wiki:SystemAdministration/Hosts/idp1-clarin.esc.rzg.mpg.de

Version 39 (modified by André Moreira, 6 years ago)

idp1-clarin.esc.rzg.mpg.de

Basic information

Updates

Manual, by sysops.

History

Date        Updater  Changes                                Comments
2018-08-09  andmor   Upgraded 100, Installed 2, Removed 1
2016-02-18  wilelb   Upgraded 1, Installed 137, Removed 1   SL7.2 + CVE-2015-7547 patch (glibc getaddrinfo stack overflow)
2016-02-02  wilelb   Upgraded

Backups

Managed by sysops.

No backups configured.

Firewall

External

Managed by RZG support (clarin-support@rzg.mpg.de).

Port  Purpose
80    HTTP (can be closed soon)
443   HTTPS (can be closed soon)
8443  HTTPS, Tomcat running the discovery service
8444  HTTPS, Tomcat running the IdP

Local

Managed by sysops.

Iptable configuration:

# Generated by iptables-save v1.4.21 on Mon Apr  3 09:46:42 2017
*nat
:PREROUTING ACCEPT [817555:52862503]
:INPUT ACCEPT [3511:681602]
:OUTPUT ACCEPT [3037:216840]
:POSTROUTING ACCEPT [71166:4304532]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.42.0/24 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.42.3/32 -d 172.17.42.3/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
-A POSTROUTING -s 172.17.42.2/32 -d 172.17.42.2/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.42.3/32 -d 172.17.42.3/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
-A POSTROUTING -s 172.17.42.3/32 -d 172.17.42.3/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
-A POSTROUTING -s 172.17.42.4/32 -d 172.17.42.4/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.42.3/32 -d 172.17.42.3/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.42.4/32 -d 172.17.42.4/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
-A POSTROUTING -s 172.17.42.4/32 -d 172.17.42.4/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
-A POSTROUTING -s 172.17.42.2/32 -d 172.17.42.2/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
-A POSTROUTING -s 172.17.42.2/32 -d 172.17.42.2/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
-A POSTROUTING -s 172.17.42.2/32 -d 172.17.42.2/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
-A POSTROUTING -s 172.17.42.5/32 -d 172.17.42.5/32 -p tcp -m tcp --dport 10000 -j MASQUERADE
-A POSTROUTING -s 172.17.42.5/32 -d 172.17.42.5/32 -p tcp -m tcp --dport 2443 -j MASQUERADE
-A DOCKER -d 172.17.42.1/32 ! -i docker0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.17.42.3:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8444 -j DNAT --to-destination 172.17.42.4:8443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.17.42.2:8443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 10000 -j DNAT --to-destination 172.17.42.5:10000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.42.5:2443
COMMIT
# Completed on Mon Apr  3 09:46:42 2017
# Generated by iptables-save v1.4.21 on Mon Apr  3 09:46:42 2017
*filter
:INPUT ACCEPT [119:10421]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [126:78492]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -s 37.97.184.230/32 -p tcp -m tcp --dport 10000 -j ACCEPT
-A DOCKER -s 37.97.154.156/32 -p tcp -m tcp --dport 10000 -j ACCEPT
-A DOCKER -s 192.87.79.165/32 -p tcp -m tcp --dport 10000 -j ACCEPT
-A DOCKER -p tcp -s 0.0.0.0/0 --dport 10000 -j DROP
-A DOCKER -d 172.17.42.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.17.42.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.42.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.17.42.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.17.42.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.42.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.42.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.17.42.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.17.42.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.17.42.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.17.42.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.17.42.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A DOCKER -d 172.17.42.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 2443 -j ACCEPT
COMMIT
# Completed on Mon Apr  3 09:46:42 2017

Note that Docker maintains its own DOCKER chain (FORWARD jumps to it for everything going out on docker0), and that chain is where we add the allow or block rules for specific container ports. Order matters: iptables stops at the first matching terminating target, so the source-specific ACCEPT rules for port 10000 come first, the catch-all DROP for port 10000 follows, and Docker's own generic ACCEPT for 172.17.42.5:10000 sits below it and is only reached by the three allowed sources. Because the jump to DOCKER precedes the docker0-to-docker0 ACCEPT in FORWARD, the DROP also applies to other containers on the bridge. Two caveats: the daemon recreates the DOCKER chain when it starts, so hand-added rules are lost on a Docker restart and must be reloaded from the saved file (Docker 17.06 and later provide a DOCKER-USER chain for local rules that the daemon does not flush); and several rules in the dump above appear more than once, which is harmless (identical rules, first match wins) but shows the chain has been appended to repeatedly rather than rewritten from a file.

Load the iptables rules (iptables-restore flushes and replaces the contents of each table in the file unless -n/--noflush is given, so the file must contain the complete ruleset, and the result is not persistent across a reboot by itself; afterwards compare the output of iptables-save with the file):

iptables-restore < iptables.new
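As an added example that is not part of this host's own scripts: a small sh/awk lint that checks an iptables-save dump for the conventions described above before it is loaded, namely that every source-scoped ACCEPT for a port precedes that port's catch-all DROP, that the check is scoped to the filter table (the nat table has a DOCKER chain of the same name holding the DNATs), and that no rule is duplicated. The sample dump embedded in it is a constructed, trimmed copy of the rules on this page; the function names and the SHADOWED_DUMP counter-example are the example's own.

```sh
#!/bin/sh
# Added example (not part of the host's own tooling): lint an iptables-save dump
# for the DOCKER-chain conventions used on this host before loading it with
# iptables-restore. Plain sh + awk, needs no root and touches no live rules.

# Constructed sample dump: a trimmed copy of the rule set on this page, with the
# duplicated 8443 rule kept on purpose. The variable names are this example's own.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 10000 -j DNAT --to-destination 172.17.42.5:10000
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -s 37.97.184.230/32 -p tcp -m tcp --dport 10000 -j ACCEPT
-A DOCKER -s 37.97.154.156/32 -p tcp -m tcp --dport 10000 -j ACCEPT
-A DOCKER -p tcp -s 0.0.0.0/0 --dport 10000 -j DROP
-A DOCKER -d 172.17.42.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.17.42.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.17.42.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 10000 -j ACCEPT
COMMIT'

# Constructed counter-example: the DROP was inserted above one of the source allows,
# so that source can no longer reach port 10000 even though its rule is present.
SHADOWED_DUMP='*filter
:DOCKER - [0:0]
-A DOCKER -s 37.97.184.230/32 -p tcp -m tcp --dport 10000 -j ACCEPT
-A DOCKER -p tcp -s 0.0.0.0/0 --dport 10000 -j DROP
-A DOCKER -s 37.97.154.156/32 -p tcp -m tcp --dport 10000 -j ACCEPT
COMMIT'

# Only the filter table's DOCKER chain carries the allow/drop policy; the nat table
# has a DOCKER chain of the same name holding DNATs, so scope by the *table header.
filter_docker_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/                               { table = substr($0, 2) }
        table == "filter" && /^-A DOCKER / { print }'
}

# Rule lines that occur more than once (harmless, but a sign the chain was
# appended to repeatedly instead of being rewritten from a file).
duplicate_rules() {
    filter_docker_rules "$1" | sort | uniq -d
}

duplicate_count() {
    duplicate_rules "$1" | awk 'END { print NR }'
}

# Ports for which the chain carries a catch-all DROP, i.e. the source-restricted ports.
restricted_ports() {
    filter_docker_rules "$1" | awk '
        / -j DROP$/ { for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1) }'
}

# Verdict for one port: "ordered" when every source-scoped ACCEPT precedes the DROP,
# "shadowed" when an ACCEPT sits below the DROP (unreachable, since iptables stops at
# the first matching terminating target), "unrestricted" when there is no DROP at all.
allowlist_status() {
    filter_docker_rules "$1" | awk -v port="$2" '
        index($0, "--dport " port " ") == 0 { next }
        / -j DROP$/                         { drop_seen = 1; next }
        / -s [0-9.]+\/[0-9]+ / && drop_seen { shadowed = 1 }
        END {
            if (!drop_seen)    print "unrestricted"
            else if (shadowed) print "shadowed"
            else               print "ordered"
        }'
}

# Stand-alone run: report on the sample dump and the counter-example.
for port in $(restricted_ports "$SAMPLE_DUMP"); do
    echo "port $port: $(allowlist_status "$SAMPLE_DUMP" "$port")"
done
echo "duplicate rules: $(duplicate_count "$SAMPLE_DUMP")"
echo "counter-example port 10000: $(allowlist_status "$SHADOWED_DUMP" 10000)"
```

To check the file that is about to be loaded, source the script and pass `$(cat iptables.new)` in place of `$SAMPLE_DUMP`; a "shadowed" verdict means an allow rule is below the DROP and would never match, and a non-zero duplicate count means the file was assembled by appending rather than rewritten.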

Virtual Hosts

None

Services

Configuration

Crontab

Location: /etc/crontab

*/15 * * * * root sh /root/deploy-aai-md-conversion-new.sh