Gate port is forwarded to the corresponding PBE, FE, or REMOTE-COLLECTOR port. Each mapping consists of three rules: a DNAT rule in the nat PREROUTING chain that rewrites the destination to the backend server, an SNAT rule in the nat POSTROUTING chain that rewrites the source to GATE-IP so that replies return through the Gate (the backends need no route to the collector networks), and an ACCEPT rule in the filter FORWARD chain, whose policy is DROP, that admits only new connections to that one destination and port. The two remote collectors are reached on distinct Gate ports (48444 and 48445) that both map to port 48443 on the respective collector, and SNMP traps sent to UDP port 162 on the Gate are delivered to PBE port 2041. Connections to port 48443 on GATE-IP itself are accepted in PREROUTING before the DNAT rule, so they are not redirected to the PBE. Note that these rules match any source address on eth0; adding -s with the collector and frontend networks to the PREROUTING and FORWARD rules is a reasonable hardening step. Note also that the LOG rule is the first entry in the FORWARD chain, so it records a rate-limited sample (3 per minute) of all forwarded traffic, accepted connections included, under the SFW2-FWD-ILL-ROUTING prefix.
gate-hostname:~ # iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 58443 -j DNAT --to-destination FRONTEND-IP:58443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 48443 -d GATE-IP -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 48443 -j DNAT --to-destination PBE-IP:48443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 52001 -j DNAT --to-destination PBE-IP:52001
-A PREROUTING -i eth0 -p tcp -m tcp --dport 52007 -j DNAT --to-destination PBE-IP:52007
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22020 -j DNAT --to-destination PBE-IP:22020
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2010 -j DNAT --to-destination PBE-IP:2010
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2040 -j DNAT --to-destination PBE-IP:2040
-A PREROUTING -i eth0 -p udp -m udp --dport 162 -j DNAT --to-destination PBE-IP:2041
-A PREROUTING -i eth0 -p udp -m udp --dport 2041 -j DNAT --to-destination PBE-IP:2041
-A PREROUTING -i eth0 -p tcp -m tcp --dport 48444 -j DNAT --to-destination REMOTE-COLLECTOR-1-IP:48443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 48445 -j DNAT --to-destination REMOTE-COLLECTOR-2-IP:48443
-A POSTROUTING -d FRONTEND-IP/32 -o eth0 -p tcp -m tcp --dport 58443 -j SNAT --to-source GATE-IP
-A POSTROUTING -d PBE-IP/32 -o eth0 -p tcp -m tcp --dport 48443 -j SNAT --to-source GATE-IP
-A POSTROUTING -d PBE-IP/32 -o eth0 -p tcp -m tcp --dport 52001 -j SNAT --to-source GATE-IP
-A POSTROUTING -d PBE-IP/32 -o eth0 -p tcp -m tcp --dport 52007 -j SNAT --to-source GATE-IP
-A POSTROUTING -d PBE-IP/32 -o eth0 -p tcp -m tcp --dport 22020 -j SNAT --to-source GATE-IP
-A POSTROUTING -d PBE-IP/32 -o eth0 -p tcp -m tcp --dport 2010 -j SNAT --to-source GATE-IP
-A POSTROUTING -d PBE-IP/32 -o eth0 -p tcp -m tcp --dport 2040 -j SNAT --to-source GATE-IP
-A POSTROUTING -d PBE-IP/32 -o eth0 -p udp -m udp --dport 2041 -j SNAT --to-source GATE-IP
-A POSTROUTING -d REMOTE-COLLECTOR-1-IP/32 -o eth0 -p tcp -m tcp --dport 48443 -j SNAT --to-source GATE-IP
-A POSTROUTING -d REMOTE-COLLECTOR-2-IP/32 -o eth0 -p tcp -m tcp --dport 48443 -j SNAT --to-source GATE-IP
gate-hostname:~ # iptables -S FORWARD
-P FORWARD DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -d FRONTEND-IP/32 -p tcp -m tcp --dport 58443 -m state --state NEW -j ACCEPT
-A FORWARD -d PBE-IP/32 -p tcp -m tcp --dport 48443 -m state --state NEW -j ACCEPT
-A FORWARD -d PBE-IP/32 -p tcp -m tcp --dport 52001 -m state --state NEW -j ACCEPT
-A FORWARD -d PBE-IP/32 -p tcp -m tcp --dport 52007 -m state --state NEW -j ACCEPT
-A FORWARD -d PBE-IP/32 -p tcp -m tcp --dport 22020 -m state --state NEW -j ACCEPT
-A FORWARD -d PBE-IP/32 -p tcp -m tcp --dport 2010 -m state --state NEW -j ACCEPT
-A FORWARD -d PBE-IP/32 -p tcp -m tcp --dport 2040 -m state --state NEW -j ACCEPT
-A FORWARD -d PBE-IP/32 -p udp -m udp --dport 2041 -m state --state NEW -j ACCEPT
-A FORWARD -d REMOTE-COLLECTOR-1-IP/32 -p tcp -m tcp --dport 48443 -m state --state NEW -j ACCEPT
-A FORWARD -d REMOTE-COLLECTOR-2-IP/32 -p tcp -m tcp --dport 48443 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
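The eleven mappings above repeat the same three-rule pattern, and a port or address that differs between the DNAT, SNAT and FORWARD lines of one mapping breaks that mapping without any error. The following script, added here as an example and not part of the Dell documentation, generates the triplet for each mapping from a single table. It is POSIX sh; the placeholder addresses, the eth0 interface name and the ALLOWED_SRC variable (an optional source-network restriction that the documented rules do not apply) are assumptions, and by default it only prints the iptables commands so they can be reviewed before being run as root with IPTABLES=iptables. Two choices differ from the listing above: the SNAT and FORWARD rules for UDP 162 and 2041, which share the backend port PBE-IP:2041, are emitted once, and the LOG rule is appended after the allow rules so that only packets about to be dropped by the FORWARD policy are logged.

```shell
#!/bin/sh
# Generate the DNAT / SNAT / FORWARD rule triplet for each SRM Gate port mapping.
# With the default IPTABLES=dry_run the rules are printed for review; run as root
# with IPTABLES=iptables (and real addresses in the environment) to apply them.
dry_run() { printf 'iptables %s\n' "$*"; }
IPTABLES="${IPTABLES:-dry_run}"
GATE_IF="${GATE_IF:-eth0}"
# Placeholders as in the documentation; override with real addresses (assumed names).
GATE_IP="${GATE_IP:-GATE-IP}"
FRONTEND_IP="${FRONTEND_IP:-FRONTEND-IP}"
PBE_IP="${PBE_IP:-PBE-IP}"
REMOTE_COLLECTOR_1_IP="${REMOTE_COLLECTOR_1_IP:-REMOTE-COLLECTOR-1-IP}"
REMOTE_COLLECTOR_2_IP="${REMOTE_COLLECTOR_2_IP:-REMOTE-COLLECTOR-2-IP}"
# Optional hardening (not in the documented rules): restrict matches to the
# collector/frontend networks, e.g. ALLOWED_SRC=10.1.0.0/16. Empty = any source.
ALLOWED_SRC="${ALLOWED_SRC:-}"
SEEN=""   # backend proto:ip:port combinations that already have SNAT/FORWARD rules

# gate_forward GATE_PORT PROTO DEST_IP DEST_PORT
gate_forward() {
    gport=$1 proto=$2 dip=$3 dport=$4
    srcm=""
    [ -n "$ALLOWED_SRC" ] && srcm="-s $ALLOWED_SRC"
    # 1. nat/PREROUTING: rewrite the destination of packets arriving on the Gate port.
    $IPTABLES -t nat -A PREROUTING -i "$GATE_IF" $srcm -p "$proto" -m "$proto" \
        --dport "$gport" -j DNAT --to-destination "$dip:$dport"
    # Two Gate ports may map to the same backend port (UDP 162 and 2041 -> PBE:2041).
    # SNAT and FORWARD match on the rewritten destination, so emit them only once.
    key="|$proto:$dip:$dport|"
    case "$SEEN" in *"$key"*) return 0 ;; esac
    SEEN="$SEEN$key"
    # 2. nat/POSTROUTING: source becomes GATE-IP so the backend replies via the Gate.
    $IPTABLES -t nat -A POSTROUTING -d "$dip/32" -o "$GATE_IF" -p "$proto" -m "$proto" \
        --dport "$dport" -j SNAT --to-source "$GATE_IP"
    # 3. filter/FORWARD (policy DROP): allow only new connections to that backend port.
    $IPTABLES -A FORWARD -d "$dip/32" $srcm -p "$proto" -m "$proto" \
        --dport "$dport" -m state --state NEW -j ACCEPT
}

# The mapping table from the documentation, in the order the rules appear there.
apply_srm_mappings() {
    # Port 48443 on the Gate itself is accepted before its DNAT rule so it is not redirected.
    $IPTABLES -t nat -A PREROUTING -i "$GATE_IF" -p tcp -m tcp --dport 48443 -d "$GATE_IP" -j ACCEPT
    gate_forward 58443 tcp "$FRONTEND_IP" 58443
    gate_forward 48443 tcp "$PBE_IP" 48443
    gate_forward 52001 tcp "$PBE_IP" 52001
    gate_forward 52007 tcp "$PBE_IP" 52007
    gate_forward 22020 tcp "$PBE_IP" 22020
    gate_forward 2010  tcp "$PBE_IP" 2010
    gate_forward 2040  tcp "$PBE_IP" 2040
    gate_forward 162   udp "$PBE_IP" 2041
    gate_forward 2041  udp "$PBE_IP" 2041
    gate_forward 48444 tcp "$REMOTE_COLLECTOR_1_IP" 48443
    gate_forward 48445 tcp "$REMOTE_COLLECTOR_2_IP" 48443
    # Replies for accepted connections, then a rate-limited log of what the policy will drop.
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING "
    $IPTABLES -P FORWARD DROP
}

apply_srm_mappings
```

Run it as, for example, ALLOWED_SRC=10.1.0.0/16 PBE_IP=10.2.0.10 sh gate-rules.sh to preview the rule set, and compare the live tables afterwards with iptables -S -t nat and iptables -S FORWARD.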
To merge the rules above with the rules already present on the Gate server, dump the current rule set to a file as root, add the PREROUTING and POSTROUTING lines to the *nat section and the FORWARD lines to the *filter section of that file, and then load the edited file back. The packet and byte counters in square brackets come from the live system and are ignored on restore. After editing, the file looks like this:
gate-hostname:~ # iptables-save > iptables-fw.rules
*nat
:PREROUTING ACCEPT [153405:12619034]
:INPUT ACCEPT [22:1256]
:OUTPUT ACCEPT [9176:572712]
:POSTROUTING ACCEPT [5399:346092]
#-A PREROUTING -p udp -m udp --dport 162 -j REDIRECT --to-ports 2041
-A PREROUTING -i eth0 -p tcp -m tcp --dport 58443 -j DNAT --to-destination FRONTEND-IP:58443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 48443 -d GATE-IP -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 48443 -j DNAT --to-destination PBE-IP:48443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 52001 -j DNAT --to-destination PBE-IP:52001
-A PREROUTING -i eth0 -p tcp -m tcp --dport 52007 -j DNAT --to-destination PBE-IP:52007
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22020 -j DNAT --to-destination PBE-IP:22020
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2010 -j DNAT --to-destination PBE-IP:2010
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2040 -j DNAT --to-destination PBE-IP:2040
-A PREROUTING -i eth0 -p udp -m udp --dport 162 -j DNAT --to-destination PBE-IP:2041
-A PREROUTING -i eth0 -p udp -m udp --dport 2041 -j DNAT --to-destination PBE-IP:2041
-A PREROUTING -i eth0 -p tcp -m tcp --dport 48444 -j DNAT --to-destination REMOTE-COLLECTOR-1-IP:48443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 48445 -j DNAT --to-destination REMOTE-COLLECTOR-2-IP:48443
-A POSTROUTING -d FRONTEND-IP/32 -o eth0 -p tcp -m tcp --dport 58443 -j SNAT --to-source GATE-IP
-A POSTROUTING -d PBE-IP/32 -o eth0 -p tcp -m tcp --dport 48443 -j SNAT --to-source GATE-IP
-A POSTROUTING -d PBE-IP/32 -o eth0 -p tcp -m tcp --dport 52001 -j SNAT --to-source GATE-IP
-A POSTROUTING -d PBE-IP/32 -o eth0 -p tcp -m tcp --dport 52007 -j SNAT --to-source GATE-IP
-A POSTROUTING -d PBE-IP/32 -o eth0 -p tcp -m tcp --dport 22020 -j SNAT --to-source GATE-IP
-A POSTROUTING -d PBE-IP/32 -o eth0 -p tcp -m tcp --dport 2010 -j SNAT --to-source GATE-IP
-A POSTROUTING -d PBE-IP/32 -o eth0 -p tcp -m tcp --dport 2040 -j SNAT --to-source GATE-IP
-A POSTROUTING -d PBE-IP/32 -o eth0 -p udp -m udp --dport 2041 -j SNAT --to-source GATE-IP
-A POSTROUTING -d REMOTE-COLLECTOR-1-IP/32 -o eth0 -p tcp -m tcp --dport 48443 -j SNAT --to-source GATE-IP
-A POSTROUTING -d REMOTE-COLLECTOR-2-IP/32 -o eth0 -p tcp -m tcp --dport 48443 -j SNAT --to-source GATE-IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [120471:100469695]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 14 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -m pkttype --pkt-type multicast -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -d FRONTEND-IP/32 -p tcp -m tcp --dport 58443 -m state --state NEW -j ACCEPT
-A FORWARD -d PBE-IP/32 -p tcp -m tcp --dport 48443 -m state --state NEW -j ACCEPT
-A FORWARD -d PBE-IP/32 -p tcp -m tcp --dport 52001 -m state --state NEW -j ACCEPT
-A FORWARD -d PBE-IP/32 -p tcp -m tcp --dport 52007 -m state --state NEW -j ACCEPT
-A FORWARD -d PBE-IP/32 -p tcp -m tcp --dport 22020 -m state --state NEW -j ACCEPT
-A FORWARD -d PBE-IP/32 -p tcp -m tcp --dport 2010 -m state --state NEW -j ACCEPT
-A FORWARD -d PBE-IP/32 -p tcp -m tcp --dport 2040 -m state --state NEW -j ACCEPT
-A FORWARD -d PBE-IP/32 -p udp -m udp --dport 2041 -m state --state NEW -j ACCEPT
-A FORWARD -d REMOTE-COLLECTOR-1-IP/32 -p tcp -m tcp --dport 48443 -m state --state NEW -j ACCEPT
-A FORWARD -d REMOTE-COLLECTOR-2-IP/32 -p tcp -m tcp --dport 48443 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
Each table section of the file must end with a COMMIT line; otherwise iptables-restore rejects the whole file and loads nothing. Load the edited file, which replaces the current nat and filter tables with its contents:
gate-hostname:~ # iptables-restore < iptables-fw.rules
Verify the result with iptables -S -t nat and iptables -S FORWARD, then test a collector connection through the Gate. Rules loaded this way do not survive a reboot, and a restart of a firewall management service such as SuSEfirewall2 (whose SFW2 log prefixes appear in the rule set above) rebuilds the tables, so persist the rule set with the mechanism your distribution provides for iptables rules.
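Before loading an edited dump with iptables-restore it pays to check it offline: a missing COMMIT or a rule placed outside a table section makes iptables-restore reject the entire file. The following POSIX sh script is an added example, not part of the Dell documentation. check_ruleset walks the file and flags structural errors; apply_ruleset runs that check, then uses iptables-restore --test for a kernel-side dry run, backs up the live rules with iptables-save and loads the file. The backup path under /root and the minimal sample dump in demo_ruleset are constructed for the example.

```shell
#!/bin/sh
# Validate an edited iptables-save dump before loading it on the Gate, keeping a backup.

# check_ruleset FILE: every "*table" section must be closed by COMMIT and every
# -A rule must sit inside a section; prints each problem and returns non-zero.
check_ruleset() {
    awk '
        /^\*/      { if (open != "") { print "missing COMMIT before " $0; bad = 1 }; open = $0 }
        /^COMMIT$/ { if (open == "") { print "COMMIT outside a table at line " NR; bad = 1 }; open = "" }
        /^-A /     { if (open == "") { print "rule outside a table at line " NR; bad = 1 } }
        END        { if (open != "") { print "missing COMMIT after " open; bad = 1 }; exit bad }
    ' "$1"
}

# apply_ruleset FILE: syntax check, dry run (iptables-restore --test builds the rule set
# without committing it), timestamped backup of the live rules, then load. Needs root.
apply_ruleset() {
    f=$1
    check_ruleset "$f" || return 1
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not available; syntax check only" >&2
        return 0
    fi
    iptables-restore --test < "$f" || return 1
    iptables-save > "/root/iptables-backup-$(date +%Y%m%d%H%M%S).rules" || return 1
    iptables-restore < "$f"
}

# Constructed minimal dump (not a real Gate configuration) used to exercise the checker.
demo_ruleset() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 58443 -j DNAT --to-destination FRONTEND-IP:58443
-A POSTROUTING -d FRONTEND-IP/32 -o eth0 -p tcp -m tcp --dport 58443 -j SNAT --to-source GATE-IP
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d FRONTEND-IP/32 -p tcp -m tcp --dport 58443 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
    check_ruleset "$f"; rc=$?
    rm -f "$f"
    return $rc
}

demo_ruleset && echo "demo ruleset: OK"
```

On the Gate, run apply_ruleset iptables-fw.rules as root after editing the dump; if check_ruleset reports a problem, nothing is touched and the previous rules stay in place.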