@jrha
Last active August 29, 2015 14:22
Example of building the iptables firewall configuration for an Elasticsearch cluster from Aquilon cluster membership (Pan templates, two files: elasticsearch/firewall and elasticsearch/nodes)
template elasticsearch/firewall;

include 'components/iptables/config';
include 'components/chkconfig/config';

# Must already be set by the including template (elasticsearch/nodes does this)
variable ELASTICSEARCH_NODE_LIST ?= error('ELASTICSEARCH_NODE_LIST not defined, this should have been populated before the firewall setup was included!');

# 9200: HTTP/REST API, 9300: node-to-node transport protocol
variable ELASTICSEARCH_PORTS = list('9200', '9300');

prefix '/software/components/iptables/';

# Default chain policies: accept inbound and outbound, drop forwarded traffic
'filter/preamble/input' = 'ACCEPT [0:0]';
'filter/preamble/output' = 'ACCEPT [0:0]';
'filter/preamble/forward' = 'DROP [0:0]';
'filter/epilogue' = 'COMMIT';

# Hosts allowed to reach the Elasticsearch ports: every node in our cluster,
# plus loopback so local clients on this host can talk to it as well
variable nodes = ELASTICSEARCH_NODE_LIST;
variable nodes = append('127.0.0.1');

'filter/rules' ?= list();
'filter/rules' = {
    # One ACCEPT rule per (node, port) pair
    foreach (i; node; nodes) {
        foreach (j; port; ELASTICSEARCH_PORTS) {
            append(SELF, dict(
                'command', '-A',
                'chain', 'input',
                'protocol', 'tcp',
                'dst_port', port,
                'src_addr', node,
                'target', 'ACCEPT'
            ));
        };
    };
    # Reject everybody else on the Elasticsearch ports. iptables evaluates a
    # chain first-match, so these catch-all rules are appended after the
    # ACCEPT rules; appended first they would reject the cluster nodes too.
    foreach (j; port; ELASTICSEARCH_PORTS) {
        append(SELF, dict(
            'command', '-A',
            'chain', 'input',
            'protocol', 'tcp',
            'dst_port', port,
            'target', 'REJECT'
        ));
    };
    SELF;
};

# Ensure iptables is enabled in all run-levels and started
prefix '/software/components/chkconfig/service/iptables/';
'on' = '';
'startstop' = true;
template elasticsearch/nodes;

# Take the node list from the cluster profile's membership; this must be set
# before elasticsearch/firewall is included, which is why the include is last
variable ELASTICSEARCH_NODE_LIST = value('clusters/elasticsearch:/system/cluster/members');
variable ELASTICSEARCH_NODE_COUNT = length(ELASTICSEARCH_NODE_LIST);

include 'elasticsearch/firewall';
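The templates above build the INPUT chain out of per-node ACCEPT rules and catch-all REJECT rules, all appended with `-A`, so the order in which the two groups are generated decides whether cluster members get through. The following Python simulation is an added example, not code from the gist and not ncm-iptables code: it builds rule dicts with the same keys the template uses, constructs the chain with the REJECT rules appended either before or after the ACCEPT rules, and evaluates packets with iptables' first-match semantics. The member addresses (10.0.0.11-13), the outsider address (192.0.2.9) and the `to_iptables` rendering are constructed for illustration; the rendering approximates the rules for reading and is not the file the component writes.

```python
"""Simulate first-match evaluation of the INPUT chain built by the
elasticsearch/firewall template (constructed example, not code from the gist)."""

ELASTICSEARCH_PORTS = ("9200", "9300")

# Constructed stand-in for ELASTICSEARCH_NODE_LIST, i.e. what
# value('clusters/elasticsearch:/system/cluster/members') would return.
CLUSTER_MEMBERS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
OUTSIDER = "192.0.2.9"  # constructed: a host that is not a cluster member


def accept_rules(nodes):
    """Per-node ACCEPT rules, same keys as the dicts in the Pan template."""
    return [
        {"command": "-A", "chain": "input", "protocol": "tcp",
         "dst_port": port, "src_addr": node, "target": "ACCEPT"}
        for node in nodes
        for port in ELASTICSEARCH_PORTS
    ]


def reject_rules():
    """Catch-all REJECT rules for the Elasticsearch ports (no src_addr)."""
    return [
        {"command": "-A", "chain": "input", "protocol": "tcp",
         "dst_port": port, "target": "REJECT"}
        for port in ELASTICSEARCH_PORTS
    ]


def build_rules(members, reject_first):
    """Rule list in the order successive '-A' appends land in the chain.

    Like the template, 127.0.0.1 is added to the member list so local
    clients can reach the ports; reject_first picks which group goes first.
    """
    nodes = list(members) + ["127.0.0.1"]
    if reject_first:
        return reject_rules() + accept_rules(nodes)
    return accept_rules(nodes) + reject_rules()


def matches(rule, src, dport, proto="tcp"):
    """Does a tcp packet from src to local port dport match this rule?"""
    if rule["chain"] != "input" or rule["protocol"] != proto:
        return False
    if rule["dst_port"] != str(dport):
        return False
    # A rule without src_addr matches any source, like iptables without -s
    return rule.get("src_addr") in (None, src)


def verdict(rules, src, dport, policy="ACCEPT"):
    """iptables semantics: first matching rule wins, otherwise the chain
    policy applies ('ACCEPT [0:0]' in the template's preamble)."""
    for rule in rules:
        if matches(rule, src, dport):
            return rule["target"]
    return policy


def cluster_isolated(rules, members, outsider):
    """True iff every member (and loopback) reaches both ports and the
    outsider reaches neither."""
    allowed = list(members) + ["127.0.0.1"]
    if any(verdict(rules, m, p) != "ACCEPT"
           for m in allowed for p in ELASTICSEARCH_PORTS):
        return False
    return all(verdict(rules, outsider, p) == "REJECT"
               for p in ELASTICSEARCH_PORTS)


def to_iptables(rule):
    """Approximate iptables command line for one rule dict (for reading;
    not the exact file ncm-iptables writes)."""
    parts = ["iptables", rule["command"], rule["chain"].upper(),
             "-p", rule["protocol"]]
    if "src_addr" in rule:
        parts += ["-s", rule["src_addr"]]
    parts += ["--dport", rule["dst_port"], "-j", rule["target"]]
    return " ".join(parts)


if __name__ == "__main__":
    for reject_first in (True, False):
        rules = build_rules(CLUSTER_MEMBERS, reject_first)
        print(f"--- REJECT appended {'first' if reject_first else 'last'} ---")
        for r in rules:
            print(to_iptables(r))
        print("member 10.0.0.11 -> 9300:", verdict(rules, "10.0.0.11", 9300))
        print("outsider -> 9200:", verdict(rules, OUTSIDER, 9200))
        print("cluster isolated:", cluster_isolated(rules, CLUSTER_MEMBERS, OUTSIDER))
```

Running it prints both chains and shows that with the REJECT rules appended first, every member is rejected on 9200 and 9300 because the catch-all matches before any ACCEPT; with the ACCEPT rules first, members and loopback get through, the outsider is rejected, and ports the template does not mention fall through to the chain's ACCEPT policy.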