Layer7 API Management

  • 1.  Default iptables behaviour

    Posted Oct 12, 2015 07:30 AM

    I'm running an 8.0 version of the Gateway, and simply want to understand the default behaviour of the iptables.

    I ask only because my 8.0 instance has been running for about 1.5 years without being rebooted, and I can see that /etc/sysconfig/iptables has a date stamp of before I deployed the instance (2013). This worries me that if I were to reboot, the rules that permit some of my policies to interact over 8443 and 6443 (for example) would be blocked by the firewall rule, as they were not set to persist. Can someone give me just a little confidence that these iptables rules have been "iptables-save"d so that they persist a reboot?

    (We have just seen a very strange scenario where these rules did not appear to persist, but are unsure on the forensics of who did what, and understanding the default behaviour will allow us to account for it in the future. I appreciate from the iptables comments that this is a machine-updated configuration.)

     

    Thanks in advance

    Jonathan



  • 2.  Re: Default iptables behaviour

    Broadcom Employee
    Posted Oct 12, 2015 08:01 AM

    Hi Belialcouk,

    I do not know the 8.0 version, but in our 8.2 the iptables config is persistent.

    It is very likely that such behaviour is identical in older versions (rebooting the gateway process is a basic need, even in prod. env !).

    Some experienced user will probably confirm my thoughts.

    Have a nice day.



  • 3.  Re: Default iptables behaviour

    Posted Oct 12, 2015 09:29 AM

    It seems obvious really that it should persist... but I just want some confidence with 8.0 specifically, and it not being a known-issue. Thanks for confirmation that 8.2 is covered.



  • 4.  Re: Default iptables behaviour
    Best Answer

    Posted Oct 12, 2015 10:10 AM

    Hi Jonathan,

    In recent versions, the gateway comes with a default iptables ruleset which should not be manually changed. In older versions there have been occasions where there were instructions to change the iptables config manually, for instance to enable SNMP or a port 443 to 8443 redirect. Currently, all these changes can and should be done through the Manage Firewall Rules option in the Manage Listen Ports dialog. This will automatically affect the runtime iptables configuration and also make sure that this configuration is saved and applied after a reboot. In the same way, the Policy Manager will also open a port in iptables when you add a new listen port in the Manage Listen Ports dialog. So as long as you use this process to manage your firewall, you should be safe.

    Hope that helps.

    Regards,

    Michiel
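The question the thread asks, "are the rules currently loaded the same ones that will be restored at boot?", can be answered without trusting the file's date stamp. The POSIX shell check below is an added example, not code from the thread, from any of its posters, or from the Gateway product: it normalizes two `iptables-save`-style listings (dropping comment lines and the `[packets:bytes]` counters that change constantly) and reports rules that are loaded but absent from the saved file, i.e. exactly what a reboot would drop. The saved-file path `/etc/sysconfig/iptables` is taken from the thread; the sample rulesets embedded in the script are constructed, and the `IPTABLES_LIVE` switch and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the Gateway product): compare the
# rules loaded in the kernel with the file the OS restores at boot. On the
# RHEL-style appliance discussed in the thread that file is
# /etc/sysconfig/iptables; override SAVED_RULES_FILE if yours differs.
SAVED_RULES_FILE="${SAVED_RULES_FILE:-/etc/sysconfig/iptables}"

# normalize_rules: read iptables-save formatted text on stdin and print one
# sorted line per rule. Comment lines, "[packets:bytes]" counters and
# surrounding whitespace are stripped so two dumps taken at different times
# compare equal when the rules themselves are identical.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/[[:space:]]*\[[0-9]*:[0-9]*][[:space:]]*$//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' | sort
}

# unsaved_rules RUNNING_FILE SAVED_FILE
# Prints rules present in the running ruleset but missing from the saved
# file: the rules a reboot would silently lose.
unsaved_rules() {
    run_tmp=$(mktemp); sav_tmp=$(mktemp)
    normalize_rules < "$1" > "$run_tmp"
    normalize_rules < "$2" > "$sav_tmp"
    comm -23 "$run_tmp" "$sav_tmp"
    rm -f "$run_tmp" "$sav_tmp"
}

# stale_saved_rules RUNNING_FILE SAVED_FILE
# The reverse: rules on disk that are not loaded, which a reboot would add
# back (old manual edits, for instance).
stale_saved_rules() {
    run_tmp=$(mktemp); sav_tmp=$(mktemp)
    normalize_rules < "$1" > "$run_tmp"
    normalize_rules < "$2" > "$sav_tmp"
    comm -13 "$run_tmp" "$sav_tmp"
    rm -f "$run_tmp" "$sav_tmp"
}

# port_is_saved PORT FILE
# Succeeds if FILE holds a rule for destination PORT, written either as
# "--dport PORT" or inside a multiport "--dports a,PORT,b" list.
port_is_saved() {
    grep -Eq -- "--dports? ([0-9]+,)*$1(,|[[:space:]]|\$)" "$2"
}

# report RUNNING_FILE SAVED_FILE
# Human-readable summary; returns 1 when any running rule is not persisted.
report() {
    missing=$(unsaved_rules "$1" "$2")
    if [ -n "$missing" ]; then
        echo "NOT PERSISTED (lost on reboot):"
        echo "$missing" | sed 's/^/  /'
        return 1
    fi
    echo "All running rules are present in $2"
}

# --- Demo on constructed sample data (needs neither root nor iptables) -----
demo_dir=$(mktemp -d)
cat > "$demo_dir/running" <<'EOF'
# Generated by iptables-save (constructed sample of the live ruleset)
*filter
:INPUT ACCEPT [12:840]
-A INPUT -p tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp --dport 6443 -j ACCEPT
COMMIT
EOF
cat > "$demo_dir/saved" <<'EOF'
# constructed sample of a saved file last written long before the 6443 rule
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 8443 -j ACCEPT
COMMIT
EOF
report "$demo_dir/running" "$demo_dir/saved" || true
rm -rf "$demo_dir"

# --- Live check: run as root on the Gateway with IPTABLES_LIVE=1 -----------
if [ "${IPTABLES_LIVE:-0}" = 1 ]; then
    live=$(mktemp)
    iptables-save > "$live"
    report "$live" "$SAVED_RULES_FILE"
    rm -f "$live"
fi
```

On the constructed sample the report lists the 6443 rule as not persisted, which is the situation the original poster feared. Run with `IPTABLES_LIVE=1` as root and a clean report gives the confidence asked for; a non-empty "NOT PERSISTED" list means a rule was added at runtime outside the Manage Firewall Rules workflow and will not survive a reboot, which is worth fixing before the next maintenance window rather than after it.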