ssh to corresponding Cassandra node and we will designate what traffic to allow and what traffic to not.
Example: On cassandra node0, follow as below
sudo iptables -A INPUT -p tcp --dport 9042 -s appserver-IP -j ACCEPT
-A, Means appends to input rules
-p, is rule to tcp protocol traffic
--dport, is for destination port
-s, source ip to be allowed
-j, tells what to do, in this case accept traffic
Now, Similarly configure to other Cassandra/DSE nodes in the same server.
sudo iptables -A INPUT -p tcp --dport 9042 -s node1-IP -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 9042 -s node2-IP -j ACCEPT
Then we also need to allow, connection to communicate across Cassandra nodes on port 7000
sudo iptables -A INPUT -p tcp --dport 7000 -s node1-IP -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 7000 -s node2-IP -j ACCEPT
Then other attempts from other nodes to be dropped, so as follows
sudo iptables -A INPUT -p tcp --dport 9042 -j DROP
sudo iptables -A INPUT -p tcp --dport 7000 -j DROP
***
Verify by doing telnet to corresponding node from any other remote servers. Example "telnet node0 9042", it can't connect.
***
No comments:
Post a Comment