Compute Nodes in an HPC environment are usually physically isolated from the public network and has to route through the gateway which are often found in Head Node or any delegated Node in small or small-medium size cluster to access the internet or to access company LAN to access LDAP, you can use the firewall-cmd to route the traffic through the interconnect facing the internet.
Traffic will be routed through the Head Node’s eno1 (internet facing) from the Head Node’s eno2 (private network). The interconnect eno1 is attached to a switch where the compute nodes are similarly attached. Some
- 192.168.1.0/24 is the private network subnet.
- 192.168.1.1 is the IP Address of the Head Node
- 188.8.131.52 is the IP Address of the external-facing ethernet ie eno1
Check the zones.
# firewall-cmd --list-all-zones
Check the Active Zones
# firewall-cmd --get-active-zones external interfaces: eno2 internal interfaces: eno1
Enable masquerade at the Head Node’s External Zone
IP masquerading is a process where one computer acts as an IP gateway for a network. For masquerading, the gateway dynamically looks up the IP of the outgoing interface all the time and replaces the source address in the packets with this address.
You use masquerading if the IP of the outgoing interface can change. A typical use case for masquerading is if a router replaces the private IP addresses, which are not routed on the internet, with the public dynamic IP address of the outgoing interface on the router.
For more information. Do take a look at 5.10. Configuring IP Address Masquerading
# firewall-cmd --zone=external --query-masquerade no # firewall-cmd --zone=external --add-masquerade --permanent # firewall-cmd --reload
Compute Nodes at the Private Network
(Assuming that eno1 is connected to the private switch). It is very important that you input the gateway at the compute node’s /etc/sysconfig/network-scripts/ifcfg-eno1)
..... ..... DEVICE=enp47s0f1 ONBOOT=yes IPADDR=192.168.1.2 #Internal IP Address of the Compute Node NETMASK=255.255.255.0 GATEWAY=192.168.1.1 #Internal IP Address of the Head Node
Configure the Head Node’s External Zone.
There are three options –
DROP. By setting the target to
ACCEPT, you accept all incoming packets except those disabled by a specific rule. If you set the target to
DROP, you disable all incoming packets except those that you have allowed in specific rules. When packets are rejected, the source machine is informed about the rejection, while there is no information sent when the packets are dropped. 5.7.8. Using Zone Targets to Set Default Behavior for Incoming Traffic
# firewall-cmd --zone=external --set-target=default
You can configure other settings. For the External Zone. For example, add SSH Service, mDNS
# firewall-cmd --permanent --zone=external --add-service=ssh # firewall-cmd --permanent --zone=external --add-service=mdns # firewall-cmd --runtime-to-permanent # firewall-cmd --reload
It is possible to define different sets of rules for different zones and then change the settings quickly by changing the zone for the interface that is being used. With multiple interfaces, a specific zone can be set for each of them to distinguish traffic that is coming through them. 51.6.4. Assigning a network interface to a zone
# firewall-cmd --zone=external --change-interface=eno2 --permanent
Configure the Head Node’s Internal Zone.
You can use the same firewall-cmd to configure the below configuration if you need the services.
# firewall-cmd --zone=trusted --list-all trusted (active) target: default icmp-block-inversion: no interfaces: ib1 enp6s0f3 sources: 192.168.0.0/16 services: dhcpv6-client ssh nfs mountd rpc-bind http https tftp ports: 15001-15007/tcp 15001-15007/udp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
Check the Firewall Status
systemctl status firewalld.service