When you enable the service point service on a DNS/DHCP Server, several custom
firewall rules are added to the PSM chains, additional rules are added to the
PREROUTING, DOCKER and OUTPUT chains of the nat table, and a new SERVICE-POINT
chain is created. Together these rules ensure that incoming DNS queries targeting
the Service Point IPv4 address (and HTTP/HTTPS requests to the server) are handed
to the service point containers.
Attention:
- Once you enable the service point, preexisting custom firewall rules are removed from the PSM chains. You can re-add the preexisting custom firewall rules, but you must ensure that they do not conflict with the custom firewall rules created when you enable the service point (for example, a rule that drops or rejects the same traffic those rules accept, placed ahead of them in the chain, would shadow them).
- If you disable the service point, the preexisting custom firewall rules are restored.
Important: In Address Manager v9.2.0, connection tracking is disabled by
default; however, once you enable the service point service, connection tracking is
automatically enabled. Connection tracking must be enabled for the service
point service to function properly, because the DNAT rules described below are
only applied to tracked connections. Do not manually disable connection
tracking after configuring the service point.
The following custom firewall rules are added:
iptables -A PSM_CUSTOM_INPUT -p tcp --sport 443 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT --out-interface docker0 -j ACCEPT
iptables -A PSM_CUSTOM_INPUT --in-interface docker0 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT -o lo -j ACCEPT
iptables -A PSM_CUSTOM_INPUT -p tcp --sport 80 -j ACCEPT
iptables -A PSM_CUSTOM_OUTPUT -p tcp --dport 80 -j ACCEPT
Note that the two PSM_CUSTOM_INPUT port rules match on source port alone, with no connection-state match: any inbound TCP segment whose source port is 443 or 80 is accepted by them.
Chain PREROUTING (policy ACCEPT)
target     prot opt source     destination
DNAT       tcp  --  anywhere   172.24.0.55    tcp dpt:domain /* Service Point: dns-gateway-service */ to:247.127.127.11:9953
DNAT       udp  --  anywhere   172.24.0.55    udp dpt:domain /* Service Point: dns-gateway-service */ to:247.127.127.11:9953
(172.24.0.55 stands for the Service Point IPv4 address; 247.127.127.11 stands for the docker IP of the dns-gateway-service container.)
These rules redirect incoming DNS queries (TCP and UDP port 53) whose destination is the Service Point IP address to the dns-gateway-service container on port 9953.
DNAT       tcp  --  anywhere   anywhere       tcp dpt:http  /* Service Point: sp-proxy */ to:247.127.127.14:80
DNAT       tcp  --  anywhere   anywhere       tcp dpt:http  /* Service Point: sp-proxy */ to:247.127.127.14:80
DNAT       tcp  --  anywhere   anywhere       tcp dpt:https /* Service Point: sp-proxy */ to:247.127.127.14:443
DNAT       tcp  --  anywhere   anywhere       tcp dpt:https /* Service Point: sp-proxy */ to:247.127.127.14:443
(247.127.127.14 stands for the docker IP of the sp-proxy container.)
These rules redirect incoming HTTP (port 80) and HTTPS (port 443) arriving on any interface whose name matches the iptables interface wildcard e+ (eth0, eth1, ...) to the sp-proxy container. The interface match is not visible in this listing because iptables -L without -v omits the in/out interface columns; use iptables -t nat -L PREROUTING -n -v to see it.
Chain SERVICE-POINT (1 references)
target     prot opt source     destination
DNAT       tcp  --  anywhere   anywhere       tcp dpt:http  /* Service Point: sp-proxy */ to:247.127.127.14:80
DNAT       tcp  --  anywhere   anywhere       tcp dpt:https /* Service Point: sp-proxy */ to:247.127.127.14:443
These rules redirect traffic that reaches the SERVICE-POINT chain on HTTP (port 80) or HTTPS (port 443), and that does not come from the docker0 interface, to the sp-proxy container.
Chain OUTPUT (policy ACCEPT)
target         prot opt source     destination
DOCKER         all  --  anywhere   !loopback/8    ADDRTYPE match dst-type LOCAL
SERVICE-POINT  all  --  anywhere   !loopback/8    ADDRTYPE match dst-type LOCAL
The SERVICE-POINT rule sends locally generated traffic whose destination is one of the host's own addresses (ADDRTYPE dst-type LOCAL) other than loopback (127.0.0.0/8) through the SERVICE-POINT chain. Locally generated packets never traverse PREROUTING, so this is what lets a process on the DNS/DHCP Server itself reach sp-proxy by connecting to the Service Point IP on port 80 or 443.
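The checks an operator would want to run after enabling the service point, or after re-adding custom rules, as an added example that is not BlueCat's code and not part of the original page: it verifies that the seven PSM custom rules and the service point DNAT rules are present, that no raw-table NOTRACK rule bypasses connection tracking (NAT only acts on tracked connections), and that no re-added DROP/REJECT in a PSM chain shadows a service point ACCEPT. It assumes the output format of iptables -S, iptables -t nat -S and iptables -t raw -S; the rule dumps embedded below are constructed samples so that the script runs offline, and the -i e+ interface match, the DROP rule and the CT --notrack rule in those samples are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not BlueCat code. Checks the firewall state the service point relies on.
# On a DNS/DHCP Server you would call:
#   sp_check "$(iptables -S)" "$(iptables -t nat -S PREROUTING)" "$(iptables -t raw -S)" 172.24.0.55
# The dumps at the bottom are constructed samples (assumed, not captured from a server).

# The seven filter rules the service point adds, as `iptables -S` prints them
# (long options are normalised to -i/-o and the implicit "-m tcp" is shown).
SP_FILTER_RULES='-A PSM_CUSTOM_INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A PSM_CUSTOM_OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A PSM_CUSTOM_OUTPUT -o docker0 -j ACCEPT
-A PSM_CUSTOM_INPUT -i docker0 -j ACCEPT
-A PSM_CUSTOM_OUTPUT -o lo -j ACCEPT
-A PSM_CUSTOM_INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A PSM_CUSTOM_OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# 1. Are all seven PSM custom rules present?  $1 = filter table dump.
sp_filter_rules_present() {
    printf '%s\n' "$SP_FILTER_RULES" | while IFS= read -r rule; do
        printf '%s\n' "$1" | grep -qxF -- "$rule" || exit 1   # exits the subshell only
    done
}

# 2. Are the DNAT rules present?  $1 = nat PREROUTING dump, $2 = Service Point IPv4.
#    DNS (tcp+udp 53) must be scoped to the SP address; http/https must go to sp-proxy.
sp_nat_rules_present() {
    for proto in tcp udp; do
        printf '%s\n' "$1" | grep -q -- "^-A PREROUTING -d $2/32 -p $proto .*--dport 53 .*-j DNAT --to-destination " || return 1
    done
    for port in 80 443; do
        printf '%s\n' "$1" | grep -q -- "^-A PREROUTING .*-p tcp .*--dport $port .*Service Point: sp-proxy.*-j DNAT --to-destination " || return 1
    done
}

# 3. Is connection tracking bypassed?  NAT is applied only to tracked connections, so a
#    NOTRACK / CT --notrack rule in the raw table silently defeats the DNATs above.
#    $1 = raw table dump.  Returns 0 (true) when such a rule exists.
sp_conntrack_bypassed() {
    printf '%s\n' "$1" | grep -Eq -- '^-A (PREROUTING|OUTPUT) .*-j (NOTRACK|CT --notrack)'
}

# 4. Re-added rules that conflict with the service point rules: a DROP or REJECT for the
#    same chain and port that precedes the service point ACCEPT. iptables stops at the
#    first matching rule, so the ACCEPT would never be reached. Only port-specific rules
#    are compared.  $1 = filter dump.  Prints each conflict; returns 0 when none is found.
sp_rule_conflicts() {
    printf '%s\n' "$1" | awk '
        /^-A PSM_CUSTOM_(INPUT|OUTPUT) / {
            key = ""
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" || $i == "--sport") key = $2 " " $i " " $(i + 1)
            if (key == "") next
            if ($0 ~ /-j (DROP|REJECT)/) { if (!(key in blocker)) blocker[key] = $0 }
            else if ($0 ~ /-j ACCEPT$/ && (key in blocker)) {
                print "conflict: \"" blocker[key] "\" shadows \"" $0 "\""
                found++
            }
        }
        END { exit (found > 0) }'
}

# Run every check; returns 0 only when the service point firewall state looks healthy.
# $1 filter dump, $2 nat PREROUTING dump, $3 raw dump, $4 Service Point IPv4.
sp_check() {
    sp_filter_rules_present "$1"   || { echo "missing PSM custom rule";              return 1; }
    sp_nat_rules_present "$2" "$4" || { echo "missing service point DNAT rule";      return 1; }
    sp_conntrack_bypassed "$3"     && { echo "NOTRACK rule found: DNAT will not apply"; return 1; }
    sp_rule_conflicts "$1"
}

# Constructed sample dumps: a healthy server, then the same server after an operator
# re-added a rule that drops outbound HTTPS ahead of the service point ACCEPT, plus a
# raw-table rule that disables tracking. IPs are the placeholders used on this page.
GOOD_FILTER="$SP_FILTER_RULES"
BAD_FILTER="-A PSM_CUSTOM_OUTPUT -p tcp -m tcp --dport 443 -j DROP
$SP_FILTER_RULES"
GOOD_NAT='-P PREROUTING ACCEPT
-A PREROUTING -d 172.24.0.55/32 -p tcp -m tcp --dport 53 -m comment --comment "Service Point: dns-gateway-service" -j DNAT --to-destination 247.127.127.11:9953
-A PREROUTING -d 172.24.0.55/32 -p udp -m udp --dport 53 -m comment --comment "Service Point: dns-gateway-service" -j DNAT --to-destination 247.127.127.11:9953
-A PREROUTING -i e+ -p tcp -m tcp --dport 80 -m comment --comment "Service Point: sp-proxy" -j DNAT --to-destination 247.127.127.14:80
-A PREROUTING -i e+ -p tcp -m tcp --dport 443 -m comment --comment "Service Point: sp-proxy" -j DNAT --to-destination 247.127.127.14:443'
EMPTY_RAW='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT'
NOTRACK_RAW='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -j CT --notrack'

sp_check "$GOOD_FILTER" "$GOOD_NAT" "$EMPTY_RAW" 172.24.0.55 && echo "healthy sample: OK"
sp_check "$BAD_FILTER" "$GOOD_NAT" "$NOTRACK_RAW" 172.24.0.55 || echo "broken sample: problems found (expected)"
```

The conflict check deliberately compares only rules that name a port: a blanket DROP with no port match re-added at the top of a PSM chain would also shadow the service point rules, and is easy to spot by eye in iptables -S output, so it is left to the operator rather than guessed at here.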
Important: Port 80 is open to allow you to probe the service point
diagnostics. If you do not wish to leverage the diagnostics, you can disable
port 80 by running the following commands: