HP XC System Software Administration Guide Version 3.2

NOTE: If you are using IPv6, you need to configure the /etc/sysconfig/ip6tables.proto
file. The method for doing so is analogous to configuring the iptables.proto file.
If a service is not aware of the external physical Ethernet port, it cannot communicate
through its corresponding virtual ports unless you configure the firewall for it manually.
As shipped, the firewall prototype file, /etc/sysconfig/iptables.proto, contains these
lines to configure the firewall:
-A RH-Firewall-1-INPUT -i External -p tcp -m tcp --dport 22 -j ACCEPT      (1)
-A RH-Firewall-1-INPUT -i External -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i External1 -p tcp -m tcp --dport 22 -j ACCEPT     (2)
-A RH-Firewall-1-INPUT -i External1 -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i External2 -p tcp -m tcp --dport 22 -j ACCEPT     (3)
-A RH-Firewall-1-INPUT -i External2 -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i External3 -p tcp -m tcp --dport 22 -j ACCEPT     (4)
-A RH-Firewall-1-INPUT -i External3 -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i External4 -p tcp -m tcp --dport 22 -j ACCEPT     (5)
-A RH-Firewall-1-INPUT -i External4 -p tcp -m tcp --dport 443 -j ACCEPT

(1) This line opens virtual port 22 for TCP on the first (non-added) physical external Ethernet
port, External. The subsequent line performs the same function for virtual port 443.

(2) This line opens virtual port 22 for TCP on the first additional physical external Ethernet
port, External1. The subsequent line performs the same function for virtual port 443.

(3) This line opens virtual port 22 for TCP on the second additional physical external Ethernet
port, External2. The subsequent line performs the same function for virtual port 443.

(4) This line opens virtual port 22 for TCP on the third additional physical external Ethernet
port, External3. The subsequent line performs the same function for virtual port 443.

(5) This line opens virtual port 22 for TCP on the fourth additional physical external Ethernet
port, External4. The subsequent line performs the same function for virtual port 443.
You can modify these lines in the iptables.proto file to configure each logical network
independently from the others across the HP XC system.
When no Ethernet device serves in the position of a particular network, the line in the
iptables.proto file is ignored. In effect, the line is dropped from the actual configuration.
For information on opening IP ports in the firewall, see Chapter 12 (page 153).
Node-Specific Format for the -i Option
The iptables.proto file also has a node-specific format that allows you to control a virtual
port for external Ethernet ports only on selected nodes:
-i condensed_nodelist[::External[n]]
This syntax allows you to open or close ports for a given physical external Ethernet port on the
nodes specified by the condensed_nodelist. For example:
-A RH-Firewall-1-INPUT -i External -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i External -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i External1 -p tcp -m tcp --dport 22 -j ACCEPT            (1)
-A RH-Firewall-1-INPUT -i External1 -p tcp -m tcp --dport 443 -j ACCEPT           (2)
-A RH-Firewall-1-INPUT -i n19::External1 -p tcp -m tcp --dport 20,21 -j ACCEPT    (3)
-A RH-Firewall-1-INPUT -i External2 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i External2 -p tcp -m tcp --dport 443 -j ACCEPT
...

(1) This line opens virtual port 22 for TCP on the first added physical external Ethernet port,
External1, on all nodes in the HP XC system. The text -i External1 matches all nodes, so
virtual port 22 will be open on all nodes with External1 connections.
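The two rules described above (a prototype line is dropped wherever no device occupies that External position, and a -i nodelist::ExternalN prefix restricts a line to the listed nodes) can be checked before a proto file is deployed. The following script is an added example written for this guide, not HP's own iptables.proto processor; it expands a constructed prototype file into the rules that would take effect on one node and reports every line that was dropped and why. The condensed node-list syntax it accepts (a single node such as n19, or a bracketed range such as n[1-3,19]) is an assumption made for the example.

```python
"""Expand an iptables.proto-style file into the rules effective on one node.

Added illustration of the behaviour the guide describes; not the HP XC tooling.
The condensed node-list syntax ("n19", "n[1-3,19]") is assumed for this example.
"""
import re

# Constructed sample, modelled on the listing in the guide (not a real shipped file).
SAMPLE_PROTO = """\
-A RH-Firewall-1-INPUT -i External -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i External -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i External1 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i External1 -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i n19::External1 -p tcp -m tcp --dport 20,21 -j ACCEPT
-A RH-Firewall-1-INPUT -i External2 -p tcp -m tcp --dport 22 -j ACCEPT
"""


def expand_nodelist(spec):
    """Expand an assumed condensed node list ('n19' or 'n[1-3,19]') to a set of node names."""
    m = re.fullmatch(r"([A-Za-z]+)(?:(\d+)|\[([0-9,\-]+)\])", spec)
    if not m:
        raise ValueError(f"unrecognised node list: {spec!r}")
    prefix, single, ranges = m.groups()
    if single is not None:
        return {prefix + single}
    nodes = set()
    for part in ranges.split(","):
        lo, _, hi = part.partition("-")
        hi = hi or lo
        nodes.update(f"{prefix}{i}" for i in range(int(lo), int(hi) + 1))
    return nodes


def effective_rules(proto_text, node, present_ifaces):
    """Return (kept, dropped) for `node`.

    present_ifaces: the External* positions that have a physical device on `node`.
    A line is dropped when its node prefix excludes `node` or its device is absent;
    a kept node-specific line is emitted with the prefix removed.
    """
    kept, dropped = [], []
    for raw in proto_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if "-i" not in tokens:
            kept.append(line)  # no interface match: applies everywhere
            continue
        pos = tokens.index("-i") + 1
        nodelist, _, iface = tokens[pos].rpartition("::")
        if nodelist and node not in expand_nodelist(nodelist):
            dropped.append((line, f"node {node} not in {nodelist}"))
            continue
        if iface not in present_ifaces:
            dropped.append((line, f"no device in position {iface}"))
            continue
        tokens[pos] = iface
        kept.append(" ".join(tokens))
    return kept, dropped


if __name__ == "__main__":
    # Two nodes, each with devices only in the External and External1 positions.
    for node in ("n19", "n3"):
        kept, dropped = effective_rules(SAMPLE_PROTO, node, {"External", "External1"})
        print(f"== {node}: {len(kept)} rules kept, {len(dropped)} dropped")
        for rule in kept:
            print("   ", rule)
        for rule, why in dropped:
            print("   # dropped:", why, "|", rule)
```

Run per node to review which virtual ports would actually be open there: on n19 the FTP rule survives with its prefix stripped, on any other node it is dropped, and on both the External2 line disappears because no device occupies that position.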
22.6 Incorporating External Network Interface Cards 285