A lot of our customers in Rackspace cloud has been asking how to mass edit firewalls of servers when you have multiple servers without doing it manually.
Part of my cloudservers-api-demo I have written a simple firewall scripts abstracting the Operating System firewall software to allow/enable/disable the firewall and ports/networks.
The script has been kept very simple by design and currently allow only to :
enable the firewall
disable the firewall
allow or disallow a port or a network
see firewall status
A management server under Ubuntu maverick.
A supported Operating System for clients which includes :
My patched python-cloudservers library (see below for installs).
Your SSH key installed on all VM for root users.
After you have kicked a VM with a Ubuntu maverick and connected to it as root you want first execute intall some prereq packages :
apt-get update && apt-get -y install python-stdeb git
checkout my python-cloudservers library :
git clone git://github.com/chmouel/python-cloudservers.git
after being checked-out you will go into the python-cloudservers directory which has just been created and do this :
cd python-cloudservers/ python setup.py install
this should automatically install all the dependences.
Now you can install my api-demo which include the firewall script :
cd ../ git clone git://github.com/chmouel/cloudservers-api-demo
You need to configure some environemnt variable first which keep information about your rackspace account.
edit your ~/.bashrc (or /etc/environement if you want to make it global) and configure those variable :
export RCLOUD_DATACENTER=UK export UK_RCLOUD_USER="MY_USERNAME" export UK_RCLOUD_KEY="MY_API_KEY" export UK_RCLOUD_AURL="https://lon.auth.api.rackspacecloud.com/v1.0"
or for the US you would have :
export RCLOUD_DATACENTER=US export UK_RCLOUD_USER="MY_USERNAME" export UK_RCLOUD_KEY="MY_API_KEY" export UK_RCLOUD_AURL="https://auth.api.rackspacecloud.com/v1.0"
source the ~/.bashrc or relog into your account to have those accounts set-up you can test it to see if that works by going to :
and launch the command :
to test if this is working properly (it should list your servers for your DATACENTER)
you are now basically ready to mass update firewall on all servers.
Let’s say you have two web servers named web1 and web2 and two db servers named db1 and db2 and you would like to allow the 80 port on the web servers and 3306 port on the db servers.
You would have to go to this directory :
and first execute this command to see the help/usages :
so let’s say to enable the firewall on all the web and db server first you can do :
./fw-control.py -s "web db" enable
it will connect and enable the firewall on all the servers which match the name web and db.
now let’s say we want to enable port 80 on the web :
./fw-control.py -s "web" allow port 80
if you log into the servers you can check with
iptables -L -n
that it it has been enabled properly.
This is simple enough for you to modify the script to your liking to make it more modular for your specific environement.