◦ Never let someone who does not have access rights to the controller 'look over your shoulder' while accessing the UI.
◦ Make sure Keystone is configured to expire tokens after a short period of time (a common industry practice is 20 minutes).
Do not delete any iptables chains named hazelcast, cassandra-default, or cassandra-team, or any rules for the following ports: 5700, 7000, 7001, 7199, 9160.
Do not manually override the iptables rules to allow or deny ports 5700, 7000, 7001, 7199, and 9160.
Example 1 "Rules created for a team of 3 controllers" displays the rules created for a team of 3 controllers (1.2.1.1, 1.2.1.2, 1.2.1.3) when running the sudo iptables -nL command:

Example 1 Rules created for a team of 3 controllers

# sudo iptables -nL
Chain INPUT (policy ACCEPT)
target            prot opt source      destination
cassandra-team    all  --  0.0.0.0/0   0.0.0.0/0
cassandra-default all  --  0.0.0.0/0   0.0.0.0/0
hazelcast         all  --  0.0.0.0/0   0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target            prot opt source      destination

Chain OUTPUT (policy ACCEPT)
target            prot opt source      destination
cassandra-team    all  --  0.0.0.0/0   0.0.0.0/0
cassandra-default all  --  0.0.0.0/0   0.0.0.0/0
hazelcast         all  --  0.0.0.0/0   0.0.0.0/0

Chain cassandra-default (2 references)
target     prot opt source      destination
ACCEPT     tcp  --  127.0.0.1   127.0.0.1   tcp dpt:7001
ACCEPT     tcp  --  127.0.0.1   127.0.0.1   tcp dpt:9160
ACCEPT     tcp  --  127.0.0.1   127.0.0.1   tcp dpt:7199
DROP       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:7199
DROP       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:9160
DROP       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:7000
DROP       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:7001

Chain cassandra-team (2 references)
target     prot opt source      destination
ACCEPT     tcp  --  1.2.1.2     1.2.1.3     tcp dpt:7001
ACCEPT     tcp  --  1.2.1.3     1.2.1.2     tcp dpt:7001
ACCEPT     tcp  --  1.2.1.1     1.2.1.3     tcp dpt:7001
ACCEPT     tcp  --  1.2.1.3     1.2.1.1     tcp dpt:7001
ACCEPT     tcp  --  1.2.1.3     1.2.1.3     tcp dpt:7001

Chain hazelcast (2 references)
target     prot opt source      destination
ACCEPT     tcp  --  1.2.1.2     1.2.1.3     tcp dpt:5700
ACCEPT     tcp  --  1.2.1.3     1.2.1.2     tcp dpt:5700
ACCEPT     tcp  --  1.2.1.1     1.2.1.3     tcp dpt:5700
ACCEPT     tcp  --  1.2.1.3     1.2.1.1     tcp dpt:5700
DROP       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:5700

Security best practices 127
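Because the guidance above forbids deleting these chains or overriding the rules for the cluster ports, an operator wants a quick way to confirm after maintenance that they are still intact. The following shell script is an added example, not part of the controller documentation or of the product itself: it reads saved output of sudo iptables -nL and reports whether INPUT and OUTPUT still jump to the hazelcast, cassandra-default and cassandra-team chains, and whether each of ports 5700, 7000, 7001, 7199 and 9160 still has a catch-all DROP rule. The embedded sample is the Example 1 rule set (FORWARD chain omitted), which by its source/destination pairs appears to have been captured on the 1.2.1.3 member; the function names and the tampered copy (with the 5700 catch-all DROP removed) are constructions for this example.

```shell
#!/bin/sh
# Added example, not from the controller documentation: audits saved
# `iptables -nL` output for the controller firewall chains described above.
# It checks that INPUT and OUTPUT still jump to hazelcast, cassandra-default
# and cassandra-team, and that every cluster port still has a catch-all DROP.

REQUIRED_CHAINS="hazelcast cassandra-default cassandra-team"
CLUSTER_PORTS="5700 7000 7001 7199 9160"

# chain_referenced FILE CHAIN PARENT: succeeds if chain PARENT jumps to CHAIN.
chain_referenced() {
    awk -v chain="$2" -v parent="$3" '
        /^Chain / { in_parent = ($2 == parent) }
        in_parent && $1 == chain { found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# port_dropped FILE PORT: succeeds if some rule reads
#   DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:PORT
port_dropped() {
    awk -v port="$2" '
        $1 == "DROP" && $4 == "0.0.0.0/0" && $5 == "0.0.0.0/0" && $NF == ("dpt:" port) { found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# audit_firewall FILE: prints each missing piece; returns 0 only when all are present.
audit_firewall() {
    problems=0
    for chain in $REQUIRED_CHAINS; do
        for parent in INPUT OUTPUT; do
            chain_referenced "$1" "$chain" "$parent" || {
                echo "MISSING: $parent does not jump to chain $chain"
                problems=$((problems + 1))
            }
        done
    done
    for port in $CLUSTER_PORTS; do
        port_dropped "$1" "$port" || {
            echo "MISSING: no catch-all DROP for tcp port $port"
            problems=$((problems + 1))
        }
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample: the Example 1 rule set (FORWARD omitted).
# Live use instead: sudo iptables -nL > rules.txt; audit_firewall rules.txt
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
Chain INPUT (policy ACCEPT)
target            prot opt source      destination
cassandra-team    all  --  0.0.0.0/0   0.0.0.0/0
cassandra-default all  --  0.0.0.0/0   0.0.0.0/0
hazelcast         all  --  0.0.0.0/0   0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target            prot opt source      destination
cassandra-team    all  --  0.0.0.0/0   0.0.0.0/0
cassandra-default all  --  0.0.0.0/0   0.0.0.0/0
hazelcast         all  --  0.0.0.0/0   0.0.0.0/0

Chain cassandra-default (2 references)
target     prot opt source      destination
ACCEPT     tcp  --  127.0.0.1   127.0.0.1   tcp dpt:7001
ACCEPT     tcp  --  127.0.0.1   127.0.0.1   tcp dpt:9160
ACCEPT     tcp  --  127.0.0.1   127.0.0.1   tcp dpt:7199
DROP       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:7199
DROP       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:9160
DROP       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:7000
DROP       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:7001

Chain cassandra-team (2 references)
target     prot opt source      destination
ACCEPT     tcp  --  1.2.1.2     1.2.1.3     tcp dpt:7001
ACCEPT     tcp  --  1.2.1.3     1.2.1.2     tcp dpt:7001
ACCEPT     tcp  --  1.2.1.1     1.2.1.3     tcp dpt:7001
ACCEPT     tcp  --  1.2.1.3     1.2.1.1     tcp dpt:7001
ACCEPT     tcp  --  1.2.1.3     1.2.1.3     tcp dpt:7001

Chain hazelcast (2 references)
target     prot opt source      destination
ACCEPT     tcp  --  1.2.1.2     1.2.1.3     tcp dpt:5700
ACCEPT     tcp  --  1.2.1.3     1.2.1.2     tcp dpt:5700
ACCEPT     tcp  --  1.2.1.1     1.2.1.3     tcp dpt:5700
ACCEPT     tcp  --  1.2.1.3     1.2.1.1     tcp dpt:5700
DROP       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:5700
EOF

# Constructed tampered copy: the hazelcast catch-all DROP was removed by hand,
# the kind of manual override the guidance above forbids.
SAMPLE_TAMPERED=$(mktemp)
grep -v '^DROP .*dpt:5700$' "$SAMPLE_OK" > "$SAMPLE_TAMPERED"

audit_firewall "$SAMPLE_OK" && echo "intact sample: OK"
audit_firewall "$SAMPLE_TAMPERED" || echo "tampered sample: problems found (expected)"
```

On a controller, save the live table with sudo iptables -nL > /tmp/rules.txt and run audit_firewall /tmp/rules.txt from a maintenance check or monitoring job; a nonzero exit status means one of the chains or catch-all DROP rules is gone. The check verifies presence only, not rule order: an ACCEPT rule appended after the DROP would still pass, so a stricter version should also confirm that the DROP is the last rule in its chain.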