Howdy, all. I'm looking for info on setting up firewall rules on the VCSA 6.0 that we upgraded from 5.5. We had our own firewall rules set on the 5.5 appliance per this kb article:
VMware KB: Updating the vCenter Server Appliance (vCSA) firewall rules to DISA STIG compliance
Those rules allowed all traffic from our subnets and dropped everything else. I'd like to use the new web interface to add the same rules, but the documentation is a little thin. If I add our subnets, does that automatically block anything not explicitly listed?
Thanks.
I had forgotten I posted this last year. Here is what we did to get ours working with our own firewall rules, which essentially drops anything not in our subnets or local interface. The usual caveats apply about me not being responsible for your stuff, your mileage varying, etc. I would recommend making a snapshot of your vcenter vm first.
To modify iptables rules:
ssh into vcenter
at command line:
1. iptables-save
2. iptables-save >/etc/iptables.rules.default
3. copy that to a new file (e.g., /etc/iptables.rules.2017)
4. replace the -A INPUT lines with your own subnets
Note - either edit with vi, or use a text editor that does not add Windows control characters if you move the file to a Windows computer to edit
5. run this command to load the file with your rules
iptables-restore < /etc/iptables.rules.2017
6. List the current rules to verify your changes took effect
iptables -nL
This will probably change back to the default firewall rules after a reboot. I've seen references to adding the iptables-restore line to the after.local file, but I haven't tested that yet.
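As an added example (not from the post above or from VMware), here is a small shell script that generates a rules file in iptables-save format of the kind step 4 describes: loopback and established connections are accepted, the listed subnets are accepted on INPUT, and the INPUT chain policy drops everything else. The subnets are constructed placeholders, and the output path is an argument so the script can be tried anywhere before being used on the appliance.

```shell
#!/bin/sh
# Added example: build an iptables-restore file that accepts INPUT traffic
# only from the listed subnets (plus loopback and established/related
# connections) and drops the rest via the chain policy.
# Constructed placeholder subnets; replace with your own.
ALLOWED_SUBNETS="10.10.0.0/16 192.168.50.0/24"

# Print the rules file to stdout in iptables-save format.
gen_rules() {
    subnets="$1"
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Local interface and replies to connections the appliance initiated.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # One accept line per trusted subnet.
    for net in $subnets; do
        printf '%s\n' "-A INPUT -s $net -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Count the per-subnet accept lines in the generated output (verification).
count_subnet_rules() {
    gen_rules "$1" | grep -c -- '-A INPUT -s '
}

# Write the rules to the given path (e.g. /etc/iptables.rules.2017 on the
# appliance); returns non-zero if the file could not be written.
write_rules_file() {
    gen_rules "$ALLOWED_SUBNETS" > "$1"
}

# On the VCSA, load and verify with:
#   iptables-restore < /etc/iptables.rules.2017 && iptables -nL
```

Review the generated file before loading it: a typo in a subnet mask locks out everything except the console, which is why the post suggests a snapshot first.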