Default open ports
The following ports are open by default on the IBM® StoredIQ®.
SSH port 22
By default, port 22 is open on all IBM StoredIQ hosts. The port is used for Secure Shell (SSH) communication and allows remote administrative access to the VM. SSH traffic is encrypted; by default, logins use password authentication. To add a layer of security, you can set up key-based authentication for passwordless SSH logins to any of the IBM StoredIQ nodes in your environment, as described in Configuring SSH key-based authentication.
Default open ports on the AppStack
Port number | Protocol |
---|---|
22 | tcp |
80 | tcp |
443 | tcp |
Default open ports on the IBM StoredIQ data server
Port number | Protocol | Service |
---|---|---|
22 | tcp | PROD-ssh |
80 | tcp | PROD-web |
443 | tcp | PROD-https (UI and Web Services APIs) |
11103 | tcp | PROD-transport (IBM StoredIQ transport services; communication between the gateway and the data server) |
11104 | tcp | PROD-transport (IBM StoredIQ transport services; communication between the gateway and the data server) |
Enable or disable ports or services on the IBM StoredIQ data server
python /usr/local/storediq/bin/util/port_handler.pyc -parameter
- -s: lists the current rules in iptables.
- -l: lists the supported services.
- -d port_number|'port_range': deletes a port or a range of port numbers from iptables, for example:
  python /usr/local/storediq/bin/util/port_handler.pyc -d '21200:21299'
- -e 'service_name': enables a specific service, for example, to enable HTTPS services:
  python /usr/local/storediq/bin/util/port_handler.pyc -e 'PROD-https'
- -d 'service_name': disables a specific service, for example, to disable HTTPS services:
  python /usr/local/storediq/bin/util/port_handler.pyc -d 'PROD-https'
Default open ports on the nodes in the Elasticsearch cluster
Port number | Protocol | Service |
---|---|---|
21 | tcp | ftp |
22 | tcp | sshd |
80 | tcp | |
443 | tcp | |
8888 | tcp | SimpleHTTPServer (used for copying the siq-elasticsearch.yml configuration file from the Elasticsearch node to the data server) |
9200 | tcp6 | docker-proxy (listening for REST requests) You can restrict access to this port by enabling stunnel with HTTPS or by setting up a firewall. For more information, see Securing Elasticsearch cluster communication or Restricting access to port 9200 on Elasticsearch nodes. |
9300 | tcp6 | docker-proxy (internode communication) |
Default open ports on the IBM StoredIQ gateway
Port number | Protocol | Service |
---|---|---|
22 | tcp | PROD-ssh |
80 | tcp | PROD-web |
443 | tcp | PROD-https (UI and Web Services APIs) |
5432 | tcp | PROD-postgres |
5434 | tcp | PROD-transport (IBM StoredIQ transport services; communication between the gateway and the data server) |
8765 | tcp | PROD-transport |
7766 | tcp | PROD-transport |
11102 | tcp | PROD-transport |
11103 | tcp | PROD-transport |
11104 | tcp | PROD-transport |
Supported chain and rules on the IBM StoredIQ gateway
In iptables, the following firewall and chain rules are defined:
'PROD-transport':['5434','8765','7766','11102','11103','11104'],
'PROD-https':['443'],
'PROD-ssh':['22'],
'PROD-web':['80'],
'PROD-postgres':['5432']
Chains that are enabled by the 'desktop' service:
'PROD-broker':['21000'],
'PROD-collectionsvc':['21300:21399'],
'PROD-desktopupgrade':['21004'],
'PROD-objlistmgr':['21100:21199'],
'PROD-objlistsvc':['21200:21299'],
'PROD-registration':['21001'],
'PROD-session':['21002'],
'PROD-task':['21003'],
Open ports for desktop client access to the data server
1. Log in to the data server as root and run this command:
python /usr/local/storediq/bin/util/port_handler.pyc -e desktop
2. Run this command:
iptables -L INPUT
In the output of the command, check the list position of the rule that is named PROD-reject, for example, the 6th position on the list.
3. Run this command:
iptables -A INPUT -j PROD-reject
4. Run this command:
iptables -D INPUT list_position
list_position is the position number of the PROD-reject rule that you determined in step 2.
5. Run the following command:
python /usr/local/storediq/bin/util/port_handler.pyc -e desktop
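Counting the PROD-reject position by hand in steps 2 to 4 is error-prone, so the following added example (not from the IBM StoredIQ documentation) reads the position from the output of `iptables -L INPUT --line-numbers` (a standard iptables option the procedure above does not use), prints the append and delete commands in the order the procedure requires, and checks that PROD-reject ends up last. The chain names are the ones on this page; the INPUT listing it parses is constructed, not captured from a data server.

```shell
#!/bin/sh
# Added example, not from the IBM StoredIQ documentation. Chain names are
# the ones this page lists; the INPUT listing below is constructed.

# Position (1-based) of the first INPUT rule whose target is $1. Reads
# `iptables -L INPUT --line-numbers` output on stdin; rule rows start
# with a number, the "Chain ..." and "num target ..." header rows do not.
find_rule_position() {
    awk -v t="$1" '$1 ~ /^[0-9]+$/ && $2 == t { print $1; exit }'
}

# Succeed only if the last rule in the listing on stdin jumps to $1. After
# steps 3 and 4 this must hold for PROD-reject: iptables stops at the
# first matching rule, so rules placed after the reject are never reached.
is_last_rule() {
    awk -v t="$1" '$1 ~ /^[0-9]+$/ { last = $2 } END { exit (last == t) ? 0 : 1 }'
}

# Print the commands of steps 3 and 4 for the listing given as $2: append
# first, then delete by the old position, which is still valid because -A
# only adds at the end. Nothing is applied; review them before running.
plan_move_to_end() {
    pos=$(printf '%s\n' "$2" | find_rule_position "$1")
    [ -n "$pos" ] || { echo "no $1 rule in INPUT" >&2; return 1; }
    printf 'iptables -A INPUT -j %s\n' "$1"
    printf 'iptables -D INPUT %s\n' "$pos"
}

# Rewrite a listing as it would look after those two commands, so the
# result can be checked offline with is_last_rule before touching a host.
simulate_move_to_end() {
    printf '%s\n' "$2" | awk -v t="$1" '
        $1 !~ /^[0-9]+$/ { print; next }
        $2 == t { saved = $0; next }
        { $1 = ++n; print }
        END { if (saved != "") { $0 = saved; $1 = ++n; print } }'
}

# Constructed listing in `iptables -L INPUT --line-numbers` format, with
# PROD-reject at position 6 and a desktop chain appended after it.
LISTING_BEFORE='Chain INPUT (policy ACCEPT)
num  target          prot opt source    destination
1    ACCEPT          all  --  anywhere  anywhere
2    PROD-ssh        tcp  --  anywhere  anywhere
3    PROD-web        tcp  --  anywhere  anywhere
4    PROD-https      tcp  --  anywhere  anywhere
5    PROD-transport  tcp  --  anywhere  anywhere
6    PROD-reject     all  --  anywhere  anywhere
7    PROD-broker     tcp  --  anywhere  anywhere'
```

On a live data server, as root after step 2, `plan_move_to_end PROD-reject "$(iptables -L INPUT --line-numbers)"` prints the two commands for that host, and piping a fresh listing into `is_last_rule PROD-reject` confirms the move afterwards.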