On Linux systems, you can configure and enable the iptables firewall to work with Greenplum Database.

Note

Greenplum Database performance might be impacted when iptables is enabled. You should test the performance of your application with iptables enabled to ensure that performance is acceptable.

For more information about iptables see the iptables and firewall documentation for your operating system. See also Deactivating SELinux and Firewall Software.

How to Enable iptables

  1. As gpadmin, run this command on the Greenplum Database master host to stop Greenplum Database:

    1. $ gpstop -a
  2. On the Greenplum Database hosts:

    1. Update the file /etc/sysconfig/iptables based on the Example iptables Rules.

    2. As root user, run these commands to enable iptables:

      1. # chkconfig iptables on
      2. # service iptables start
  3. As gpadmin, run this command on the Greenplum Database master host to start Greenplum Database:

    1. $ gpstart -a

Warning: After enabling iptables, this error in the /var/log/messages file indicates that the setting for the iptables table is too low and needs to be increased.

  1. ip_conntrack: table full, dropping packet.

As root, run this command to view the iptables table value:

  1. # sysctl net.ipv4.netfilter.ip_conntrack_max

To ensure that the Greenplum Database workload does not overflow the iptables table, as root, set it to the following value:

  1. # sysctl net.ipv4.netfilter.ip_conntrack_max=6553600

The value might need to be adjusted for your hosts. To maintain the value after reboot, you can update the /etc/sysctl.conf file as discussed in Setting the Greenplum Recommended OS Parameters.

Parent topic: Installing and Upgrading Greenplum

Example iptables Rules

When iptables is enabled, iptables manages the IP communication on the host system based on configuration settings (rules). The example rules are used to configure iptables for Greenplum Database master host, standby master host, and segment hosts.

The two sets of rules account for the different types of communication Greenplum Database expects on the master (primary and standby) and segment hosts. The rules should be added to the /etc/sysconfig/iptables file of the Greenplum Database hosts. For Greenplum Database, iptables rules should allow the following communication:

  • For customer facing communication with the Greenplum Database master, allow at least postgres and 28080 (eth1 interface in the example).

  • For Greenplum Database system interconnect, allow communication using tcp, udp, and icmp protocols (eth4 and eth5 interfaces in the example).

    The network interfaces that you specify in the iptables settings are the interfaces for the Greenplum Database hosts that you list in the hostfile_gpinitsystem file. You specify the file when you run the gpinitsystem command to initialize a Greenplum Database system. See Initializing a Greenplum Database System for information about the hostfile_gpinitsystem file and the gpinitsystem command.

  • For the administration network on a Greenplum DCA, allow communication using ssh, ntp, and icmp protocols. (eth0 interface in the example).

In the iptables file, each append rule command (lines starting with -A) is a single line.

The example rules should be adjusted for your configuration. For example:

  • The append command, the -A lines and connection parameter -i should match the connectors for your hosts.
  • the CIDR network mask information for the source parameter -s should match the IP addresses for your network.

Example Master and Standby Master iptables Rules

Example iptables rules with comments for the /etc/sysconfig/iptables file on the Greenplum Database master host and standby master host.

  1. *filter
  2. # Following 3 are default rules. If the packet passes through
  3. # the rule set it gets these rule.
  4. # Drop all inbound packets by default.
  5. # Drop all forwarded (routed) packets.
  6. # Let anything outbound go through.
  7. :INPUT DROP [0:0]
  8. :FORWARD DROP [0:0]
  9. :OUTPUT ACCEPT [0:0]
  10. # Accept anything on the loopback interface.
  11. -A INPUT -i lo -j ACCEPT
  12. # If a connection has already been established allow the
  13. # remote host packets for the connection to pass through.
  14. -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  15. # These rules let all tcp and udp through on the standard
  16. # interconnect IP addresses and on the interconnect interfaces.
  17. # NOTE: gpsyncmaster uses random tcp ports in the range 1025 to 65535
  18. # and Greenplum Database uses random udp ports in the range 1025 to 65535.
  19. -A INPUT -i eth4 -p udp -s 192.0.2.0/22 -j ACCEPT
  20. -A INPUT -i eth5 -p udp -s 198.51.100.0/22 -j ACCEPT
  21. -A INPUT -i eth4 -p tcp -s 192.0.2.0/22 -j ACCEPT --syn -m state --state NEW
  22. -A INPUT -i eth5 -p tcp -s 198.51.100.0/22 -j ACCEPT --syn -m state --state NEW
  23. \# Allow udp/tcp ntp connections on the admin network on Greenplum DCA.
  24. -A INPUT -i eth0 -p udp --dport ntp -s 203.0.113.0/21 -j ACCEPT
  25. -A INPUT -i eth0 -p tcp --dport ntp -s 203.0.113.0/21 -j ACCEPT --syn -m state --state NEW
  26. # Allow ssh on all networks (This rule can be more strict).
  27. -A INPUT -p tcp --dport ssh -j ACCEPT --syn -m state --state NEW
  28. # Allow Greenplum Database on all networks.
  29. -A INPUT -p tcp --dport postgres -j ACCEPT --syn -m state --state NEW
  30. # Allow Greenplum Command Center on the customer facing network.
  31. -A INPUT -i eth1 -p tcp --dport 28080 -j ACCEPT --syn -m state --state NEW
  32. # Allow ping and any other icmp traffic on the interconnect networks.
  33. -A INPUT -i eth4 -p icmp -s 192.0.2.0/22 -j ACCEPT
  34. -A INPUT -i eth5 -p icmp -s 198.51.100.0/22 -j ACCEPT
  35. \# Allow ping only on the admin network on Greenplum DCA.
  36. -A INPUT -i eth0 -p icmp --icmp-type echo-request -s 203.0.113.0/21 -j ACCEPT
  37. # Log an error if a packet passes through the rules to the default
  38. # INPUT rule (a DROP).
  39. -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
  40. COMMIT

Example Segment Host iptables Rules

Example iptables rules for the /etc/sysconfig/iptables file on the Greenplum Database segment hosts. The rules for segment hosts are similar to the master rules with fewer interfaces and fewer udp and tcp services.

  1. *filter
  2. :INPUT DROP
  3. :FORWARD DROP
  4. :OUTPUT ACCEPT
  5. -A INPUT -i lo -j ACCEPT
  6. -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  7. -A INPUT -i eth2 -p udp -s 192.0.2.0/22 -j ACCEPT
  8. -A INPUT -i eth3 -p udp -s 198.51.100.0/22 -j ACCEPT
  9. -A INPUT -i eth2 -p tcp -s 192.0.2.0/22 -j ACCEPT --syn -m state --state NEW
  10. -A INPUT -i eth3 -p tcp -s 198.51.100.0/22 -j ACCEPT --syn -m state --state NEW
  11. -A INPUT -p tcp --dport ssh -j ACCEPT --syn -m state --state NEW
  12. -A INPUT -i eth2 -p icmp -s 192.0.2.0/22 -j ACCEPT
  13. -A INPUT -i eth3 -p icmp -s 198.51.100.0/22 -j ACCEPT
  14. -A INPUT -i eth0 -p icmp --icmp-type echo-request -s 203.0.113.0/21 -j ACCEPT
  15. -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
  16. COMMIT