vCloud Director RHEL Firewall Settings - RHEL5 and RHEL6

*UPDATED 4/19/13 FOR RHEL6* SCROLL TO END OF ARTICLE

 

This has been a fun project because I'm a n00b at Linux. If you know a better way of implementing this, please let me know. Most of the walkthroughs you find online about setting up a vCloud Director Cell (such as yellow-bricks) talk about just turning the firewall off completely or they completely skip this step. I see why now. There are a bunch of services that need to talk not only to other vCloud Cells, but to other services all around the datacenter.

 

The VMware vCloud Installation and Configuration Guide shows us what ports need to be open, but I came up with a few different kinds of implementation scenarios.

 

The first thing you need to do during the initial setup is to make sure the firewall is enabled and untick any services that are checked by default (SSH should be the only one left enabled).

 

 

 

I also tend to set SELinux to Permissive because I don't know much about it.

 

 

To edit the firewall on RHEL, become root and open the iptables system configuration in vi or nano:

su -

nano /etc/sysconfig/iptables

If you are using nano, press ctrl+x and then y to save your configuration. If you're using vi, press :wq (write and quit).

 

After these configurations are done, you can either reboot your cell or you can restart the firewall services by running:

/etc/init.d/iptables restart

 

To view the currently loaded firewall rules:

iptables --list

 

Every one of the rule sets below goes into the same place in the file: after the default rules (the last of which is the CUPS line for port 631) and before the final ESTABLISHED,RELATED and REJECT lines. Order matters here, because the REJECT line is the catch-all and anything placed after it is never reached. The dotted lines mark where the vCloud Director block is inserted:

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
.....
..... #Begin Listing vCloud Director Ports
.....
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

 

 

The first scenario is more secure than simply disabling the firewall, without getting so granular that it looks like you're running an ASA.

 

# Begin listing vCloud Director Ports Needed
# vCloud WebServices & vCenter/ESX Connections
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# vCloud Optional
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# SSH
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# vCloud Remote Console
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 902 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 903 -j ACCEPT
#NFS
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --sport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --sport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --sport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
#DNS
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#NTP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
#LDAP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 389 -j ACCEPT
#SMTP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 25 -j ACCEPT
#Syslog
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
#vCenter & ESX
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 902 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 903 -j ACCEPT
#Default Microsoft SQL Connections
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1433 -j ACCEPT
#Default Oracle Port Connections
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
#AMQP Messaging (if Server exists)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5672 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5672 -j ACCEPT
#ActiveMQ
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 61611 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 61616 -j ACCEPT
# End listing vCloud Director Ports Needed

 

 

This second scenario hardens things a bit by calling out specific IPs. Use IP addresses rather than DNS names or FQDNs: iptables loads during startup before name resolution is fully working, so rules that contain hostnames fail to load. If you can script /etc/init.d/iptables restart to run after boot, DNS names or FQDNs will work:

 

# Begin listing vCloud Director Ports Needed
# vCloud WebServices
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# vCloud Optional
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# SSH
-A RH-Firewall-1-INPUT -i eth1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# vCloud Remote Console
-A RH-Firewall-1-INPUT -i eth1 -m state --state NEW -m tcp -p tcp --dport 902 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -m state --state NEW -m tcp -p tcp --dport 903 -j ACCEPT
#NFS Transfer Service from other vCD Cells - Add for every vCD Cell
-A RH-Firewall-1-INPUT -d IP_of_vCD-Cell -i eth0 -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_vCD-Cell -i eth0 -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_vCD-Cell -i eth0 -m state --state NEW -m tcp -p tcp --dport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_vCD-Cell -i eth0 -m state --state NEW -m udp -p udp --dport 920 -j ACCEPT
#NFS Transfer Service NFS Datastore
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m tcp -p tcp --sport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m udp -p udp --sport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m tcp -p tcp --dport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m tcp -p tcp --sport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m udp -p udp --dport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m udp -p udp --sport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m tcp -p tcp --sport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m tcp -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m udp -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
#DNS - Configure for every DNS Server
-A RH-Firewall-1-INPUT -d IP_of_DNS_Server -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_DNS_Server -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#NTP - Configure for every NTP Server
-A RH-Firewall-1-INPUT -d IP_of_NTP_Server -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NTP_Server -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
#LDAP - Configure for every LDAP Server
-A RH-Firewall-1-INPUT -d IP_of_LDAP_Server -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_LDAP_Server -m state --state NEW -m udp -p udp --dport 389 -j ACCEPT
#SMTP - Configure for every SMTP Server
-A RH-Firewall-1-INPUT -d IP_of_SMTP_Server -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_SMTP_Server -m state --state NEW -m udp -p udp --dport 25 -j ACCEPT
#Syslog - Configure for every Syslog Server
-A RH-Firewall-1-INPUT -d IP_of_Syslog_Server -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
#vCenter & ESX the simple way
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 902 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 903 -j ACCEPT
#vCenter & ESX - Configure for every vCenter & ESXi_Server
#-A RH-Firewall-1-INPUT -d IP_of_vCenter&ESXi_Server -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#-A RH-Firewall-1-INPUT -d IP_of_vCenter&ESXi_Server -m state --state NEW -m tcp -p tcp --dport 902 -j ACCEPT
#-A RH-Firewall-1-INPUT -d IP_of_vCenter&ESXi_Server -m state --state NEW -m tcp -p tcp --dport 903 -j ACCEPT
#Default Microsoft SQL Connections
-A RH-Firewall-1-INPUT -d IP_of_SQL_Server -m state --state NEW -m tcp -p tcp --dport 1433 -j ACCEPT
#Default Oracle Port Connections
-A RH-Firewall-1-INPUT -d IP_of_Oracle_Server -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
#AMQP Messaging for task extensions (if Server exists)
-A RH-Firewall-1-INPUT -d IP_of_AMQP_Server -m state --state NEW -m tcp -p tcp --dport 5672 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_AMQP_Server -m state --state NEW -m udp -p udp --dport 5672 -j ACCEPT
#ActiveMQ between vCD Cells
-A RH-Firewall-1-INPUT -d IP_of_vCD-Cell -m state --state NEW -m tcp -p tcp --dport 61611 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_vCD-Cell -m state --state NEW -m tcp -p tcp --dport 61616 -j ACCEPT
#ActiveMQ to Server
-A RH-Firewall-1-INPUT -d IP_of_ActiveMQ -m state --state NEW -m tcp -p tcp --dport 61611 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_ActiveMQ -m state --state NEW -m tcp -p tcp --dport 61616 -j ACCEPT
# End listing vCloud Director Ports Needed

 

 

 

This third scenario takes into account Hany Michael's 3 vNIC approach, with the vCD Cell sitting in the DMZ facing the public internet (see his post "Publishing the vCloud Director portal on the Internet"). In addition to the rules below, I would comment out (#) the default lines that allow SSH and ping replies so they aren't reachable from the internet. You could also close port 631, which from my research is only used for CUPS printing:

#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

 

Even more secure, with 3 vNICs and a public-facing vCD Cell:

# Begin listing vCloud Director Ports Needed
# vCloud WebServices
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# vCloud Optional
#-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# SSH
-A RH-Firewall-1-INPUT -i eth2 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# vCloud Remote Console
-A RH-Firewall-1-INPUT -i eth1 -m state --state NEW -m tcp -p tcp --dport 902 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -m state --state NEW -m tcp -p tcp --dport 903 -j ACCEPT
#NFS Transfer Service from other vCD Cells - Add for every vCD Cell
-A RH-Firewall-1-INPUT -d IP_of_vCD-Cell -i eth2 -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_vCD-Cell -i eth2 -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_vCD-Cell -i eth2 -m state --state NEW -m tcp -p tcp --dport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_vCD-Cell -i eth2 -m state --state NEW -m udp -p udp --dport 920 -j ACCEPT
#NFS Transfer Service NFS Datastore
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m tcp -p tcp --sport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m udp -p udp --sport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m tcp -p tcp --sport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m udp -p udp --dport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m udp -p udp --sport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m tcp -p tcp --sport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m udp -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
#DNS - Configure for every DNS Server
-A RH-Firewall-1-INPUT -d IP_of_DNS_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_DNS_Server -i eth2 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#NTP - Configure for every NTP Server
-A RH-Firewall-1-INPUT -d IP_of_NTP_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NTP_Server -i eth2 -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
#LDAP - Configure for every LDAP Server
-A RH-Firewall-1-INPUT -d IP_of_LDAP_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_LDAP_Server -i eth2 -m state --state NEW -m udp -p udp --dport 389 -j ACCEPT
#SMTP - Configure for every SMTP Server
-A RH-Firewall-1-INPUT -d IP_of_SMTP_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_SMTP_Server -i eth2 -m state --state NEW -m udp -p udp --dport 25 -j ACCEPT
#Syslog - Configure for every Syslog Server
-A RH-Firewall-1-INPUT -d IP/DNS/FQDN_of_Syslog_Server -i eth2 -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
#vCenter & ESX the simple way
-A RH-Firewall-1-INPUT -i eth2 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth2 -m state --state NEW -m tcp -p tcp --dport 902 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth2 -m state --state NEW -m tcp -p tcp --dport 903 -j ACCEPT
#vCenter & ESX - Configure for every vCenter & ESXi_Server
#-A RH-Firewall-1-INPUT -d IP_of_vCenter&ESXi_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#-A RH-Firewall-1-INPUT -d IP_of_vCenter&ESXi_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 902 -j ACCEPT
#-A RH-Firewall-1-INPUT -d IP_of_vCenter&ESXi_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 903 -j ACCEPT
#Default Microsoft SQL Connections
-A RH-Firewall-1-INPUT -d IP_of_SQL_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 1433 -j ACCEPT
#Default Oracle Port Connections
-A RH-Firewall-1-INPUT -d IP_of_Oracle_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
#AMQP Messaging for task extensions (if Server exists)
-A RH-Firewall-1-INPUT -d IP_of_AMQP_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 5672 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_AMQP_Server -i eth2 -m state --state NEW -m udp -p udp --dport 5672 -j ACCEPT
#ActiveMQ between vCD Cells
-A RH-Firewall-1-INPUT -d IP_of_vCD-Cell -i eth2 -m state --state NEW -m tcp -p tcp --dport 61611 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_vCD-Cell -i eth2 -m state --state NEW -m tcp -p tcp --dport 61616 -j ACCEPT
#ActiveMQ to Server
-A RH-Firewall-1-INPUT -d IP_of_ActiveMQ -i eth2 -m state --state NEW -m tcp -p tcp --dport 61611 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_ActiveMQ -i eth2 -m state --state NEW -m tcp -p tcp --dport 61616 -j ACCEPT
# End listing vCloud Director Ports Needed
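Before restarting iptables with a hand-edited file like the ones above, it is worth checking the file for the mistakes that copy/paste and placeholders invite, and walking a few sample packets through the chain to confirm which rule actually fires. The script below is an added example and is not part of the original post or of any VMware or Red Hat tooling. It parses iptables-save style lines, flags four things (unreplaced IP_of_ placeholders, ACCEPT rules left below the catch-all REJECT, ACCEPT rules keyed only on --sport, and -d used on an inbound chain), and then dry-runs packets against the rules. The rule text, the cell address 198.51.100.10 and the peer 10.0.2.20 are constructed for the example; the sample rule set follows the 3 vNIC layout with one placeholder left in and one rule misplaced below the REJECT line.

```python
"""Audit and dry-run an iptables-save style rule file like the ones above.
Added example; rule text, host address and peer address are constructed."""
import re
import shlex

CELL_IP = "198.51.100.10"          # constructed: this cell's own address
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
MATCH_KEYS = ("-i", "-o", "-p", "-s", "-d", "--dport", "--sport", "--state")
PLACEHOLDER = re.compile(r"IP(?:/DNS/FQDN)?_of_")

# Constructed sample in the layout of the 3 vNIC scenario above, with one
# placeholder left unreplaced and one rule placed below the REJECT line.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth2 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -d IP_of_NFS_Server -i eth2 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.2.20 -i eth2 -m state --state NEW -m tcp -p tcp --sport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -i eth2 -m state --state NEW -m tcp -p tcp --dport 61616 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Turn each '-A CHAIN ...' line into a dict of the options we evaluate."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule, i = {"lineno": lineno, "chain": toks[1], "raw": line}, 2
        while i < len(toks):
            if toks[i] in MATCH_KEYS or toks[i] in ("-j", "--reject-with"):
                rule[toks[i]] = toks[i + 1]
                i += 2
            elif toks[i] == "-m":          # only loads a match module; no value to keep
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules

def lint(rules):
    """Return (lineno, message) for rules that will not do what was intended."""
    findings, rejected = [], set()
    # chains fed by INPUT: every packet there is addressed to this host
    inbound = {"INPUT"} | {r["-j"] for r in rules if r["chain"] == "INPUT" and r.get("-j", "ACCEPT") not in TERMINAL}
    for r in rules:
        chain, target, line = r["chain"], r.get("-j"), r["lineno"]
        if PLACEHOLDER.search(r["raw"]):
            findings.append((line, "placeholder not replaced: iptables-restore will fail"))
        if target == "ACCEPT" and chain in rejected:
            findings.append((line, "ACCEPT below the chain's catch-all REJECT: never reached"))
        if target == "ACCEPT" and "--sport" in r and "--dport" not in r:
            findings.append((line, "ACCEPT keyed on --sport only: the remote side picks its source port"))
        if "-d" in r and chain in inbound:
            findings.append((line, "-d on an inbound chain matches this host's own address; restrict a peer with -s"))
        if target == "REJECT" and not any(k in r for k in MATCH_KEYS):
            rejected.add(chain)
    return findings

def matches(r, pkt):
    """Does rule r match the packet? Addresses are compared literally (no CIDR)."""
    checks = (("-i", pkt["iface"]), ("-p", pkt["proto"]), ("-s", pkt["src"]),
              ("-d", pkt["dst"]), ("--dport", str(pkt["dport"])), ("--sport", str(pkt["sport"])))
    if any(k in r and r[k] != v for k, v in checks):
        return False
    return "--state" not in r or pkt["state"] in r["--state"].split(",")

def verdict(rules, pkt, chain="INPUT"):
    """Walk `chain` top to bottom like the kernel; None means the chain policy applies."""
    for r in rules:
        if r["chain"] != chain or not matches(r, pkt):
            continue
        target = r.get("-j")
        if target in TERMINAL:
            return target
        if target:                          # user chain: descend, fall through if it returns
            sub = verdict(rules, pkt, target)
            if sub is not None:
                return sub
    return None

def pkt(iface, dport, state="NEW", src="10.0.2.20", sport=51000, proto="tcp"):
    return {"iface": iface, "proto": proto, "src": src, "dst": CELL_IP,   # constructed inbound packet
            "sport": sport, "dport": dport, "state": state}

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for name, p in [("HTTPS from the internet on eth0", pkt("eth0", 443, src="203.0.113.5")),
                    ("SSH from the internet on eth0", pkt("eth0", 22, src="203.0.113.5")),
                    ("SSH on the management NIC eth2", pkt("eth2", 22)),
                    ("NFS 2049 on eth2 (rule written with -d)", pkt("eth2", 2049)),
                    ("ActiveMQ 61616 on eth2 (rule below REJECT)", pkt("eth2", 61616)),
                    ("reply to an outbound connection, eth1", pkt("eth1", 40000, state="ESTABLISHED"))]:
        print(f"{name}: {verdict(rules, p)}")
    for line, msg in lint(rules):
        print(f"line {line}: {msg}")
```

Two of the findings apply to the rule sets above as written. In the INPUT chain (and any chain it jumps to) the packet's destination is always one of the cell's own addresses, so `-d IP_of_NFS_Server` never matches anything and restricts nothing; limiting a rule to a particular peer is done with `-s`. Likewise an ACCEPT that matches only on `--sport 111` or `--sport 2049` lets in any new connection whose sender chose that source port, which the sender is free to do. The dry run also shows why the client-side services (DNS, NTP, LDAP, SMTP, SQL) need no NEW-state rule on the cell: their replies arrive as ESTABLISHED traffic and are accepted by the ESTABLISHED,RELATED line.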

 

 

 

Again, I'm a Linux n00b, so if something seems incorrect, please make a comment.

 

---------- UPDATE 4/19/13

RHEL 6 changed these scripts just a tiny bit. Instead of RH-Firewall-1-INPUT, all you need is INPUT.

 

# Simple FIREWALL rules
# Begin listing vCloud Director Ports Needed with RHEL 6
# vCloud WebServices & vCenter/ESX Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# vCloud Optional
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# SSH
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# vCloud Remote Console
-A INPUT -m state --state NEW -m tcp -p tcp --dport 902 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 903 -j ACCEPT
#NFS
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --sport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --sport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 920 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --sport 920 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 920 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --sport 920 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --sport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --sport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 875 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 875 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
#DNS
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#NTP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
#LDAP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 389 -j ACCEPT
#SMTP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 25 -j ACCEPT
#Syslog
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
#vCenter & ESX
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 902 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 903 -j ACCEPT
#Default Microsoft SQL Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1433 -j ACCEPT
#Default Oracle Port Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
#AMQP Messaging (if Server exists)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5672 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5672 -j ACCEPT
#ActiveMQ
-A INPUT -m state --state NEW -m tcp -p tcp --dport 61611 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 61616 -j ACCEPT
# End listing vCloud Director Ports Needed

 

 

You can download the .txt files below because copy/paste from this site won't work very well.
