The Linux kernel includes a packet-filtering firewall facility, ipchains (iptables on 2.4 kernels).
When Load Balancer and ipchains run concurrently on the same machine, Load Balancer sees each
packet first and ipchains sees it afterwards, so the packets that Load Balancer forwards to the
back-end servers are handled before the firewall rules apply. This allows you to use ipchains to
harden a Linux Load Balancer machine, for example a Load Balancer machine that is used to load
balance firewalls.
About this task
In general, an appropriate ipchains strategy for a Load Balancer machine is to disallow all
traffic except traffic to or from the back-end servers, the high availability partner Load
Balancer machine, any reach targets, and any configuration hosts.
It is not recommended to activate
iptables when running Load Balancer on Linux kernel version 2.4.10.x. Activation
on this Linux kernel version can result in performance degradation over time.
Procedure
-
To activate iptables or ipchains, configure them to be completely restricted, so that no
inbound or outbound traffic is permitted. The packet-forwarding portion of Load Balancer
continues to function normally, because it handles packets before the firewall does.
Some additional traffic must then be permitted for all of Load Balancer to function
properly. Some examples of this communication are:
- Advisors communicate between the Load Balancer machine and the back-end
servers.
- Load Balancer pings back-end servers, reach targets, and high availability
partner Load Balancer machines.
- User interfaces (graphical user interface, command line, and wizards)
use RMI.
- Back-end servers must respond to pings from the Load Balancer machine.
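As an added example (not IBM's code), the following shell function generates the restrictive ruleset described above in iptables-restore format: default DROP on every chain, then only the hosts Load Balancer talks to. It is stateless on purpose, so it never loads ip_conntrack. The host addresses are constructed for illustration, and because this page does not give the RMI port number, configuration hosts are allowed all TCP traffic rather than a single port.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for a Linux Load Balancer
# machine. Everything is denied except the traffic Load Balancer itself needs.
# Stateless rules only (no -m state), so ip_conntrack is not pulled in.

lb_firewall_rules() {
  backends=$1       # space-separated back-end server addresses
  ha_partner=$2     # high availability partner Load Balancer machine
  reach_targets=$3  # hosts that are only pinged
  config_hosts=$4   # hosts that run the GUI / command line / wizards (RMI)

  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'

  # Back-end servers and the HA partner: advisors, pings and heartbeats use
  # several ports, so the whole host is permitted in both directions.
  for h in $backends $ha_partner; do
    printf '%s\n' "-A INPUT -s $h -j ACCEPT" "-A OUTPUT -d $h -j ACCEPT"
  done

  # Reach targets are only pinged: echo-request out, echo-reply back in.
  for h in $reach_targets; do
    printf '%s\n' "-A OUTPUT -d $h -p icmp --icmp-type echo-request -j ACCEPT"
    printf '%s\n' "-A INPUT -s $h -p icmp --icmp-type echo-reply -j ACCEPT"
  done

  # Configuration hosts reach the RMI-based user interfaces over TCP.
  # The RMI port is not given here, so TCP as a whole is allowed (assumption).
  for h in $config_hosts; do
    printf '%s\n' "-A INPUT -s $h -p tcp -j ACCEPT" "-A OUTPUT -d $h -p tcp -j ACCEPT"
  done

  printf '%s\n' 'COMMIT'
}

# Constructed sample addresses; replace them with the real hosts.
lb_firewall_rules "10.0.1.11 10.0.1.12" "10.0.1.2" "10.0.0.1" "10.0.9.5"
# To apply on the Load Balancer machine:
#   lb_firewall_rules "..." "..." "..." "..." | iptables-restore
```

Review the generated file before loading it: with OUTPUT defaulting to DROP, anything not listed (DNS, NTP, remote administration from hosts other than the configuration hosts) stops working, which is exactly the "completely restricted" starting point the procedure asks for.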
-
To deactivate iptables:
-
List the loaded modules and note which ones depend on ip_tables and ip_conntrack
(lsmod shows them in the Used by column, for example iptable_filter and iptable_nat).
Issue the following command:
lsmod
-
Remove the dependent modules first, because rmmod refuses to remove a module that
is still in use, then remove ip_tables and ip_conntrack by issuing the following
commands:
rmmod ip_tables
rmmod ip_conntrack
These modules are loaded again when you reboot the machine, so you must repeat
these steps after each reboot.
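As an added example (not IBM's code), the following script reads lsmod output and prints the order in which to unload the modules: every module that uses ip_tables or ip_conntrack comes first, because rmmod refuses a module whose use count is not zero. The lsmod listing embedded in the script is constructed to look like a 2.4 kernel's bracketed Used by column; the parser also accepts the comma-separated form that later kernels print.

```shell
#!/bin/sh
# Added example: compute a safe rmmod order from lsmod output, dependents first.

unload_order() {
  # $1 = modules to unload, space-separated; stdin = lsmod output.
  awk -v targets="$1" '
  NR == 1 { next }                         # header: Module Size Used by ...
  {
    mod = $1; deps = ""
    for (i = 4; i <= NF; i++) {            # everything after the use count
      t = $i
      if (t ~ /^\(/) continue              # skip (autoclean) / (unused) flags
      gsub(/\[/, "", t); gsub(/\]/, "", t) # 2.4 kernels print [a b c]
      gsub(/,/, " ", t)                    # later kernels print a,b,c
      deps = deps " " t
    }
    used_by[mod] = deps
  }
  # Depth-first: unload whatever uses m before m itself; never list twice.
  function visit(m,    n, a, i) {
    if (done[m]) return
    done[m] = 1
    n = split(used_by[m], a, " ")
    for (i = 1; i <= n; i++) visit(a[i])
    print m
  }
  END {
    n = split(targets, tg, " ")
    for (i = 1; i <= n; i++) visit(tg[i])
  }'
}

# Constructed lsmod listing in the 2.4 format (not captured from a real host).
LSMOD_SAMPLE='Module                  Size  Used by    Not tainted
ip_nat_ftp               3808   0 (unused)
iptable_nat             19924   1 [ip_nat_ftp]
ip_conntrack_ftp         4704   0 (unused)
ip_conntrack            26800   3 [ip_nat_ftp iptable_nat ip_conntrack_ftp]
iptable_filter           2412   0 (autoclean) (unused)
ip_tables               14904   2 [iptable_nat iptable_filter]'

printf '%s\n' "$LSMOD_SAMPLE" | unload_order "ip_tables ip_conntrack"
# On the real machine, after each reboot:
#   lsmod | unload_order "ip_tables ip_conntrack" | xargs -n1 rmmod
```

For the sample listing the script prints ip_nat_ftp, iptable_nat, iptable_filter, ip_tables, ip_conntrack_ftp, ip_conntrack; running the two rmmod commands from the procedure directly against that listing would fail on ip_tables while iptable_nat and iptable_filter are still loaded.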