VMware Cloud Community
zenking

VCSA 6.0 Firewall

Howdy, all. I'm looking for info on setting up firewall rules on the VCSA 6.0 that we upgraded from 5.5. We had our own firewall rules set on the 5.5 appliance per this kb article:

VMware KB: Updating the vCenter Server Appliance (vCSA) firewall rules to DISA STIG compliance

Those rules allowed all traffic from our subnets and dropped everything else. I'd like to use the new web interface to add the same rules, but the documentation is a little thin. If I add our subnets, does that automatically block anything not explicitly listed?

Thanks.

VMWare Environment: vSphere 7.0, EQ PS6210 SANs, Dell R730 Hosts, dedicated Dell switches w/ separate vlans for vmotion and iscsi.

Accepted Solutions
zenking

I had forgotten I posted this last year. Here is what we did to get ours working with our own firewall rules, which essentially drops anything not in our subnets or local interface. The usual caveats apply about me not being responsible for your stuff, your mileage varying, etc. I would recommend making a snapshot of your vCenter VM first.

To modify iptables rules:

SSH into vCenter, then at the command line:

1. iptables-save

2. iptables-save > /etc/iptables.rules.default

3. Copy that to a new file (e.g., /etc/iptables.rules.2017).

4. Replace the -A INPUT lines with your own subnets.

Note: either edit with vi, or use a text editor that does not add Windows control characters if you move the file to a Windows computer to edit.

5. Run this command to load the file with your rules:

    iptables-restore < /etc/iptables.rules.2017

6. List the current rules to verify your changes took effect:

    iptables -nL

This will probably change back to the default firewall rules after a reboot. I've seen references to adding the iptables-restore line to the after.local file, but I haven't tested that yet.

VMWare Environment: vSphere 7.0, EQ PS6210 SANs, Dell R730 Hosts, dedicated Dell switches w/ separate vlans for vmotion and iscsi.
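As an added example (not from zenking's post or from VMware), the script below generates an iptables-restore file of the kind step 4 describes: default DROP on INPUT, loopback and established connections accepted, then one ACCEPT per trusted subnet. The CIDR check exists so a typo does not silently become a rule that matches nothing and locks you out; the subnets and the output path are constructed placeholders.

```shell
#!/bin/sh
# Build an iptables-restore ruleset that allows only trusted subnets (added example).

# Accept only a.b.c.d/n with octets <= 255 and prefix <= 32.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    prefix=${1#*/}
    [ "$prefix" -le 32 ] || return 1
    addr=${1%/*}
    oldifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    return 0
}

# Print the ruleset for the given subnets to stdout; fail on the first bad CIDR.
build_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Keep the local interface and replies to connections the appliance started.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
        printf '%s\n' "-A INPUT -s $net -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Write the ruleset to a file (hypothetical path) for later iptables-restore.
write_rules() {
    out="$1"; shift
    build_rules "$@" > "$out"
}

# Constructed sample subnets; replace with your own.
write_rules /tmp/iptables.rules.example 10.0.0.0/8 192.168.50.0/24
```

Load the resulting file with iptables-restore as in step 5 and verify with iptables -nL as in step 6.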
