Note: This document is based on Jelastic version 5.4Jelastic Container Firewall feature provides a possibility to control your nodes availability both from inside and outside of the Platform. It analyze such parameters as incoming request source, protocol, target node port, etc to flexibly manage access to your containers through setting the required connection rules.
Container Firewall Management
Container Firewall Management via Jelastic UI
Here, the following tabs are available:
- Overview - provides general information on the feature, allows to change Firewall State (which is enabled for all containers by default) and shows Isolated Env Groups the current environment is included to
- Inbound Rules - allows to manage incoming requests (not listed ones will be denied by default)
- Outbound Rules - allows to control outgoing connections (not listed ones will be allowed by default)
Default Firewall RulesJelastic automatically fills the Inbound and Outbound Rules sections with a number of records, required for the proper container operability.
Here, rules are grouped by layers and are marked with the following color labels:
- gray for the default non-editable records (i.e. the obligatory ones)
- white for other default (stack-related) and user-added (either by an environment owner or his collaborators) rulesNote: Apply changes to the default rules only in the case you know exactly what you are doing, since these records are required to ensure stack specific functionality and to provide particular features support (e.g. to allow SSH, HTTP, HTTPS or FTP connections).
Rules ManagementIn order to manage existing and provide new rules to firewall, the tools panel above the list contains a set of buttons for a convenient firewall rules management, namely: Add, Edit, Remove, Disable (Enable) and Refresh.
When adding a new firewall rule, the following parameters should be defined:
- Nodes - to select the required environment layer
- Name - to provide name for this record (can be expanded to select from a number of commonly used rules)
- Protocol - to set the required protocol type (TCP, UDP or TCP/UDP)
- Port Range - to define a particular port (e.g. 80) or their range (e.g. 1024-2048) to be opened/closed for connection; leave this field blank to apply the rule to all ports
- Source - to select the request source:
- Custom IP Address(es) - a comma-separated list of IPv4/IPv6 addresses and CIDR blocks (e.g. 10.0.0.1,10.0.0.0/24)
- predefined ranges - All, All IPv4, All IPv6, Local Network, Internet (Public Access)
- Environment Nodes - node type (layer) from any environment on an account (after appliance this rule will be automatically adjusted upon the appropriate layer scaling)
- Priority - to set a rule priority (where rules with lower value will be applied first)
- Action - to define the required action upon receiving the matching request (either allow or deny)
Subsequently, if meeting the necessity to Edit any of predefined rules, you’ll be able to adjust all of the above-described parameters except of the Nodes field (i.e. target layer can not be switched). Also, with testing purposes, you can temporarily exclude some firewall records and reapply them later on with the appropriate Disable/Enable buttons. After some adjustment (for example, topology change), you may need to update the list of rules with the Refresh button.
Firewall Use Cases
Note: Before following this guide, ensure that the appropriate container is provided with a Public IP address.
Restrict Access via User Interface
Jelastic provides a powerful GUI for the firewall management directly in the dashboard.1. Click the Settings button next to the appropriate environment and switch to the Firewall section within the opened tab.
2. In the opened Add Inbound Rules form, you can configure a new rule.
Here, select the Inbound Rules subtab and click on the Add button.
In order to deny connection from a particular IP, fill in the fields as follows:
- Nodes - chose a container to restrict access to (tomcat in our case)
- Name - input any desired rule name (e.g. my-rule)
- Protocol - select a required protocol (TCP)
- Port Range - deny access to all ports by leaving this field blank
- Source - choose the Custom IP Address(es) option and type the necessary IP in the appeared IP Address Range field (184.108.40.206)
- Priority - set the appropriate priority for this record (e.g. 900 to be applied before the default rules)
Action - select the Deny option
Click Add to save and automatically apply your rule.3. Now, when connecting to your node from the specified 220.127.116.11 IP address, the following page will be displayed for user:
This way you can deny access to your containers from any IP address.
Restrict Access via SSH
You can configure firewall rules for your container via terminal, while connected to node through Jelastic SSH Gate.
1. The simplest way to access node via SSH is to call the appropriate Web SSH feature directly from the Jelastic dashboard. Just click the same-named button next to the required node. Once connected, check the /etc/jelastic/metainf.conf file to ensure that container firewall is turned on:
2. Next, you need to modify the /etc/sysconfig/iptables-custom file (e.g. with a vim editor):
Here, the FIREWALL_ENABLED parameter should be equal to “1”. If not, contact your hosting provider and request enabling of firewall protection for your account.
3. Declare the required firewall rules using the iptables-save tool format. For example, use the following code to deny access from a particular IP (e.g. 18.104.22.168):
4. Use the next command to apply your custom firewall settings to the list of container default rules:
5. You can check the list of current firewall rules for your container by executing the following command:
As you can see, now access to your node from the 22.214.171.124 IP address is denied.
Setting Rules by Jelastic APIIn some cases (e.g. for custom scripts, automatization, etc.), you may need to configure firewall rules through the code. To do this, you can use the appropriate methods from the environment > Security section in the Jelastic API documentation:
- AddRule - creates a new rule
- AddRules - adds several rules
- EditRule - changes parameters of an existing rule
- GetRules - shows a list of rules for the environment
- RemoveRule - deletes a rule
- RemoveRules - removes several rules
- SetFirewallEnabled - switches on firewall
- SetRuleEnabled - enables existing rule
SetRules - replaces existing rules
As you see, the Сontainer Firewall feature allows you to effectively manage the availability of nodes on your account and to significantly increase applications security by managing desired and undesired connections.