To enable the mongod
processes in the replica set to communicate with each other, the MongoDB port (TCP 27017) must be opened in the firewall on each of the CAS servers (casdev-srv01, casdev-srv02, and casdev-srv03).
Create a firewalld
service configuration
First, create a firewalld
service configuration file on the master build server (casdev-master) called /etc/firewalld/services/mongod.xml
with the following contents:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>mongod</short>
<description>MongoDB default port for mongod and mongos instances.</description>
<port protocol="tcp" port="27017"/>
</service>
to define the service, and then run the commands
casdev-master# restorecon /etc/firewalld/services/mongod.xml
casdev-master# chmod 640 /etc/firewalld/services/mongod.xml
casdev-master# firewall-cmd --reload
success
casdev-master#
to assign the correct SELinux context and file permissions to the mongod.xml
file and inform firewalld
of its existence. Then copy the new file to each of the CAS servers and inform their firewalld
processes of its existence by running the commands
casdev-master# for i in 01 02 03
> do
> scp -p /etc/firewalld/services/mongod.xml casdev-srv${i}:/etc/firewalld/services/mongod.xml
> ssh casdev-srv${i} firewall-cmd --reload
> done
mongod.xml 100% 205 309.3KB/s 00:00
success
mongod.xml 100% 205 320.6KB/s 00:00
success
mongod.xml 100% 205 333.8KB/s 00:00
success
casdev-master#
Configure the firewall
Because some of the information stored in MongoDB may be sensitive (e.g., passwords in configuration properties), we will only open the MongoDB port in the firewall to connections from the CAS servers and the master build server.
Create an ipset of source addresses
A firewalld
ipset is a named list of IP addresses that can be referenced in firewall rules. We will define an ipset called cas-servers
that contains the addresses of the master build server and the CAS servers, which can be used to create the firewall rule in the next section. Run the commands
# firewall-cmd --permanent --new-ipset=cas-servers --type=hash:net
success
# firewall-cmd --reload
success
# firewall-cmd --permanent --ipset=cas-servers --add-entry=192.168.100.100
success
# firewall-cmd --permanent --ipset=cas-servers --add-entry=192.168.100.101
success
# firewall-cmd --permanent --ipset=cas-servers --add-entry=192.168.100.102
success
# firewall-cmd --permanent --ipset=cas-servers --add-entry=192.168.100.103
success
# firewall-cmd --reload
success
#
on each of the three CAS servers (casdev-srv01, casdev-srv02. and casdev-srv03). It is not necessary to define the ipset on the master build server (casdev-master), since it will not be running mongod
.
Create a rich rule to enable access
In addition to command-line arguments that allow the creation of basic allow/deny rules, firewalld
supports a rich rule language for creating more complex rules. The rich language extends the basic set of elements (service, port, etc.) with additional elements, such as source and destination addresses, logging, actions and limits for logs and actions. We will use a rich rule to limit connections to the mongod
port to the IP addresses in the cas-servers
ipset defined above. Run the commands
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source ipset="cas-servers" service name="mongod" accept'
success
# firewall-cmd --reload
success
#
on each of the three CAS servers (casdev-srv01, casdev-srv02. and casdev-srv03). It is not necessary to install the rule on the master build server (casdev-master), since it will not be running mongod
.