Differences between revisions 2 and 3
Revision 2 as of 2017-11-22 00:14:46 (size 4121)
Revision 3 as of 2017-11-22 00:24:21 (size 5359)

iptables

We want nodus to make several ports available from Martian and the internet. Otherwise, access to these ports is simply rejected. To allow this, we need to run the following commands (8080: non-secure elog, 8081: secure elog, 30889: web service):

{{{
sudo iptables -I INPUT 5 -i enp1s0f0 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I INPUT 6 -i enp1s0f1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I INPUT 7 -i enp1s0f0 -p tcp --dport 30889 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I INPUT 8 -i enp1s0f1 -p tcp --dport 30889 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I INPUT 9 -i enp1s0f0 -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I INPUT 10 -i enp1s0f1 -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT
}}}

Here we need to specify the two ethernet interfaces (enp1s0f0 and enp1s0f1). They can be checked with ifconfig:

{{{
ifconfig -a
}}}

To check the current iptables setup, the following command is useful:

{{{
sudo iptables -vnL INPUT --line
}}}

To delete an entry (e.g. #3 in the INPUT chain):

{{{
sudo iptables -D INPUT 3
}}}

Apache

- Tried the simplest setting possible. I installed elinks, a text-based browser, to test local access to the web server. The server worked locally but not remotely; it seemed that the ports were not open.

- The "iptables" command is the way to make specific ports available.

- This requires specifying the correct interface name, which can be checked with "ifconfig -a". nodus has two ethernet I/Fs, i.e. enp1s0f0 and enp1s0f1.

- Therefore the commands are like the following:

{{{
iptables -I INPUT 5 -i enp1s0f0 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 6 -i enp1s0f1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 7 -i enp1s0f0 -p tcp --dport 30889 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 8 -i enp1s0f1 -p tcp --dport 30889 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 9 -i enp1s0f0 -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 10 -i enp1s0f1 -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT
}}}

- Check the iptables status. Rules 5 to 8 are the new entries. NOTE that this modification is not permanent yet: we need to run the above commands every time we reboot the host.

{{{
# iptables -vnL INPUT --line
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     532K 1294M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2       62  3808 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3    3378K 1896M INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4    3378K 1896M INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     tcp  --  enp1s0f0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 state NEW,ESTABLISHED
6        8   512 ACCEPT     tcp  --  enp1s0f1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 state NEW,ESTABLISHED
7        0     0 ACCEPT     tcp  --  enp1s0f0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30889 state NEW,ESTABLISHED
8        5   320 ACCEPT     tcp  --  enp1s0f1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30889 state NEW,ESTABLISHED
9    3378K 1896M INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
10     113  4814 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
11   3273K 1869M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
}}}
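An added check (example code written for this note, not from the page or from the elog/httpd projects): it parses the INPUT listing above and reports which of the six (interface, port) ACCEPT rules from the iptables section are missing, and which exist but sit below the catch-all REJECT (rule 11 above), where a rule appended with -A or inserted at too low a position never matches. On this page's listing it flags the two 8081 rules as missing.

```python
import re

# Constructed sample: the `iptables -vnL INPUT --line` listing quoted on this page (no 8081 rules in it).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     532K 1294M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2       62  3808 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3    3378K 1896M INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4    3378K 1896M INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     tcp  --  enp1s0f0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 state NEW,ESTABLISHED
6        8   512 ACCEPT     tcp  --  enp1s0f1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 state NEW,ESTABLISHED
7        0     0 ACCEPT     tcp  --  enp1s0f0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30889 state NEW,ESTABLISHED
8        5   320 ACCEPT     tcp  --  enp1s0f1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30889 state NEW,ESTABLISHED
9    3378K 1896M INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
10     113  4814 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
11   3273K 1869M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""

# (interface, port) ACCEPT rules the page's commands create: 8080 non-secure elog, 8081 secure elog, 30889 web.
WANTED = [(iface, port) for port in (8080, 8081, 30889)
          for iface in ("enp1s0f0", "enp1s0f1")]


def parse_input_chain(listing):
    """Return [(num, target, in_iface, dport_or_None)] for every numbered rule."""
    rules = []
    for line in listing.splitlines():
        cols = line.split()
        if len(cols) < 8 or not cols[0].isdigit():
            continue  # "Chain ..." banner or the column header line
        m = re.search(r"dpt:(\d+)", line)
        rules.append((int(cols[0]), cols[3], cols[6], int(m.group(1)) if m else None))
    return rules


def audit(listing, wanted=WANTED):
    """Return (missing, shadowed): wanted rules absent, and wanted rules placed after the catch-all REJECT."""
    rules = parse_input_chain(listing)
    # The first REJECT with no input interface and no port restriction ends the chain for new traffic.
    cutoff = next((n for n, tgt, iface, port in rules
                   if tgt == "REJECT" and iface == "*" and port is None), None)
    found = {(iface, port): n for n, tgt, iface, port in rules
             if tgt == "ACCEPT" and port is not None}
    missing = [w for w in wanted if w not in found]
    shadowed = [w for w in wanted if w in found
                and cutoff is not None and found[w] > cutoff]
    return missing, shadowed
```

Since the rules are not persistent across a reboot, running `audit()` on a fresh listing after boot tells you whether they need re-adding.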

- Now I configured the non-SSL version of the 30889 server. This was done with /etc/httpd/sites-available/nodus30889_nosecure.conf and a symbolic link to it in /etc/httpd/sites-enabled.

- I realized that we need php for the dokuwikis. It was installed; maybe we need a more careful configuration of php later.

{{{
sudo yum -y install php
}}}

- To work with the server daemon, use the systemctl command. Currently the server is not running.

{{{
sudo systemctl (start|restart|stop|status) httpd
}}}

elogd

- The new executable seems to be installed in /usr/local/sbin. The configuration files are in /export/elog.

- The current (best) elog starting script is /export/elog/startELOGD.sh.

- By disabling the 8081 secure elog, the elog is running on port 8080. However, elogd does not want to use the themes in /export/elog/elog-common no matter how this directory is specified as the resource dir. The only workable setup right now is to specify the resource directory as Resource dir = /usr/local/elog in /export/elog/elog-common/elogd.cfg.

- This is not the perfect solution, but it allows us to use the elog. There is no truly secure password for the elog; this is OK for today, I guess? We need more investigation on the theme and the SSL version of the elog (i.e. port 8081).

{{{
cd /cvs/cds/caltech/nodus_backup/etc/apache2
}}}

ELOG CFG URL = https://nodus.ligo.caltech.edu:8081/

SVN

{{{
sudo yum install subversion
}}}

NodusUpgradeNov2017 (last edited 2018-09-13 05:48:45 by KojiaraiATligoDOTorg)