locking down cluster with iptables


locking down cluster with iptables

Bruce Lysik
Hi,

I'm trying to setup iptables to lockdown my ES cluster to only speak to itself, my kibana frontend, and the logstash indexers.  I'm having a difficult time figuring out what ports I need to leave open.  There are plenty of references to ports 9200-9300.  However, with netstat I see plenty of inter-cluster communication on ports in the 30000 to high 50000s. 

Can someone clarify what ports are necessary to open up, if I'm starting with a default of dropping all incoming, and allowing outgoing.

Thanks!

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/groups/opt_out.

Re: locking down cluster with iptables

joergprante@gmail.com
It does not make much sense to run iptables filters inside of a cluster.

You should set up a private network and hide Elasticsearch nodes behind
a reverse proxy at HTTP port 80 or 443 so there won't be a need to think
about internal ports.

In the stock ES, there are two port ranges, 9200-9299 (http) and
9300-9399 (cluster node transport). With plugins there may be more IP
ranges. The ports at 30000-60000 are randomly allocated by your
operating system, these are at the client side of the connections. Note,
as ports may be rearranged in the config, you can also use other port
ranges.

Jörg

On 17.02.13 16:28, Bruce Lysik wrote:

> Hi,
>
> I'm trying to setup iptables to lockdown my ES cluster to only speak
> to itself, my kibana frontend, and the logstash indexers.  I'm having
> a difficult time figuring out what ports I need to leave open.  There
> are plenty of references to ports 9200-9300.  However, with netstat I
> see plenty of inter-cluster communication on ports in the 30000 to
> high 50000s.
>
> Can someone clarify what ports are necessary to open up, if I'm
> starting with a default of dropping all incoming, and allowing outgoing.
>
> Thanks!

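The point in the reply about 30000-60000 being client-side ports is what makes the original question answerable: those ports never need an ACCEPT rule, only the reply half of connections the node itself opened does. The script below is an added example, not code from either poster; it emits an iptables-restore ruleset for one node with a default inbound DROP, opening 9300-9399 only to cluster peers and 9200-9299 only to the Kibana and Logstash hosts. All addresses and the admin SSH CIDR are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for
# one Elasticsearch node that drops all inbound traffic by default and only
# admits the cluster's own ports. IPs and the admin CIDR are constructed.
#
# The 30000-60000 ports seen in netstat are the client-side (ephemeral) ends
# of connections, so they are never opened here: the ESTABLISHED,RELATED rule
# admits the reply half of every connection this node initiated.

# $1 = cluster peer IPs (transport, 9300-9399), space separated
# $2 = Kibana / Logstash IPs (HTTP, 9200-9299), space separated
# $3 = admin CIDR allowed to open SSH sessions (assumed management need)
gen_es_rules() {
    peers=$1; clients=$2; admin=$3
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        "-A INPUT -p tcp -s $admin --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # Node-to-node transport: only other cluster members may open connections.
    for ip in $peers; do
        printf '%s\n' "-A INPUT -p tcp -s $ip --dport 9300:9399 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # HTTP API: only the Kibana frontend and the Logstash indexers.
    for ip in $clients; do
        printf '%s\n' "-A INPUT -p tcp -s $ip --dport 9200:9299 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else (including the ephemeral ranges) falls to the INPUT DROP policy.
    printf '%s\n' 'COMMIT'
}

# Constructed topology: two ES peers, one Kibana host, one Logstash indexer.
gen_es_rules "10.0.0.11 10.0.0.12" "10.0.1.5 10.0.1.6" "10.0.9.0/24"
```

Each node gets the other nodes as its peer list, and the printed ruleset is applied by piping it into iptables-restore; if the ports were moved in elasticsearch.yml, adjust the two ranges to match.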