Recently, while working on some node/instance automation with RightScale, I needed extra iptables rules to be created automatically whenever a new node booted. Initially I tried to do this with plain iptables commands (shown below), but the rules never survived. After digging through the logs I realized that the iptables handling RightScale ships with the ServerTemplate I was using flushes iptables at the very end of the boot process, which wiped out the entries my RightScript had just added. To get permanent iptables entries on a Rackspace node managed by RightScale, you have to write the rules to a file in the location the boot process reads after it flushes the current ruleset. Below I describe my first attempt, followed by the correct way to have iptables entries picked up by RightScale.
First RightScript Attempt At Creating iptables Rules On Rackspace CentOS Nodes:
#!/bin/bash
# First attempt: append rules to the live INPUT chain. These are wiped when
# RightScale flushes iptables at the end of the boot process.
iptables -A INPUT -p tcp --dport 4001 -j ACCEPT
iptables -A INPUT -p tcp --dport 4011 -j ACCEPT
iptables -A INPUT -p tcp --dport 4021 -j ACCEPT
# dump the live ruleset (to stdout)
iptables-save
I tried a number of variations of the above script, such as adding “#!/bin/bash”, writing the commands to a file and running that, using the full path to the iptables binary, and several others. None of them worked, so I looked at how RightScale sets up its own iptables inputs and realized that if I wrote my rules to files in the /etc/iptables.d directory, in the same format RightScale uses, the RightScale iptables flush process on Rackspace nodes would pick them up. Below is an example of such a script that adds more iptables rules to Rackspace CentOS Linux instances managed via RightScale.
Add More iptables Rules To A Rackspace Linux Node Managed By RightScale:
#!/bin/bash
# Each rule goes in its own file under /etc/iptables.d, in the format RightScale
# itself uses (rules are appended to the FWR chain). The quoted "EOF" keeps the
# heredoc body literal so nothing inside it is expanded by the shell.

# add port 4001 to iptables rules
cat <<"EOF" >/etc/iptables.d/port_4001_any_tcp
# Opens 4001 port to all
-A FWR --protocol tcp --dport 4001 -j ACCEPT
EOF

# add port 4011 to iptables rules
cat <<"EOF" >/etc/iptables.d/port_4011_any_tcp
# Opens 4011 port to all
-A FWR --protocol tcp --dport 4011 -j ACCEPT
EOF

# add port 4021 to iptables rules
cat <<"EOF" >/etc/iptables.d/port_4021_any_tcp
# Opens 4021 port to all
-A FWR --protocol tcp --dport 4021 -j ACCEPT
EOF

# dump the live ruleset (to stdout)
iptables-save
As you can see in the script above, the idea is to generate one file in the /etc/iptables.d directory, such as port_4011_any_tcp, for each iptables rule you want enabled when the Rackspace CentOS Linux instance comes online. The approach should be similar for other Linux distributions and other cloud providers managed by RightScale, but you will need to verify the file locations and the exact iptables syntax (for example the chain name) on those platforms.
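The same file-per-rule approach, written as a reusable shell function with input validation and an idempotency check so it is safe to run on every boot. This is an added example, not code from the original post or from RightScale; the target directory is a parameter (the post uses /etc/iptables.d) and the FWR chain and file-name convention are taken from the post.

```shell
#!/bin/bash
# Added example: write one RightScale-style rule file per port under DIR,
# following the post's port_<port>_any_<proto> naming and "-A FWR" rule syntax.
# DIR is a parameter so the functions can be exercised against a scratch
# directory instead of the real /etc/iptables.d.

# write_rule_file DIR PORT PROTO
# Returns 0 on success or when an identical rule file already exists,
# 1 on an invalid port/protocol, 2 if the file exists with different content
# (so a re-run at reboot never silently clobbers a hand-edited rule).
write_rule_file() {
    local dir=$1 port=$2 proto=$3
    case $proto in
        tcp|udp) ;;
        *) echo "write_rule_file: bad protocol '$proto'" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "write_rule_file: bad port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "write_rule_file: port out of range '$port'" >&2; return 1
    fi
    local file="$dir/port_${port}_any_${proto}"
    local rule="-A FWR --protocol $proto --dport $port -j ACCEPT"
    if [ -e "$file" ]; then
        # Idempotent: same rule already present, nothing to do.
        grep -qxF -- "$rule" "$file" && return 0
        echo "write_rule_file: $file exists with different content" >&2
        return 2
    fi
    printf '# Opens %s port to all\n%s\n' "$port" "$rule" > "$file"
}

# count_rule_files DIR
# Prints how many port_* files in DIR contain a well-formed FWR accept rule;
# a quick sanity check to run before the RightScale flush re-reads the directory.
count_rule_files() {
    local f n=0
    for f in "$1"/port_*; do
        [ -f "$f" ] || continue
        grep -qE '^-A FWR --protocol (tcp|udp) --dport [0-9]+ -j ACCEPT$' "$f" \
            && n=$((n + 1))
    done
    echo "$n"
}

# On a node, the post's three rules would be written with:
#   for p in 4001 4011 4021; do write_rule_file /etc/iptables.d "$p" tcp; done
```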
All you really have to do is create a RightScript with contents similar to the above and add it to the boot sequence of a node, and these iptables rules will be enabled automatically. Other commands and code can be wrapped around the iptables commands, for example to make sure the script only runs on first boot and not on every reboot.