We have one of our websites up and running on our Nautilus infrastructure in Stratos DC. Our security team has raised a concern that right now port 6000 is open to all, since there is no firewall installed on these hosts. So we have decided to add a security layer for these hosts, and after discussions and recommendations we have come up with the requirements given below:
- Install iptables and all its dependencies on each app host.
- Block incoming port 6000 on all apps for everyone except the LBR host.
- Make sure the rules persist even after a system reboot.
I ran the below commands on stapp01:
yum install -y iptables-services
systemctl enable iptables
systemctl enable ip6tables
systemctl start iptables
systemctl start ip6tables
iptables -I INPUT -p tcp ! -s 172.16.238.14 --dport 6000 -j REJECT
iptables-save > /etc/sysconfig/iptables
When I tried to telnet to stapp01 from stlb01, it failed. Did I miss something?
telnet 172.16.238.10 6000
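As an added example that is not from the post, the script below simulates first-match evaluation of an INPUT chain so the effect of rule order can be checked offline: once over a constructed copy of the stock iptables-services chain with only the post's REJECT rule inserted at the top, and once with an explicit ACCEPT for the LBR placed ahead of it. The stock rules (including the trailing catch-all REJECT) are an assumption about the package default; the addresses are the post's.

```shell
# Added example, not part of the original post: a tiny first-match simulator
# for an iptables-save style INPUT chain. It understands only the matchers in a
# stock iptables-services ruleset (-p, -s, ! -s, --dport, -i, --state) and
# models a brand-new TCP connection arriving on a non-loopback interface.
# Constructed sample: assumed CentOS iptables-services default chain with the
# post's "REJECT 6000 unless from the LBR" rule inserted at the top (-I INPUT).
SAMPLE_RULES='-A INPUT -p tcp ! -s 172.16.238.14 --dport 6000 -j REJECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
# Same chain with an explicit ACCEPT for the LBR placed before everything else.
FIXED_RULES="-A INPUT -p tcp -s 172.16.238.14 --dport 6000 -j ACCEPT
$SAMPLE_RULES"
# rule_matches SRC DPORT RULE-WORDS... : exit 0 when a new TCP packet from SRC
# to DPORT satisfies every matcher in the rule. Sets RULE_TARGET from -j.
rule_matches() {
  src=$1; dport=$2; shift 2
  neg=0; hit=1; RULE_TARGET=
  while [ $# -gt 0 ]; do
    case $1 in
      '!') neg=1 ;;                                   # negates the next matcher
      -s) if [ "$2" = "$src" ]; then eq=0; else eq=1; fi
          [ "$eq" -eq "$neg" ] || hit=0; neg=0; shift ;;  # match iff equal XOR negated
      -p) [ "$2" = tcp ] || hit=0; shift ;;
      --dport) [ "$2" = "$dport" ] || hit=0; shift ;;
      -i) [ "$2" != lo ] || hit=0; shift ;;             # packet is not on loopback
      --state) case $2 in *NEW*) ;; *) hit=0 ;; esac; shift ;;
      -j) RULE_TARGET=$2; shift ;;
      -A|-m|--reject-with) shift ;;                   # chain / module / reject type
    esac
    shift
  done
  [ "$hit" -eq 1 ]
}
# verdict_for SRC DPORT RULES : prints the target of the first matching rule,
# or ACCEPT (the chain's default policy) if no rule matched.
verdict_for() {
  while read -r line; do
    [ -n "$line" ] || continue
    if rule_matches "$1" "$2" $line; then echo "$RULE_TARGET"; return 0; fi
  done <<EOF
$3
EOF
  echo ACCEPT
}
# Demo: LBR first, then some other host; inserted-only / with-accept verdicts.
for s in 172.16.238.14 172.16.238.15; do
  echo "$s -> 6000: $(verdict_for "$s" 6000 "$SAMPLE_RULES") / $(verdict_for "$s" 6000 "$FIXED_RULES")"
done
```

With only the inserted rule, the LBR's packet is exempted from the top REJECT but then falls through to the catch-all REJECT at the end of the chain; placing an explicit ACCEPT for the LBR ahead of it gives the intended verdicts.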