vCloud Director cell firewall management

At present time, 2013-04-30, the Red Hat Enterprise Linux operating system (64 bit version of 5.4, 5.5, 5.6, 5.8, 6.1, 6.2 and 6.3) is the only one officially supported by VMware for vCloud Director (vCD) 5.1.2. Please see the vCD 5.1.2 release notes found here regarding the Red Hat Enterprise Linux 6.3 support, since the most recent version of the “vCloud Director Installation and Upgrade Guide”, which can be found here, does not include that information.

By default, Red Hat Enterprise Linux turns on its iptables firewall and only allows connections on a very limited number of ports. The open ports do not include ports 80 (used for redirection to port 443) and 443, both required by vCD.

Depending on the customer requirements and the logical placement of the vCD cell, you need to either open the required port(s) or turn off the iptables firewall. Port 80 can be left closed if the vCD cell is placed on an internet-facing network, e.g. a DMZ.

Open iptables ports required by vCD

This section applies to Red Hat Enterprise Linux 6.x and the script has recently been used for Red Hat Enterprise Linux 6.3.

When opening the port(s) required by vCD, it is important that the iptables configuration is added before the last configuration line of the iptables INPUT section:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
You can either edit the iptables configuration file manually (you’ll find the file in the directory /etc/sysconfig) or run a script. I usually run a script to avoid typos.

You can use the script below: create a file (“vi file”) on the vCD cell, copy the script text into the file, make the file executable (“chmod 755 file”) and run the file (“./file”).

#!/bin/bash
# Open RedHat Firewall to allow connections to port 80 and 443
# Version 1.0 by Magnus Andersson
# Create a copy of the original iptables file
orgfile=iptables-org-$(date +%Y%m%d)
cp /etc/sysconfig/iptables /etc/sysconfig/$orgfile
# Add the vCloud Director required iptables configuration
# First remove the final REJECT rule so the ACCEPT rules end up before it
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# Re-add the final REJECT rule after the ACCEPT rules
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
# Save the running rule set to /etc/sysconfig/iptables
/etc/init.d/iptables save
# Restart iptables
/etc/init.d/iptables restart
When copying the above text, make sure you get two minus signs before “reject-with” and before “state NEW”.
Delete the row including port 80, or comment it out with a # sign at the beginning of the line, if you do not want to open port 80.
Verify that the port configuration was added before the line “-A INPUT -j REJECT --reject-with icmp-host-prohibited” by running the command below:
cat /etc/sysconfig/iptables

Output should be similar to:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Completed on Thu Apr 18 11:39:14 2013

If you are running Red Hat Enterprise Linux version 5.x (tested on 5.6) you need to change the “INPUT” statement to “RH-Firewall-1-INPUT” on all the lines in the script that include the “INPUT” statement.

Turn off iptables

Run the below command to turn off iptables:
/etc/init.d/iptables stop

Run the below command to make sure iptables is not started when restarting the operating system:
chkconfig --level 123456 iptables off

Verify that iptables won’t start the next time you restart the operating system:
chkconfig --list iptables
Output should be:
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off