@4sushi
Created July 3, 2018 17:01
Linux IPTABLES firewall hadoop cluster example
#!/bin/sh
# Simple example of a firewall for a Hadoop cluster (on a public network) with IPTABLES
# Run the script with sudo
# Example:
# master : 10.0.0.1 (public IP)
# slave1 : 10.0.0.2 (public IP)
# slave2 : 10.0.0.3 (public IP)
# company : 5.0.0.1 (public IP)
# Clean all tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Default policies
# drop all connections from other machines to this machine
iptables -P INPUT DROP
# accept all connections from this machine to other machines
iptables -P OUTPUT ACCEPT
# drop all forwarded connections (this host is not a router)
iptables -P FORWARD DROP
# With the three policies above, a request from this machine to another machine is sent (OUTPUT is ACCEPT)
# but the reply is dropped (INPUT is DROP).
# To fix this, accept INPUT packets that belong to a connection this machine already opened
# (state ESTABLISHED) or that connection tracking ties to such a connection (state RELATED, e.g. ICMP errors).
# Allow connections established by the server
# (on current kernels "-m conntrack --ctstate ESTABLISHED,RELATED" is the equivalent, non-deprecated form)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow local (loopback) traffic
iptables -I INPUT -i lo -j ACCEPT
# Redundant with the rule above: it matches on the source address only, which is weaker than
# matching on the lo interface, so prefer the -i lo form
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
# Allow all INPUT traffic (every port) from the trusted hosts: the cluster nodes and the company address
iptables -A INPUT -s 10.0.0.1 -j ACCEPT
iptables -A INPUT -s 10.0.0.2 -j ACCEPT
iptables -A INPUT -s 10.0.0.3 -j ACCEPT
iptables -A INPUT -s 5.0.0.1 -j ACCEPT
# Allow one service to all source IPs, e.g. port 80 (HTTP)
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Log INPUT packets that reached the end of the chain (they are then dropped by the INPUT policy)
# iptables -A INPUT -j LOG --log-prefix='[iptables] '
# For a higher level of security, disable the rule "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
# and allow only a restricted list of IPs. You may then also have to allow DNS, NTP and the other services the Hadoop servers use.
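The script above applies its rules one iptables call at a time and accepts every port from the trusted hosts. The following is an added example, not part of the original gist, that expresses the same allow-list as a single iptables-restore ruleset: the whole set is loaded atomically (so no half-applied state exists while the policy is already DROP), the loopback rule matches on the interface rather than the source address, the conntrack match replaces the deprecated state match, and each trusted host is limited to the ports it actually needs. The host addresses are the ones from the gist; the Hadoop port list (8020, 9870) and the choice of SSH for the company address are assumptions to be replaced with whatever your cluster really listens on. The gen_rules function only prints the ruleset; it is applied by iptables-restore only when the script is run as root with --apply.

```shell
#!/bin/sh
# Added example (not from the original gist): build the gist's allow-list as an
# atomic iptables-restore ruleset, restricted to specific ports, using conntrack.
# Host addresses come from the gist; the port lists are assumptions.

TRUSTED_HOSTS="10.0.0.1 10.0.0.2 10.0.0.3"   # cluster nodes (from the gist)
ADMIN_HOSTS="5.0.0.1"                         # company address (from the gist)
CLUSTER_PORTS="8020 9870"                     # assumed Hadoop listener ports; adjust to your version
ADMIN_PORTS="22"                              # assumed: SSH for administration from the company

# gen_rules: print an iptables-restore ruleset for the filter table to stdout.
gen_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # loopback traffic, matched on the interface (a bare -s 127.0.0.1 match is weaker)
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # replies to connections this host opened; conntrack replaces the deprecated state match
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # packets that connection tracking cannot classify are dropped early
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # cluster nodes may open new connections only to the Hadoop ports
    for h in $TRUSTED_HOSTS; do
        for p in $CLUSTER_PORTS; do
            printf '%s\n' "-A INPUT -s $h -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # the company address may open new connections only to the admin ports
    for h in $ADMIN_HOSTS; do
        for p in $ADMIN_PORTS; do
            printf '%s\n' "-A INPUT -s $h -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # log what is about to hit the DROP policy, rate-limited so the log cannot be flooded
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "[iptables] "'
    printf '%s\n' 'COMMIT'
}

# count_allow_rules: number of per-host, per-port ACCEPT rules in the generated set
count_allow_rules() {
    gen_rules | grep -c -- '--dport'
}

if [ "$1" = "--apply" ]; then
    gen_rules | iptables-restore      # loads the whole table atomically; must run as root
else
    gen_rules                          # dry run: show the ruleset that would be applied
fi
```

Run it without arguments first and review the printed ruleset; with the lists above it contains seven port-specific ACCEPT rules (three nodes times two Hadoop ports, plus SSH from the company address). Because iptables-restore replaces the filter table in one operation, the ESTABLISHED,RELATED rule is in place the moment the DROP policy takes effect, which is the window the one-command-at-a-time script leaves open.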