I agree that there is a problem with the wording of the question, because I did the same and got Failed Task also.
Q. * Block incoming port 8084 on all apps for everyone except for LBR host.
It does not say "Ports to be blocked for all other hosts".
Do they want to:
Block all ports on all AppServers?
Block all ports for all hosts, except 8084 for LBR host.
Does “everyone” refer to every user or every host in Stratos except LBR?
P.S. I thought that I should add my thoughts to your question because we had similar implementation. Only LBR could get http service from AppServers.
“Q. * Block incoming port 8084 on all apps for everyone except for LBR host.”
Hi @bernardo_estevao, the following steps worked for me.
Installation of iptables:
#yum install iptables-services -y
#systemctl start iptables
#systemctl enable iptables
Adding the rules as per task
According to the question we have to allow app server access through the LBR host, and that too only on the port mentioned in the task. The 2nd thing here is that we need to reject "every" other incoming connection on the port mentioned.
iptables checks rules in a sequential manner, so when we install iptables the last rule in the INPUT table is a reject-all. So I first replaced that rule using -R with this one (<port> is the port given in the task):
iptables -R INPUT 5 -p tcp --destination-port <port> -s 172.16.238.14 -j ACCEPT
and then appended this rule to the table:
iptables -A INPUT -p tcp --destination-port <port> -j DROP
Accordingly, iptables will first check the accept rule and allow the incoming connection on that port from the LBR host, and then it will go to the next rule, which rejects connections coming in on that port.
If we do the vice versa here, it will DROP every connection coming to that port; that is why we have placed the ACCEPT rule first.
At last, do not forget to save these rules so they are persistent, and check that the port is accessible from the LBR host and rejects every other host:
#service iptables save
Do let me know if there is anything to add. While doing this task a second time I found many people are stuck with it, so I thought I would write about it. I also hope this helps people who are attempting this task and are pretty new to the iptables concept.
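As an added example (not a script from any of the posters in this thread), the shell below models the sequential rule checking described above and checks a saved ruleset for the things the task grader is reported to need: both rules present in the saved file, ACCEPT before DROP, and neither shadowed by the stock catch-all REJECT that iptables-services installs at the end of INPUT. It assumes the LBR address 172.16.238.14 and port 5002 from posts in this thread; the iptables-save dumps are constructed, and nothing in it calls iptables, so it runs without root.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Assumed values: LBR host
# 172.16.238.14 and application port 5002 (both posted in the thread). Nothing
# here calls iptables, so it runs unprivileged; iptables-save output is modelled.
LBR_IP=172.16.238.14
APP_PORT=5002

# The two task rules in the order the thread settles on: ACCEPT for the LBR,
# then DROP for everyone else. Line format: "<src or any> <dport> <verdict>".
rules_correct() {
  printf '%s\n' "$LBR_IP $APP_PORT ACCEPT" "any $APP_PORT DROP"
}

# Same rules reversed: the DROP matches first and the LBR is locked out too.
rules_reversed() {
  printf '%s\n' "any $APP_PORT DROP" "$LBR_IP $APP_PORT ACCEPT"
}

# evaluate <rules-fn> <src-ip> <dport>
# Walks the list top to bottom, as the INPUT chain is evaluated, and prints the
# verdict of the first matching rule; with no match the chain policy applies
# (ACCEPT, the default policy in the stock iptables-services ruleset).
evaluate() {
  verdict=$( "$1" | while read -r rsrc rport rverdict; do
    if { [ "$rsrc" = any ] || [ "$rsrc" = "$2" ]; } && [ "$rport" = "$3" ]; then
      echo "$rverdict"
      break
    fi
  done )
  echo "${verdict:-ACCEPT}"
}

# The commands to run on each app server, built from the assumed values,
# followed by the persistence step for iptables-services.
iptables_commands() {
  printf 'iptables -A INPUT -p tcp --destination-port %s -s %s -j ACCEPT\n' "$APP_PORT" "$LBR_IP"
  printf 'iptables -A INPUT -p tcp --destination-port %s -j DROP\n' "$APP_PORT"
  printf 'service iptables save\n'
}

# check_saved_order < dump
# Reads an iptables-save dump from stdin (what /etc/sysconfig/iptables holds
# after "service iptables save") and reports what the grader needs:
#   exit 0  both rules saved, ACCEPT before DROP, nothing shadowing them
#   exit 1  one of the two rules is missing ("not added permanently")
#   exit 2  DROP saved before ACCEPT, so the LBR is blocked as well
#   exit 3  a catch-all REJECT/DROP sits above the ACCEPT and shadows both
# iptables-save writes -s addresses as addr/32 and --destination-port as --dport.
check_saved_order() {
  awk -v port="$APP_PORT" -v lbr="$LBR_IP" '
    /^-A INPUT/ {
      n++
      if ($0 ~ ("--dport " port " ") && $0 ~ ("-s " lbr "/32") && $0 ~ /-j ACCEPT$/ && !accept) accept = n
      else if ($0 ~ ("--dport " port " ") && $0 ~ /-j DROP$/ && !drop) drop = n
      else if ($0 ~ /^-A INPUT -j (REJECT|DROP)/ && !catchall) catchall = n
    }
    END {
      if (!accept || !drop) exit 1
      if (accept > drop) exit 2
      if (catchall && catchall < accept) exit 3
      exit 0
    }'
}

# sample_dump above|below
# Constructed (not captured) iptables-services style dump with the two task
# rules placed above or below the stock catch-all REJECT. "below" is what a
# plain "-A INPUT" gives on a fresh install, which is why the post above uses -R.
sample_dump() {
  task_rules="-A INPUT -s $LBR_IP/32 -p tcp -m tcp --dport $APP_PORT -j ACCEPT
-A INPUT -p tcp -m tcp --dport $APP_PORT -j DROP"
  reject='-A INPUT -j REJECT --reject-with icmp-host-prohibited'
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
    '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
    '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
  if [ "$1" = above ]; then printf '%s\n' "$task_rules" "$reject"
  else printf '%s\n' "$reject" "$task_rules"; fi
  printf 'COMMIT\n'
}
```

On a real app server the same check is `sudo iptables-save | check_saved_order` after `service iptables save`; an exit of 3 is the case the post above avoids with `-R INPUT 5`, because two rules appended after the catch-all REJECT are never reached even though they are saved.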
I have just finished the iptables task but it said FAILED, but in fact I think I did everything right.
It says that the rule was not added permanently on App Server 1, but I did run the sudo /sbin/iptables-save command. @Inderpreet could you please check it out.
Hi @OndrejH, I can't see any appended rule for the INPUT table in the iptables-save command output, as required for the task; that is why it failed. Please check once, or refer to the steps which I have provided above in this thread itself. See if this works.
Thanks for the reply. I forgot to add the additional screenshot which shows the INPUT rule (the screenshot from the previous comment is not complete).
This is the rest of the screenshot:
Hi Akshayyw, even though I had success with this task, I couldn't validate my work.
I have used the commands as follows:
iptables -A INPUT -p tcp --destination-port 5002 -s 172.16.238.14 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 5002 -j DROP
When I try to telnet from the load balancer using port 5002, it shows "no route to host".
I tried the command as telnet stapp03 5002. What have I done wrong here? Please take a look at the attached screenshot. Any help will be appreciated. Thanks.
Hi @nidhincn, the rules you set are correct, that is why it is marked as success. You are using incorrect syntax for the curl command. It should be just #curl stapp01:5002, no need to add the username tony there.
I followed these two articles to complete this task.
Updated iptables settings on app1, 2 and 3 as below:
iptables -A INPUT -p tcp --destination-port 3004 -s 172.16.238.14 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 3004 -j DROP
I followed this screenshot to verify my task.
I got the same results as Nidhi. However, my task failed after I submitted it.
Could one of you please let me know where I failed? BTW, these are the failure error message details on my task.
The task details show the error that the rules have not been added permanently.
Did you do #service iptables save? Also, no need to add the username tony there for curl, same as what Nidhi did.
Hi Akshay,
I did save the iptables, also while doing curl I did leave out the username.
However, as I recall, on app1 I might have executed these commands.
I should have retried it instead of submitting the results. Thank you
iptables -R INPUT 5 -p tcp --destination-port <port> -s 172.16.238.14 -j ACCEPT
and then appended this rule to the table:
iptables -A INPUT -p tcp --destination-port <port> -j DROP
Yeah, I had posted this earlier. The reason I replaced the first rule is that there is already a reject entry in the tables by default and iptables checks rules in order of precedence.
Below was the port number assigned in my task:
-A INPUT -p tcp --destination-port 5003 -s 172.16.238.14 -j ACCEPT
-A INPUT -p tcp --destination-port 5003 -j DROP