Setting up a firewall in a secure network

Set up a firewall on all compute nodes in an IBM® Spectrum Cluster Foundation Community Edition cluster within a secure network by configuring the iptables settings.

About this task

In this task, the iptables settings are configured on all compute nodes that are placed in a secure network cluster. To configure extra security rules, more configurations might be required on the network switches.

Procedure

  1. Log in to the Web Portal as a system administrator.
  2. Click the Clusters tab and select the Cluster Templates menu item.
  3. Select an existing cluster template, and click Modify, or click New to create a cluster template.
  4. From the Cluster Template Designer, under the Prebuilt Templates menu, select Script Template > Secure Network Firewall Sample and drag the Secure Network Sample to the post-provision script layer of the tier that you want to set up a firewall on.
  5. Select the newly added Secure Network Firewall Sample and modify the script properties and variables.
    1. Go to the User-defined Variables tab, and click Add to add a variable that is named PROVISION_NICS. The type must be set to Single Value and the value must be set to the name of your provisioning network interface. For example, eth0.
    2. Go to the Properties tab. To edit the script in any way, select the Edit option. If no changes are made, the default configuration is applied to all of the nodes in this tier.
      • By default, for a provisioning NIC the following connections are enabled:
        • I/O SSH connections
        • I/O DNS connections
        • NFS server connection
          Note: This connection must be enabled for compute nodes to mount exported directories through NFS using fixed port numbers.
        • GPFS connection
        • LDAP server connection

        By default, for any other NIC, these connections are all disabled.

  6. If no changes were made to the script in step 5, specifically, if the NFS server connection is still enabled on fixed ports, ensure that the NFS settings are correct. Otherwise, omit this step. Set the IBM Spectrum Cluster Foundation Community Edition management node settings so that the NFS server listens on the fixed ports. These settings ensure that the compute nodes can mount the exported directories.
    1. Modify the nfs file in the /etc/sysconfig directory. Specify fixed port numbers for the following items:
            LOCKD_TCPPORT=32803
            LOCKD_UDPPORT=32769
            MOUNTD_PORT=892
            RQUOTAD_PORT=875
            STATD_PORT=662
            STATD_OUTGOING_PORT=2020
    2. Restart the NFS service:
      • On RHEL:
           # service nfslock restart
           # service nfs restart
           # service rpcsvcgssd restart
      • On SLES:
           # service portmap restart
           # service nfs restart
           # service rpcsvcgssd restart
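
The following check is an added example, not part of the product or of the Secure Network Firewall Sample script. It confirms that a sysconfig-style file sets the six fixed NFS ports from step 6 before the services are restarted. The function names check_nfs_ports and nfs_port_value are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify the fixed NFS ports from step 6 in a sysconfig-style file.
# The expected values are the ones listed in the procedure.
EXPECTED_NFS_PORTS='LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020'

# nfs_port_value FILE KEY
# Prints the effective value of KEY. Commented-out lines are ignored and the
# last assignment wins, as it would when the file is sourced. Quotes,
# whitespace and trailing comments are stripped.
nfs_port_value() {
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" |
        tail -n 1 | tr -d "\"' \t\r"
}

# check_nfs_ports FILE
# Returns 0 when every port has its fixed value, 1 on any mismatch or
# missing setting, 2 when the file cannot be read.
check_nfs_ports() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for pair in $EXPECTED_NFS_PORTS; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(nfs_port_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: expected $want, found ${got:-<unset>}" >&2
            rc=1
        fi
    done
    return $rc
}

# Run against the file given on the command line, for example /etc/sysconfig/nfs.
if [ "$#" -gt 0 ]; then
    check_nfs_ports "$1"
fi
```

A mismatch means the NFS server would listen on a port other than the fixed one named in step 6.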

Results

All compute nodes are placed in a secure network cluster.