========
iptables
========

iptables-Konfiguration
----------------------

Auf der virtuellen Maschine mit dem ZEO-Server ist der Port 9000 zu öffnen::

 # system-config-firewall-tui

 Firewall-Konfiguration: Anpassen
 Trusted Dienste: WWW (HTTP)
 Andere Ports: Hinzufügen
 Port/Port-Bereich: 9000
 Protokoll: tcp

Dies generiert die Datei ``/etc/sysconfig/iptables``::

 # Firewall configuration written by system-config-firewall
 # Manual customization of this file is not recommended.
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 9000 -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT

Eingehende Anfragen lassen sich überprüfen mit::

 # watch iptables --list -v
 Every 2,0s: iptables --list -v                                                                  Wed Mar 20 18:30:34 2013

 Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
  1476  202K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
     1    60 ACCEPT     all  --  lo     any     anywhere             anywhere
     1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:nfs
     6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:cslistener
    18   576 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
     0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

 Chain OUTPUT (policy ACCEPT 1405 packets, 117K bytes)
  pkts bytes target     prot opt in     out     source               destination

Nun können wir uns die aktiven Internetverbindungen anschauen mit::

 # netstat -tulpen
 Aktive Internetverbindungen (Nur Server)
 Proto Recv-Q Send-Q Local Address               Foreign Address             State       Benutzer   Inode      PID/Program name
 ...
 ...        0      0 0.0.0.0:9000                0.0.0.0:*                   LISTEN      502        1302676    23572/python
 ...

Analog sollten nun auch ``iptables`` für die Instanzen konfiguriert werden.