HOWTO: CentOS 7/Red Hat 7 Firewalld Setup for Cassandra Server

How to do the initial firewalld configuration for a Cassandra server and OpsCenter on CentOS/Red Hat 7 with two network interfaces (in my case a Dell 1950/2950).

First: verify that each network interface is assigned to a firewalld zone (the ZONE= key in its ifcfg file, which NetworkManager passes on to firewalld):

# grep -i zone /etc/sysconfig/network-scripts/ifcfg-*
/etc/sysconfig/network-scripts/ifcfg-enp4s0:ZONE=internal
/etc/sysconfig/network-scripts/ifcfg-enp8s0:ZONE=public
# service network restart

Second: add the Cassandra ports to the internal zone (private interface) and the web/OpsCenter ports to the public zone (public interface):

#!/bin/bash

# add ports on internal interface for Cassandra server

firewall-cmd --zone=internal --add-port=7000/tcp --add-port=7199/tcp --add-port=9042/tcp --add-port=9160/tcp --add-port=61619-61621/tcp --permanent

# add ports on public interface for Cassandra server

firewall-cmd --zone=public --add-port=80/tcp --add-port=8888/tcp --permanent

firewall-cmd --reload

Edit the zone files in /etc/firewalld/zones (internal.xml and public.xml, written by the --permanent commands above) to remove the desktop helper services that the default zones allow, then do

service firewalld restart

Third: verify the configuration:

firewall-cmd --get-active-zones
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --list-services
firewall-cmd --zone=internal --list-ports
firewall-cmd --zone=internal --list-services

The output is:

# firewall-cmd --get-active-zones
internal
interfaces: enp4s0
public
interfaces: enp8s0

# firewall-cmd --zone=internal --list-ports
7000/tcp 7199/tcp 9042/tcp 9160/tcp 61619-61621/tcp

# firewall-cmd --zone=internal --list-services
ssh

# firewall-cmd --zone=public --list-ports
80/tcp 8888/tcp

# firewall-cmd --zone=public --list-services
ssh

Fourth: verify the firewall rules from the outside with nmap against the public interface:

# nmap -sS my.external.interface.com

Starting Nmap 5.51 ( http://nmap.org ) at 2015-10-15 22:34 PDT
Nmap scan report for my.external.interface.com
Host is up (0.075s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8888/tcp open opscenter

Nice! 🙂
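As an added example that is not part of the original post, a small shell check that turns the third step into a pass/fail test: it compares each zone's firewall-cmd output with the port and service allow-lists this HOWTO ends up with and flags anything missing or extra (such as a desktop helper service left in the zone file). The function names, the allow-list variables and the --live flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: compare what firewall-cmd reports
# for a zone against the allow-lists this HOWTO ends up with, so a leftover
# desktop helper service or a missing Cassandra port is flagged in one run.
# The function names and allow-list variables are this example's own.

# Ports and services expected after the reload and the zone-file cleanup.
INTERNAL_PORTS="7000/tcp 7199/tcp 9042/tcp 9160/tcp 61619-61621/tcp"
PUBLIC_PORTS="80/tcp 8888/tcp"
ALLOWED_SERVICES="ssh"

# list_diff A B: print the items of space-separated list A that are not in B.
list_diff() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) printf '%s ' "$item" ;;
        esac
    done
}

# zone_matches ACTUAL EXPECTED: return 0 when both lists hold the same items
# (order does not matter); otherwise report missing/extra items and return 1.
zone_matches() {
    missing=$(list_diff "$2" "$1")
    extra=$(list_diff "$1" "$2")
    [ -z "$missing" ] && [ -z "$extra" ] && return 0
    printf 'missing:[%s] extra:[%s]\n' "$missing" "$extra" >&2
    return 1
}

# check_zone ZONE EXPECTED_PORTS ACTUAL_PORTS ACTUAL_SERVICES: verify one zone;
# ACTUAL_* are arguments so it works on live output or constructed samples.
check_zone() {
    rc=0
    zone_matches "$3" "$2" || { echo "$1: port list differs" >&2; rc=1; }
    zone_matches "$4" "$ALLOWED_SERVICES" || { echo "$1: extra services" >&2; rc=1; }
    return $rc
}

# check_live: query the running firewalld for the two zones used in this HOWTO.
check_live() {
    check_zone internal "$INTERNAL_PORTS" \
        "$(firewall-cmd --zone=internal --list-ports)" \
        "$(firewall-cmd --zone=internal --list-services)" &&
    check_zone public "$PUBLIC_PORTS" \
        "$(firewall-cmd --zone=public --list-ports)" \
        "$(firewall-cmd --zone=public --list-services)"
}
if [ "${1-}" = "--live" ]; then check_live; fi  # only when run as: sh check-zones.sh --live
```

Run it as root on the node with --live to query the running firewalld; check_zone can also be fed captured strings, so the output listed above can be re-checked after every reload.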

Troubleshooting

As always, if you experience network issues on Linux, disable SELinux, firewalld and TCP wrappers first and verify whether those are the source of the problem:

setenforce 0
service firewalld stop
cat /etc/hosts.*

To boot into single-user mode, replace the "ro" item on the linux line in GRUB with "rw init=/sysroot/bin/sh".

Fedora introduces Network Zones
fedoraproject.org: Network Zones
