This topic provides guidelines for restricting network access and managing iptables rules.
This section provides basic guidance on setting up a firewall around your Eucalyptus components. It is not intended to be exhaustive.
On the CLC, Walrus, SC, and VB (VMware Broker), you should allow the following jGroups traffic:
On the CLC, you should additionally allow the following connections:
On the CC, you should ensure that all firewall rules are compatible with the dynamic changes performed by Eucalyptus, described in the section below. You should also allow the following connections:
On Walrus, you should also allow the following connections:
On the SC, you should also allow the following connections:
On the VMware Broker, you should also allow the following connections:
On the NC, you should allow the following connections:
In Managed and Managed (No VLAN) modes, Eucalyptus flushes the CC's iptables rules in both the filter and nat tables, then sets the default policy of the FORWARD chain in the filter table to DROP. At run time, the CC adds and removes rules in FORWARD as users add and remove ingress rules in their active security groups. In addition, the CC configures the nat table so that VMs can reach the external network through IP masquerading, and it dynamically adds and removes nat rules as users assign and unassign public IPs to VMs at instance boot or at run time.
If you have your own rules that you want to apply on the CC, save them to the preload file with the following command on the CC before you start Eucalyptus or while Eucalyptus is stopped:
iptables-save > /etc/eucalyptus/iptables-preload
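As an added example (not from the Eucalyptus documentation), the POSIX shell script below writes a constructed preload file in iptables-save format and lints it offline before the CC loads it: it checks that every table block opens with a `*table` line and closes with COMMIT, and warns about rules placed in the filter FORWARD chain or in the nat table, which the CC rewrites at run time as described above. The sample rules, the admin network 192.0.2.0/24 and the treatment of FORWARD and nat as CC-managed are assumptions.

```shell
#!/bin/sh
# Added example, not Eucalyptus code: build and sanity-check a CC preload file.

# write_preload FILE: write a constructed sample in iptables-save format.
# Host-protection rules go in INPUT only; FORWARD and nat are left to the CC.
write_preload() {
    cat > "$1" <<'EOF'
# constructed sample, not captured from a real CC (assumed admin net 192.0.2.0/24)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# check_preload FILE: exit 0 if the file is structurally sound, 1 otherwise.
# Prints ERROR lines for structural faults and WARN lines for rules appended
# to filter FORWARD or to any nat chain (assumed to be managed by the CC).
check_preload() {
    awk '
        BEGIN { bad = 0; table = "" }
        /^#/ || /^[[:space:]]*$/ { next }
        /^\*/ {
            if (table != "") { print "ERROR: " table " lacks COMMIT"; bad = 1 }
            table = substr($0, 2); next
        }
        /^COMMIT$/ {
            if (table == "") { print "ERROR: COMMIT outside a table"; bad = 1 }
            table = ""; next
        }
        table == "" { print "ERROR: line outside a table: " $0; bad = 1; next }
        /^-A / {
            if ((table == "filter" && $2 == "FORWARD") || table == "nat")
                print "WARN: " table " " $2 " is rewritten by the CC at run time: " $0
        }
        END {
            if (table != "") { print "ERROR: " table " lacks COMMIT"; bad = 1 }
            exit bad
        }
    ' "$1"
}
```

Run `write_preload /tmp/preload && check_preload /tmp/preload` to see the output; the same check can be pointed at an existing /etc/eucalyptus/iptables-preload.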