Troubleshooting
Problem
For security reasons you may want to block specific ports in your Netezza appliance environment. The iptables command line program can be used to achieve that goal.
Resolving The Problem
The iptables command configures the Linux kernel packet filter. According to netfilter.org, "iptables is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset."
Note: There could be connectivity or performance issues if iptables is configured incorrectly.
By default, NPS does not configure or run iptables. You can, however, use iptables to block ports. In this example, we will be blocking the following ports on the NPS:
tcp/80
tcp/21
tcp/111
To block these ports, follow the instructions below.
1. As user root, stop the iptables service:
service iptables stop
2. Delete the current iptables file:
rm -f /etc/sysconfig/iptables
3. Start iptables:
service iptables start
4. Run the following commands at the CLI, in this order:
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 80 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 21 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p all -j ACCEPT
iptables -A OUTPUT -p all -j ACCEPT
5. Save the new iptables configuration:
iptables-save -c > /etc/sysconfig/iptables
6. List the configuration to verify filters:
iptables -L
7. To test, use the netcat command from another Linux host to check each port on the NPS. For example:
For TCP ports:
nc -zv nps_host port
For UDP ports, add the -u option:
nc -zvu nps_host port
The following is a sample result of running netcat on tcp/80 after using iptables to block tcp/80:
[nz@NZ80673-H1 ~]$ nc -zv cs-spubox1 80
nc: connect to cs-spubox1 port 80 (tcp) failed: Connection refused
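Because iptables evaluates the INPUT chain top to bottom, the three DROP rules in step 4 only take effect if they sit above the catch-all ACCEPT; a DROP appended after it is never reached for new connections. The following script, added here as an example and not part of the original technote, parses an iptables-save -c dump (a constructed sample, not real NPS output) and confirms that ordering for each blocked port.

```shell
#!/bin/sh
# Constructed sample of an iptables-save -c dump, in the order step 4 produces.
# It is not a capture from a real NPS; the [pkts:bytes] counters are made up.
GOOD_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[3:180] -A INPUT -p tcp -m tcp --dport 80 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 21 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 111 -j DROP
[42:6000] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[7:420] -A INPUT -j ACCEPT
[50:7000] -A OUTPUT -j ACCEPT
COMMIT'

# Same idea with the catch-all ACCEPT appended before the DROP, which is
# what you get if the step 4 commands are run in the wrong order.
BAD_DUMP='*filter
:INPUT ACCEPT [0:0]
[7:420] -A INPUT -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j DROP
COMMIT'

# check_port_blocked DUMP PORT
# Returns 0 if the INPUT chain drops new tcp/PORT connections before any
# catch-all ACCEPT, 1 otherwise. The optional "[n:n] " prefix is the
# counter that iptables-save -c writes in front of every rule.
check_port_blocked() {
  printf '%s\n' "$1" | awk -v port="$2" '
    /^(\[[0-9]+:[0-9]+\] )?-A INPUT / {
      # First catch-all ACCEPT: rules after it are never reached for new flows.
      if ($0 ~ /-j ACCEPT$/ && $0 !~ /--dport/ && $0 !~ /--state/) exit (found ? 0 : 1)
      # A DROP for exactly this port (not a prefix such as 8080) seen before the catch-all.
      if ($0 ~ /-p tcp/ && $0 ~ /-j DROP$/ && $0 ~ ("--dport " port "( |$)")) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Report on each port the technote blocks, plus one it does not.
for p in 80 21 111 22; do
  if check_port_blocked "$GOOD_DUMP" "$p"; then
    echo "tcp/$p: DROP precedes catch-all ACCEPT"
  else
    echo "tcp/$p: NOT blocked before catch-all ACCEPT"
  fi
done
```

On a live NPS, feed the real output of iptables-save -c to check_port_blocked instead of the constructed sample.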
Historical Number
NZ127164
Document Information
Modified date: 17 October 2019
UID: swg21566607