Incorporating External NICs HowTo

(5) This line opens virtual port 22 for TCP on the fourth additional physical external Ethernet
port, External4. The subsequent line performs the same function for virtual port 443.
You can modify these lines in the iptables.proto file to configure each logical network
independently from the others across the HP XC system.
When no Ethernet device serves in the position of a particular network, the line in the
iptables.proto file is ignored. In effect, the line is dropped from the actual configuration.
See Chapter 11 of the HP XC System Software Administration Guide for information on opening IP
ports in the firewall.
4.4.1 Node-Specific Format for the -i Option
The iptables.proto file also has a node-specific format that allows you to control a virtual
port for external Ethernet ports only on selected nodes:
-i condensed_nodelist[::External[n]]
This syntax allows you to open or close ports for a given physical external Ethernet port on the
nodes specified by the condensed_nodelist. For example:
-A RH-Firewall-1-INPUT -i External -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i External -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i External1 -p tcp -m tcp --dport 22 -j ACCEPT          (1)
-A RH-Firewall-1-INPUT -i External1 -p tcp -m tcp --dport 443 -j ACCEPT         (2)
-A RH-Firewall-1-INPUT -i n19::External1 -p tcp -m tcp --dport 20,21 -j ACCEPT  (3)
-A RH-Firewall-1-INPUT -i External2 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i External2 -p tcp -m tcp --dport 443 -j ACCEPT
...
(1) This line opens virtual port 22 for TCP on the first added physical external Ethernet port,
External1, on all nodes in the HP XC system.
The text -i External1 matches all nodes, so virtual port 22 will be open on all nodes with
External1 connections.
(2) This line opens virtual port 443 for TCP on the first added physical external Ethernet port,
External1, on all nodes in the HP XC system.
The text -i External1 matches all nodes, so virtual port 443 will be open on all nodes
with External1 connections.
(3) This line opens the ftp virtual ports (20 and 21) on the first added physical external Ethernet
port, External1, on node n19 only.
Additional examples of this syntax are as follows:
-A RH-Firewall-1-INPUT -i n23::External1 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i n[5,17]::External1 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i n[9-11,20,33-34]::External1 -p tcp -m tcp --dport 22 -j ACCEPT
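To make the -i semantics above concrete, here is an added Python example (not HP XC's own device_config or firewall tooling) that expands proto lines for one node the way the page describes: it parses the condensed_nodelist (n19, n[5,17], n[9-11,20,33-34]), keeps a node-qualified line only on the listed nodes, substitutes the real device for External[n], and drops a line whose External position has no device on that node. The node naming scheme (n followed by an integer), the treatment of a bare External as position 0, the device map passed by the caller, and the sample proto lines are all assumptions constructed for the example. Port arguments are passed through unchanged; note that stock iptables accepts a comma list such as 20,21 only with -m multiport --dports, so how the page's --dport 20,21 line reaches the kernel depends on the HP XC tooling, which this example does not model.

```python
"""Expand HP XC style iptables.proto lines for one node.

Added example, not HP XC's own tool: it models the documented semantics of
the -i field (External[n], optionally prefixed by condensed_nodelist::) so
the effect of a proto file on a given node can be checked before it is
applied.  Assumptions: node names are 'n' followed by an integer, a bare
'External' is position 0, and the caller supplies the position -> device map.
"""
import re
import shlex

# Constructed sample proto lines mirroring the syntax shown on this page.
SAMPLE_PROTO = """\
-A RH-Firewall-1-INPUT -i External1 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i External1 -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i n19::External1 -p tcp -m tcp --dport 20,21 -j ACCEPT
-A RH-Firewall-1-INPUT -i n[9-11,20,33-34]::External1 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i External2 -p tcp -m tcp --dport 22 -j ACCEPT
"""

# 'n19' or 'n[...]'; group 2 holds the bracket contents when present.
NODELIST_RE = re.compile(r"^n(\d+|\[([^\]]*)\])$")


def expand_nodelist(spec):
    """Expand a condensed nodelist such as 'n19' or 'n[9-11,20,33-34]'
    into a set of node names.  Raises ValueError on anything else."""
    m = NODELIST_RE.match(spec)
    if not m:
        raise ValueError(f"bad condensed nodelist: {spec!r}")
    if m.group(2) is None:                      # plain single node, e.g. n19
        return {spec}
    nodes = set()
    for part in m.group(2).split(","):
        part = part.strip()
        if "-" in part:                         # inclusive range, e.g. 9-11
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r} in {spec!r}")
            nodes.update(f"n{i}" for i in range(lo, hi + 1))
        elif part:                              # single number, e.g. 20
            nodes.add(f"n{int(part)}")
    return nodes


def parse_interface(spec):
    """Split an -i value into (set of nodes, or None for all nodes,
    External position as an int)."""
    if "::" in spec:
        nodelist, ext = spec.split("::", 1)
        nodes = expand_nodelist(nodelist)
    else:
        nodes, ext = None, spec
    m = re.fullmatch(r"External(\d*)", ext)
    if not m:
        raise ValueError(f"bad interface spec: {spec!r}")
    position = int(m.group(1)) if m.group(1) else 0   # assumption: bare External is 0
    return nodes, position


def expand_proto(proto_text, node, devices):
    """Return the rule lines that apply on `node`.

    `devices` maps External position -> real device on that node, e.g.
    {1: "eth2"}.  A node-qualified line is kept only when `node` is in its
    nodelist; a line whose position has no device is dropped, as the page
    describes for positions no Ethernet device serves."""
    rules = []
    for raw in proto_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        args = shlex.split(line)
        if "-i" not in args:
            rules.append(line)                  # no interface match: applies as-is
            continue
        idx = args.index("-i")
        nodes, position = parse_interface(args[idx + 1])
        if nodes is not None and node not in nodes:
            continue                            # not one of the listed nodes
        if position not in devices:
            continue                            # no device in that position: ignored
        args[idx + 1] = devices[position]       # substitute the real device name
        rules.append(" ".join(args))
    return rules


if __name__ == "__main__":
    # On n19 with one added external NIC in position 1 (constructed sample).
    for rule in expand_proto(SAMPLE_PROTO, "n19", {1: "eth2"}):
        print(rule)
```

Running the block as-is prints the three rules that reach node n19 (the two all-node External1 lines and the n19-only ftp line); the External2 line is dropped because no device occupies position 2 in the supplied map, and the n[9-11,20,33-34] line is skipped because n19 is not in that list.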
4.4.2 IPv6 Configuration
If you are using IPv6, you need to configure the /etc/sysconfig/ip6tables.proto file.
The method for doing so is analogous to configuring the iptables.proto file.
4.4.3 Verifying the Updated CMDB
After using the device_config command to update the Configuration and Management
Database, use the shownode command to verify that the database contains the correct data.
Enter the following commands to display the data to a file, then use the editor of your choice to
examine the file:
# shownode config nodes > /tmp/cmdb_outputfile
Locate the output that corresponds to the node you changed:
n19:
attributes:
node_status: up