
CUBRID Port and iptables (firewall) Configuration

This document describes the network ports used by CUBRID and how to open them in a Linux firewall configured with iptables.

The Architecture of CUBRID

CUBRID has a typical 3-tier structure in which applications, brokers and database servers are separated. A connection is set up in two steps: the broker accepts the initial connection at the request of an application, then the master connects it to the target database according to the connection information provided. For more detail see The Architecture of CUBRID.

CUBRID Port

The ports CUBRID uses are the same on Unix, Linux and Windows. Three kinds of process listen on the network: the master, the brokers and the manager.

Database process and port

In CUBRID, one database server process (cub_server) runs for each database. The master accepts the connection request from the application and hands it over to the target database, so the operator does not need to configure or open a port for the database server itself.

[laisdb@newTest1 ~]$ ps -ef | grep cub_server    # one cub_server process per database (demodb and cub_db)
laisdb   20165     1  0 11:25 ?        00:00:00 cub_server demodb
laisdb   21739     1  0 11:34 ?        00:00:00 cub_server cub_db
 
[laisdb@newTest1 ~]$ cub_commdb -O    # the same check with a CUBRID command
 Server cub_db (rel 8.2, pid 21739)
 Server demodb (rel 8.2, pid 20165)

Master process and port

The master process (cub_master) is a relay process that receives the request of a CUBRID client (cub_cas or csql) and connects it to the target database. Its default port is 1523; to change it, modify the parameter cubrid_port_id=1523 in $CUBRID/conf/cubrid.conf.

[laisdb@newTest1 ~]$ ps -ef | grep cub_master    # check that the master process is running
laisdb    20001     1  0 Feb03 ?        00:00:00 cub_master
 
[laisdb@newTest1 conf]$ netstat -an | grep 1523    # check that the master port is listening
tcp        0      0 0.0.0.0:1523                0.0.0.0:*                   LISTEN

Broker process and port

A broker is the middleware through which applications connect to the database server. The CUBRID broker consists of cub_broker and cub_cas. cub_broker accepts the connection from an application client, checks the status of the cub_cas processes through shared memory, and hands the request to an available cub_cas; that cub_cas then holds the connection to the database server.

To change the broker port, modify BROKER_PORT (default 30000) in the broker's section of $CUBRID/conf/cubrid_broker.conf; each broker has its own BROKER_PORT.

Note: MASTER_SHM_ID is the ID of the shared memory segment used to manage the CUBRID brokers. It must be unique on the system (default 30001) and is not a network port.

[laisdb@newTest1 ~]$ ps -ef | grep broker    # check the broker processes (one cub_broker per broker plus its cub_cas processes)
laisdb   23683     1  0 11:46 ?        00:00:00 cub_broker
laisdb   23693     1  0 11:46 ?        00:00:00 cub_broker
laisdb   23694     1  0 11:46 ?        00:00:00 broker1_cub_cas_1
laisdb   23695     1  0 11:46 ?        00:00:00 broker1_cub_cas_2
laisdb   23696     1  0 11:46 ?        00:00:00 broker1_cub_cas_3
laisdb   23697     1  0 11:46 ?        00:00:00 broker1_cub_cas_4
laisdb   23698     1  0 11:46 ?        00:00:00 broker1_cub_cas_5
 
[laisdb@newTest1 ~]$ cubrid broker status    # check the operational status of the brokers
@ cubrid broker status
% query_editor  - cub_cas [23683,30000] /home/laisdb/CUBRID/log/broker//query_editor.access /home/laisdb/CUBRID/log/broker//query_editor.err
 JOB QUEUE:0, AUTO_ADD_APPL_SERVER:ON, SQL_LOG_MODE:ALL:100000
 LONG_TRANSACTION_TIME:60.00, LONG_QUERY_TIME:60.00, SESSION_TIMEOUT:300
 KEEP_CONNECTION:AUTO, ACCESS_MODE:RW
----------------------------------------
ID   PID   QPS   LQS PSIZE STATUS
----------------------------------------
 1 23684     0     0 24356 IDLE
 2 23685     0     0 24356 IDLE
 3 23686     0     0 24356 IDLE
 4 23687     0     0 24356 IDLE
 5 23688     0     0 24356 IDLE
 
[laisdb@newTest1 ~]$ netstat -an | grep 30000    # check that broker port 30000 is listening
tcp        0      0 0.0.0.0:30000               0.0.0.0:*                   LISTEN
 
[laisdb@newTest1 ~]$ vi $CUBRID/conf/cubrid_broker.conf    # check the broker parameters
[%query_editor]
SERVICE                      ON
APPL_SERVER                 CAS
BROKER_PORT               30000    # change the port here before opening it in the firewall
MIN_NUM_APPL_SERVER     5
MAX_NUM_APPL_SERVER    20    # maximum number of CAS processes; on Windows this also determines how many ports are used
AUTO_ADD_APPL_SERVER    ON
             :
Note: On Windows, the number of ports a broker uses is determined by MAX_NUM_APPL_SERVER + 1, so the operator must open the whole range starting at BROKER_PORT (with the settings above, ports 30000 to 30019), not only BROKER_PORT itself. On Linux only BROKER_PORT is listening, as the netstat output above shows.

The CUBRID Manager process and port

CUBRID Manager is an administration tool, not part of the path between applications and the database, so CUBRID keeps working when the CUBRID Manager server processes are stopped. If CUBRID Manager is not used, leave its processes stopped and its ports closed. The manager server consists of two processes: cub_auto authenticates CUBRID Manager client users, runs periodic automation jobs and collects diagnostic information; cub_js executes the requests sent by the CUBRID Manager client.

The default port for communication between the CUBRID Manager server and its client is 8001. Once a connection is established, two ports are used: the configured port and the next port number (port + 1). For example, with cm_port=8001 in $CUBRID/conf/cm.conf, both 8001 and 8002 are used.

[laisdb@newTest1 ~]$ ps -ef | grep cub_auto    # check the manager cub_auto process
laisdb   28629     1  0 12:18 ?        00:00:00 cub_auto start
 
[laisdb@newTest1 ~]$ ps -ef | grep cub_js    # check the manager cub_js process
laisdb   28632     1  0 12:18 ?        00:00:00 cub_js start
 
[laisdb@newTest1 ~]$ netstat -an | grep 8001    # check the manager port in use
tcp        0      0 0.0.0.0:8001                0.0.0.0:*                   LISTEN
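
The three port sections above can be turned into one check. The script below is an added example and not part of the CUBRID documentation: it reads cubrid_port_id from cubrid.conf, BROKER_PORT from every broker section in cubrid_broker.conf whose SERVICE is ON, and cm_port (plus cm_port+1) from cm.conf, then compares that list with the LISTEN lines of netstat -an. The configuration fragments and the netstat output it uses are constructed for the example; a third broker with SERVICE OFF and a broker1 that is configured but not running are included to show the two cases the check has to handle. On a live host, point it at $CUBRID/conf and at real netstat output.

```shell
#!/bin/sh
# Added example (not from the CUBRID documentation): list the TCP ports CUBRID
# needs according to its own configuration files, then check that each one is
# actually listening. Sample config files and netstat output are constructed below.

# Print, one per line, the ports to open for CUBRID:
#   cubrid_port_id from cubrid.conf (default 1523),
#   BROKER_PORT of every [%broker] section in cubrid_broker.conf with SERVICE ON,
#   cm_port from cm.conf (default 8001) and cm_port+1, both used by CUBRID Manager.
cubrid_expected_ports() {
  conf_dir="$1"
  master=$(sed -n 's/^[[:space:]]*cubrid_port_id[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf_dir/cubrid.conf" | tail -n 1)
  echo "${master:-1523}"
  awk '
    function flush() { if (port != "" && service == "ON") print port }
    /^\[%/         { flush(); service = "ON"; port = "" }   # new broker section
    /^SERVICE/     { service = toupper($2) }
    /^BROKER_PORT/ { port = $2 }
    END            { flush() }
  ' "$conf_dir/cubrid_broker.conf"
  cm=$(sed -n 's/^[[:space:]]*cm_port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf_dir/cm.conf" | tail -n 1)
  cm=${cm:-8001}
  echo "$cm"
  echo $((cm + 1))
}

# Compare the expected ports with the LISTEN sockets in saved "netstat -an" output.
# Prints LISTENING/MISSING per port; returns 1 if any expected port is missing.
check_listening() {
  conf_dir="$1"; netstat_out="$2"; rc=0
  for port in $(cubrid_expected_ports "$conf_dir"); do
    if grep -Eq "^tcp6?[[:space:]].*:$port[[:space:]]+[^[:space:]]+[[:space:]]+LISTEN" "$netstat_out"; then
      echo "LISTENING $port"
    else
      echo "MISSING $port"; rc=1
    fi
  done
  return $rc
}

# Constructed sample: config fragments and netstat output in a temporary directory.
make_sample() {
  d=$(mktemp -d); mkdir "$d/conf"
  printf '%s\n' '[common]' 'cubrid_port_id=1523' > "$d/conf/cubrid.conf"
  printf '%s\n' 'cm_port=8001' > "$d/conf/cm.conf"
  cat > "$d/conf/cubrid_broker.conf" <<'EOF'
[broker]
MASTER_SHM_ID           30001

[%query_editor]
SERVICE                 ON
BROKER_PORT             30000
MAX_NUM_APPL_SERVER     20

[%broker1]
SERVICE                 ON
BROKER_PORT             33000

[%unused]
SERVICE                 OFF
BROKER_PORT             35000
EOF
  cat > "$d/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:1523                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:30000               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:8001                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:8002                0.0.0.0:*                   LISTEN
tcp        0      0 192.168.13.10:30000         192.168.13.45:51234         ESTABLISHED
EOF
  echo "$d"
}

sample=$(make_sample)
check_listening "$sample/conf" "$sample/netstat.txt" || echo "some CUBRID ports are not listening"
rm -rf "$sample"
```

With the constructed sample the script reports 1523, 30000, 8001 and 8002 as LISTENING and 33000 as MISSING (broker1 is configured but not running), and ignores the SERVICE OFF broker; the ESTABLISHED line on port 30000 does not count as a listener. The list it prints is also the list of ports the firewall sections below need.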

Firewall (iptables)

iptables policy

iptables is the usual firewall in a Linux environment. When building a firewall with iptables, choose one of the following two policies. As shipped, the default policy accepts everything from every IP address, which amounts to having no firewall at all.

  • Allow everything by default and reject only what must be restricted.
  • Reject everything by default and allow only what is needed (the usual policy).

iptables settings

iptables is the user-space tool that configures the packet filter in the Linux kernel. It has three rule tables: mangle, nat and filter. Most firewall policies use only the filter table and its three built-in chains, INPUT, FORWARD and OUTPUT.

  • INPUT: packets addressed to the local machine.
  • FORWARD: packets that pass through the machine without being addressed to it (routed traffic). Only relevant when the machine acts as a router or firewall for other hosts.
  • OUTPUT: packets generated by the local machine.

Rules added with the iptables command live only in the kernel: they are lost when the server is rebooted or the iptables service is restarted, unless they have been saved to /etc/sysconfig/iptables. To save them automatically when the service stops or restarts, set IPTABLES_SAVE_ON_STOP and IPTABLES_SAVE_ON_RESTART from "no" to "yes" in /etc/sysconfig/iptables-config.

Note: The order of the iptables rules is important, as they are applied in sequence.

iptables -L    # the initial policy allows everything
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
# ---- Initialize all iptables rules ----
iptables -F    # flush every rule
iptables -X    # delete user-defined chains
iptables -Z    # zero the packet and byte counters
# ---- Set the default policy ----
# Run these from the console, not over ssh: once the policy is DROP and the
# chains are empty, every connection including the ssh session is cut until
# the ACCEPT rules of the following sections have been added.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
 
iptables -L    # everything is now rejected
Chain INPUT (policy DROP)
target     prot opt source               destination
 
Chain FORWARD (policy DROP)
target     prot opt source               destination
 
Chain OUTPUT (policy DROP)
target     prot opt source               destination

iptables options

Option   Task
-A       Appends a rule at the end of the chain.
         e.g. iptables -A INPUT ... (the rule is added after the last rule of the INPUT chain)
-I       Inserts a rule at a given position in the chain (order matters: rules are evaluated in sequence).
         e.g. iptables -I INPUT 1 ... (the rule becomes the first rule of the INPUT chain)
-D       Deletes the rule at a given position in the chain.
         e.g. iptables -D INPUT 3 (deletes the third rule of the INPUT chain)
-F       Flushes all rules of a chain, or of every chain when no chain is given (-Z resets the packet and byte counters to zero).
         e.g. iptables -F (deletes all rules configured in iptables)
-R       Replaces the rule at a given position in the chain.
         e.g. iptables -R INPUT 2 ... (replaces the second rule of the INPUT chain)
-X       Deletes a user-defined chain (only chains created manually can be deleted).
-L       Lists the rules of a chain, or of all chains.
-i       Input interface (-i eth0 matches every packet arriving on eth0).
-o       Output interface.
-s       Source address: a host name, a single IP address, or a network such as 192.168.10.0/24.
-d       Destination address (the IP address the packet is sent to).
--sport  Source port number.
--dport  Destination port number.
-p       Protocol: tcp, udp or icmp.
-j       Jump target: what to do with a matching packet (ACCEPT, DROP, REJECT, LOG, ...).

Note:

  • The iptables init script is /etc/init.d/iptables.
  • To restart iptables: service iptables restart (this reloads the rules saved in /etc/sysconfig/iptables).
  • To inspect the active rules with counters and numeric addresses: iptables -vnL
  • To save the active rules so that they survive a restart: service iptables save (or iptables-save > /etc/sysconfig/iptables). iptables-save by itself only prints the active rules to standard output.

iptables syntax

An iptables rule is built from the parts below, in this order; which rules are needed depends on whether the chain policy is ACCEPT (allow by default) or DROP (reject by default). Rules are applied in sequence, so their order matters.

  1. Table name (example: -t filter / -t nat / -t mangle): the -t option takes filter, nat or mangle; when omitted, the filter table is used.
  2. Chain and action (example: -A INPUT / -D FORWARD / -I POSTROUTING): the chain the rule is appended to, deleted from or inserted into.
  3. Layer 3 match (example: -s 192.168.x.10 / -d 10.1.1.0/24): -s matches the source address, -d the destination address.
  4. Layer 4 match (example: -p tcp --dport 80 / -p udp --sport 123): -p selects the protocol, --sport matches the source port and --dport the destination port.
  5. Jump (example: -j DROP / -j ACCEPT / -j REJECT / -j LOG): what happens to a matching packet. ACCEPT allows it, DROP discards it silently, REJECT discards it and sends an error back, LOG writes a log entry and continues with the next rule.

1. How to configure iptables when the policy is ACCEPT

Example 1) Disabling the ping command (inside/outside)

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

Example 2) Blocking outgoing SSH connections (drops the replies of remote SSH servers, whose source port is 22)

iptables -I INPUT 1 -p tcp --sport 22 -j DROP

Example 3) Blocking telnet and the web port for the IP address 192.168.16.191

iptables -F    # start from empty chains
iptables -A INPUT -s 192.168.16.191 -p tcp --dport 23 -j DROP
iptables -A INPUT -s 192.168.16.191 -p tcp --dport 80 -j DROP

Example 4) Blocking or unblocking several ports in one rule with the multiport match (use -j DROP to block, -j ACCEPT to unblock)

iptables -I INPUT 1 -p tcp -m multiport --dports 23,80 -j DROP

Example 5) Blocking ports 20 to 80 for one IP address with the multiport match (a port range is written as first:last)

iptables -A INPUT -s 192.168.16.191 -p tcp -m multiport --dports 20:80 -j DROP

2. How to configure iptables when the policy is DROP

Example 1) Opening outgoing SSH (connections from this host to remote SSH servers)

iptables -A INPUT -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT

Example 2) Opening outgoing SSH to one remote host only

iptables -A INPUT -s 192.168.16.109 -p tcp -m tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -d 192.168.16.109 -p tcp -m tcp --dport 22 -j ACCEPT

Example 3) Opening inbound SSH (connections to port 22 of this host)

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT

Example 4) Opening inbound SSH only for the host with the specified IP (192.168.13.45)

iptables -A INPUT -i eth0 -s 192.168.13.45 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.13.45 -p tcp -m tcp --sport 22 -j ACCEPT

Example 5) Blocking an IP address (any one of the following; under a DROP policy such a rule is only needed to override an earlier ACCEPT rule, and must then be placed before it)

iptables -A INPUT -s 192.168.16.109 -j DROP      # discard silently
iptables -A INPUT -s 192.168.16.109 -j REJECT    # discard and send an error back
iptables -A INPUT -s 192.168.16.109 -p tcp --dport 23 -j DROP    # block only telnet from this address

How to Configure CUBRID and iptables

When the iptables policy only opens specific IP addresses and ports, the ports of the CUBRID master, broker and manager must be opened as well, for the hosts that need them. Whether a port is opened to all IP addresses or only to specific ones is a matter of the site's security policy; this document shows both variants for each port.

Configuring the master network port

Port 1523, used by the CUBRID master, only needs to be opened when a broker runs on a different server. On a single-server installation the master port must not be opened to the outside: the brokers reach the master over the loopback interface.

1. Configuring the local interface accessibility

When all iptables policies are DROP, traffic on the loopback interface (lo) must be explicitly allowed, because the CUBRID processes on the same host communicate over it (without these rules the master process will not start).

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

2. Opening port 1523 of a server to all IP addresses

The following is an example of opening port 1523, which the master uses, to all IP addresses.

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 1523 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 1523 -j ACCEPT

3. Opening only port 1523 of the server with the specified IP (192.168.13.45)

The following is an example of opening port 1523 of the master to the IP address of 192.168.13.45.

iptables -A INPUT -i eth0 -s 192.168.13.45 -p tcp -m tcp --dport 1523 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.13.45 -p tcp -m tcp --sport 1523 -j ACCEPT

Configuring broker network port

The default brokers listen on ports 30000 (query_editor) and 33000 (broker1). Open them to the outside only if applications connect from other hosts.

1. Opening the Broker 30000/33000 ports to all IP addresses

The following is an example of opening ports 30000/33000 that the broker uses to all IP addresses.

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 30000 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 30000 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 33000 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 33000 -j ACCEPT

2. Opening the Broker ports 30000/33000 to one client only

The following is an example of opening broker ports 30000/33000 only to the client with the IP address 192.168.13.45.

iptables -A INPUT -i eth0 -s 192.168.13.45 -p tcp -m tcp --dport 30000 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.13.45 -p tcp -m tcp --sport 30000 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.13.45 -p tcp -m tcp --dport 33000 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.13.45 -p tcp -m tcp --sport 33000 -j ACCEPT

Configuring manager network port

Configures the ports 8001/8002 (default) so that they are usable from the outside when using CUBRID Manager.

1. Opening the CUBRID Manager ports 8001/8002

The following is an example of opening ports 8001/8002 that the manager uses to all IP addresses.

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 8001 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 8001 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 8002 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 8002 -j ACCEPT

2. Opening the CUBRID Manager ports 8001/8002 only to the PC that runs CUBRID Manager

The following is an example of opening manager ports 8001/8002 only to the PC with the IP address 192.168.13.45.

iptables -A INPUT -i eth0 -s 192.168.13.45 -p tcp -m tcp --dport 8001 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.13.45 -p tcp -m tcp --sport 8001 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.13.45 -p tcp -m tcp --dport 8002 -j ACCEPT 
iptables -A OUTPUT -o eth0 -d 192.168.13.45 -p tcp -m tcp --sport 8002 -j ACCEPT
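
The steps of this section, taken together, form one ruleset. The script below is an added example and not from the CUBRID documentation: it emits the whole ruleset in iptables-restore format, so that the DROP policies, the loopback rule, the ssh rule and the CUBRID rules are loaded in one atomic step instead of one iptables command at a time with a window in which the host is unreachable. The interface eth0, the application server and admin PC addresses (both 192.168.13.45, as in the examples above), the broker ports 30000/33000, cm_port 8001 and the REMOTE_BROKER_HOST variable are assumptions for the example; the master port 1523 is only opened when REMOTE_BROKER_HOST is set, i.e. when a broker runs on another server.

```shell
#!/bin/sh
# Added example (not from the CUBRID documentation): emit a complete iptables
# ruleset for a CUBRID host in iptables-restore format. All values below are
# assumptions for the example; adjust them to the site.

IFACE=eth0
APP_HOST=192.168.13.45        # application server allowed to reach the brokers
ADMIN_HOST=192.168.13.45      # PC allowed to use ssh and CUBRID Manager
BROKER_PORTS="30000 33000"    # BROKER_PORT of each broker in cubrid_broker.conf
CM_PORT=8001                  # cm_port in cm.conf; CUBRID Manager also uses CM_PORT+1
MASTER_PORT=1523              # cubrid_port_id in cubrid.conf
REMOTE_BROKER_HOST=""         # set only when a broker runs on another server

# Emit the INPUT/OUTPUT pair that opens TCP port $1 for source $2 ("any" = all hosts).
allow_tcp() {
  port="$1"; src="$2"
  if [ "$src" = any ]; then
    printf '%s\n' "-A INPUT -i $IFACE -p tcp -m tcp --dport $port -j ACCEPT"
    printf '%s\n' "-A OUTPUT -o $IFACE -p tcp -m tcp --sport $port -j ACCEPT"
  else
    printf '%s\n' "-A INPUT -i $IFACE -s $src -p tcp -m tcp --dport $port -j ACCEPT"
    printf '%s\n' "-A OUTPUT -o $IFACE -d $src -p tcp -m tcp --sport $port -j ACCEPT"
  fi
}

# Emit the whole filter table: default DROP, loopback, ssh, then the CUBRID ports.
cubrid_ruleset() {
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
  # Loopback first: the master and the brokers on this host talk over lo.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
  # Administrative ssh, admin host only.
  allow_tcp 22 "$ADMIN_HOST"
  # Brokers: only the application server may connect.
  for p in $BROKER_PORTS; do allow_tcp "$p" "$APP_HOST"; done
  # CUBRID Manager uses cm_port and cm_port+1, admin host only.
  allow_tcp "$CM_PORT" "$ADMIN_HOST"
  allow_tcp $((CM_PORT + 1)) "$ADMIN_HOST"
  # The master port stays closed unless a broker on another host needs it.
  if [ -n "$REMOTE_BROKER_HOST" ]; then
    allow_tcp "$MASTER_PORT" "$REMOTE_BROKER_HOST"
  fi
  printf 'COMMIT\n'
}

# Print the ruleset. Apply it as root with:  cubrid_ruleset | iptables-restore
# and persist it with:  service iptables save
cubrid_ruleset
```

Because iptables-restore replaces the filter table in one operation, the ssh rule is in place at the same moment the INPUT policy becomes DROP, which removes the lockout risk of typing the commands of the previous sections one by one over ssh. Check the result afterwards with iptables -vnL.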



