I know this is going to sound stupid at first, but please bear with me and I'll explain why I want to do this particular stupid-sounding thing.
We have a Beowulf cluster, currently running RH 8.0. We're about to do some major reconfiguration, including changing to RHEL4. The choice of distro is pretty much set in stone as it is approved and supported by a couple of commercial apps that we need to run, so please don't bother with any religious distro wars even if you would be so inclined otherwise.
Anyway, in preparation for the changeover, I expect that we will see some "anomalies", so I am setting up a 3-node test cluster to make sure that I can have everything ready to run on the real cluster by the time we make the changes there, minimizing downtime. I plan to keep this test cluster up for a couple of months and then wipe all of the boxes.
The real cluster is isolated from the rest of the world; only the head node is accessible, and then only via ssh, sftp, and scp. That is, no other protocols are allowed to initiate incoming connections. Outgoing, the only additional protocols allowed are ntp and dns, and those only to our servers.
The test cluster is just 3 old boxes that I was able to scrounge from our spares/discards pile and put into a rack. They are all connected to the router in the rack. I was not able to isolate them like the real cluster. I want to make the test cluster appear to act as much like the real cluster as possible.
Now, we finally reach the stupid question part: Within the real cluster, users are allowed to use rsh/rlogin to other nodes and lots of software and scripts are set up to do that. In that cluster environment it's secure enough as the packets never escape from the rack into any larger network. In the test cluster, the "compute nodes" are visible, at least to the rest of the campus, though not to the internet at large. I'm still not planning to allow the users I'll be asking to test their apps to log in directly to the compute nodes, but the nodes are "visible". (The network segment that they are on is restricted to the secured computer room, for what that's worth.)
What I plan to do is add a suitable entry or entries to the iptables rules on the 3 nodes (head and 2 "compute" nodes) so that users can rsh between them. I have already edited hosts.deny to deny all access to everybody, edited hosts.allow to allow rsh/rlogin access from the other nodes, and edited /etc/hosts.equiv accordingly. Next, I need to poke a hole in the firewalls of all 3 nodes so that packets can actually reach the other nodes. For purposes of discussion, assume that the head node (of the test cluster) is 10.192.255.1 and the other two are 10.192.255.2 and 10.192.255.3.
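For reference, my tcp_wrappers and equivalence entries look roughly like this. The node names (tnode1 etc.) are placeholders from my /etc/hosts, and the daemon names are the ones I believe the rsh-server package uses, so treat this as a sketch of intent rather than a verified config:

```shell
# /etc/hosts.deny -- default deny for everything
ALL: ALL

# /etc/hosts.allow -- permit rsh/rlogin only from the three cluster nodes
in.rshd:    10.192.255.1 10.192.255.2 10.192.255.3
in.rlogind: 10.192.255.1 10.192.255.2 10.192.255.3

# /etc/hosts.equiv -- trust the other nodes for r-command authentication
# (hostnames as defined in /etc/hosts; names here are hypothetical)
tnode1
tnode2
tnode3
```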
I would expect a rule much like the one that allows ssh to initiate connections. I plan to copy /etc/sysconfig/iptables to a test file, e.g., /etc/sysconfig/iptables.test, edit that, and load it with iptables-restore < iptables.test; then, once I'm satisfied, use iptables-save to keep what I want. The current /etc/sysconfig/iptables contains the line:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
so I think that the following should be appropriate:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.192.255.2 --dport 513 -j ACCEPT
with corresponding rules for the other two potential source nodes. The relevant port appears to be 513, or at least that's what appears in netstat when I make an rsh connection (/etc/services lists login as 513/tcp and shell as 514/tcp, so perhaps I need to open both). I'd rather not use a netmasked source because there are other boxes on 10.192.255.*, even though they are all Windows boxes in a secured computer room. Thinking about it, I suppose the risk of using "-s 10.192.255.0/24" may not be too great. What do you all think about that?
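To make the whole plan concrete, here is roughly what the test file and the steps would look like on the head node (each node would get the analogous pair naming the *other* two nodes as sources). This is a sketch of my intent, not a tested ruleset:

```shell
# /etc/sysconfig/iptables.test on the head node (10.192.255.1)
# Added alongside the existing ssh rule in the RH-Firewall-1-INPUT chain:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.192.255.2 --dport 513 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.192.255.3 --dport 513 -j ACCEPT

# Try the candidate rules without committing them:
#   iptables-restore < /etc/sysconfig/iptables.test
# ...test rsh/rlogin between the nodes...
# If something breaks, reload the original:
#   iptables-restore < /etc/sysconfig/iptables
# Once it works, make it permanent:
#   iptables-save > /etc/sysconfig/iptables
```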
I know it's too late to make this long story short, but at last we've reached the end: 1) Is this really a suitable solution? 2) Is my proposed rule correct? 3) How stupid is it, really? Am I paranoid enough?