Custom firewall rules - BlueCat Address Manager - 9.2.0

Address Manager Administration Guide

Product: BlueCat Address Manager, version 9.2.0 (locale: English, United States)

When you enable the service point service on a DNS/DHCP Server, several custom firewall rules are added to the PSM chains. Additional rules are added to the PREROUTING, DOCKER and OUTPUT chains. A SERVICE-POINT chain is added to ensure service point functionality and that incoming DNS queries targeting the Service Point IPv4 address are processed by the service point.
Attention:
  • Once you enable the service point, preexisting custom firewall rules are removed from the PSM chains. You can re-add the preexisting custom firewall rules, but you must ensure that they do not conflict with the custom firewall rules created when you enable the service point.
  • If you disable the service point, the preexisting custom firewall rules are restored.
Important: In Address Manager v9.2.0, connection tracking is disabled by default; however, once you enable the service point service, connection tracking is automatically enabled. Connection tracking must be enabled for the service point service to function properly. Do not manually disable connection tracking after configuring the service point.
The following custom firewall rules are added:
"iptables -A PSM_CUSTOM_INPUT -p tcp --sport 443 -j ACCEPT",
"iptables -A PSM_CUSTOM_OUTPUT -p tcp --dport 443 -j ACCEPT",
"iptables -A PSM_CUSTOM_OUTPUT --out-interface docker0 -j ACCEPT",
"iptables -A PSM_CUSTOM_INPUT --in-interface docker0 -j ACCEPT",
"iptables -A PSM_CUSTOM_OUTPUT -o lo -j ACCEPT",
"iptables -A PSM_CUSTOM_INPUT -p tcp --sport 80 -j ACCEPT",
"iptables -A PSM_CUSTOM_OUTPUT -p tcp --dport 80 -j ACCEPT"
Chain PREROUTING (policy ACCEPT)
target   prot opt source      destination
DNAT     tcp  --  anywhere    172.24.0.55     tcp dpt:domain /* Service Point: dns-gateway-service */ to:247.127.127.11:9953
DNAT     udp  --  anywhere    172.24.0.55     udp dpt:domain /* Service Point: dns-gateway-service */ to:247.127.127.11:9953

172.24.0.55 --> <SP IPv4>
247.127.127.11 --> <dns-gateway-service docker IP>
Redirect incoming DNS queries (port 53) with a destination of the Service Point IP address to the dns-gateway-service.
DNAT     tcp  --  anywhere    anywhere        tcp dpt:http /* Service Point: sp-proxy */ to:247.127.127.14:80
DNAT     tcp  --  anywhere    anywhere        tcp dpt:http /* Service Point: sp-proxy */ to:247.127.127.14:80
DNAT     tcp  --  anywhere    anywhere        tcp dpt:https /* Service Point: sp-proxy */ to:247.127.127.14:443
DNAT     tcp  --  anywhere    anywhere        tcp dpt:https /* Service Point: sp-proxy */ to:247.127.127.14:443

247.127.127.14 --> <sp-proxy docker IP>
Redirect incoming HTTP (port 80) and HTTPS (port 443) traffic arriving on any interface matching the e+ pattern (eth0, eth1, ...) to the sp-proxy.
Chain SERVICE-POINT (1 references)
target   prot opt source      destination
DNAT     tcp  --  anywhere    anywhere        tcp dpt:http /* Service Point: sp-proxy */ to:247.127.127.14:80
DNAT     tcp  --  anywhere    anywhere        tcp dpt:https /* Service Point: sp-proxy */ to:247.127.127.14:443

Redirect traffic on the SERVICE-POINT chain that matches HTTP (port 80) or HTTPS (port 443) and does not come from interface docker0 to the sp-proxy.
Chain OUTPUT (policy ACCEPT)
target         prot opt source      destination
DOCKER         all  --  anywhere    !loopback/8     ADDRTYPE match dst-type LOCAL
SERVICE-POINT  all  --  anywhere    !loopback/8     ADDRTYPE match dst-type LOCAL

Evaluate outbound traffic whose destination is a local address but not on the loopback network (127.0.0.0/8) using the SERVICE-POINT chain.

Important: Port 80 is open to allow you to probe the service point diagnostics. If you do not wish to use the diagnostics, you can close port 80 by running the following commands:
  1. Export the current custom firewall rules:
    custom_fw_rules --export-rules fw.txt
  2. Modify the fw.txt file by removing the two rules employing port 80.
  3. Import the modified rules:
    custom_fw_rules --import-rules fw.txt
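The following script is an added example, not BlueCat tooling, covering step 2 of the procedure above and the "Attention" note about re-added rules conflicting with the service point rules. It assumes the exported fw.txt holds one iptables command per line in the form listed earlier on this page (the quoted JSON-style layout is not assumed); the sample rule text embedded below is constructed from those rules, and the "preexisting" rules are made up for illustration.

```python
"""Filter and sanity-check an exported custom firewall rule file.

Example code, not part of BlueCat Address Manager. Assumes one
'iptables ...' command per line, as listed on this page.
"""
import shlex
from typing import Dict, List, Optional

# Constructed sample: the service point rules from the page, one per line.
SERVICE_POINT_RULES = """\
iptables -A PSM_CUSTOM_INPUT -p tcp --sport 443 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT --out-interface docker0 -j ACCEPT
iptables -A PSM_CUSTOM_INPUT --in-interface docker0 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT -o lo -j ACCEPT
iptables -A PSM_CUSTOM_INPUT -p tcp --sport 80 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT -p tcp --dport 80 -j ACCEPT
"""

# Constructed sample of rules an administrator might want to re-add
# (hypothetical; the first one overrides a service point rule).
PREEXISTING_RULES = """\
iptables -A PSM_CUSTOM_INPUT -p tcp --sport 443 -j DROP
iptables -A PSM_CUSTOM_INPUT -p udp --dport 514 -j ACCEPT
"""

# iptables options that take a value; anything else is treated as a bare flag.
_VALUE_OPTS = {"-A", "-p", "--sport", "--dport", "-j", "-i", "-o", "-s", "-d"}
_ALIASES = {"--in-interface": "-i", "--out-interface": "-o"}


def parse_rule(line: str) -> Optional[Dict[str, str]]:
    """Turn 'iptables -A CHAIN ... -j TARGET' into a dict of normalised options.

    Returns None for blank or comment lines; long interface options are
    folded onto their short forms so '-i' and '--in-interface' compare equal.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = shlex.split(line)
    if not toks or toks[0] != "iptables":
        raise ValueError(f"not an iptables rule: {line!r}")
    opts: Dict[str, str] = {}
    i = 1
    while i < len(toks):
        key = _ALIASES.get(toks[i], toks[i])
        if key in _VALUE_OPTS:
            if i + 1 >= len(toks):
                raise ValueError(f"option {key} is missing its value: {line!r}")
            opts[key] = toks[i + 1]
            i += 2
        else:
            opts[key] = ""
            i += 1
    return opts


def uses_port(rule: Dict[str, str], port: int) -> bool:
    """True if the rule matches the given port as source or destination."""
    return any(rule.get(opt) == str(port) for opt in ("--sport", "--dport"))


def drop_port_rules(text: str, port: int = 80) -> List[str]:
    """Step 2 of the procedure: return the exported lines with every rule
    employing `port` removed, keeping order and any non-rule lines."""
    kept = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None and uses_port(rule, port):
            continue
        kept.append(line)
    return kept


def find_conflicts(existing: str, service_point: str) -> List[str]:
    """Flag preexisting rules that match the same chain, protocol, port and
    interface as a service point rule but jump to a different target; such a
    rule would change what the service point rule was meant to allow."""
    def key(r: Dict[str, str]):
        return tuple(r.get(k) for k in ("-A", "-p", "--sport", "--dport", "-i", "-o"))

    sp_targets = {}
    for line in service_point.splitlines():
        r = parse_rule(line)
        if r:
            sp_targets[key(r)] = r.get("-j")
    conflicts = []
    for line in existing.splitlines():
        r = parse_rule(line)
        if r and key(r) in sp_targets and r.get("-j") != sp_targets[key(r)]:
            conflicts.append(line.strip())
    return conflicts


if __name__ == "__main__":
    print("\n".join(drop_port_rules(SERVICE_POINT_RULES)))
    print("conflicts:", find_conflicts(PREEXISTING_RULES, SERVICE_POINT_RULES))
```

Run it against a real export by reading fw.txt into `drop_port_rules` and writing the returned lines back before the import step; `find_conflicts` is meant to be run on the rules you intend to re-add, with the service point rules as the second argument, before importing them.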