
CUBRID Port and iptables (firewall) Configuration

posted Jun 24, 2020

Introduction: This document describes the ports used by CUBRID and how to configure the firewall for them, based on the Linux iptables firewall.

Applicable system: CUBRID 10.2.

iptables tool version: v1.4.21

The Architecture of CUBRID

CUBRID has a typical 3-tier structure in which applications, brokers, and databases are separated. A connection between CUBRID processes is formed when a broker establishes the initial connection at the request of an application; the master then connects to the target database according to the connection information it is given.

CUBRID Port

CUBRID uses the same port layout on Unix, Linux, and Windows; the ports belong to the Master, Broker, and Manager processes.

Database process and port

In CUBRID, a database server (cub_server) runs as a single server process per database. Because the master connects to the target database according to the information carried by the application's request, the operator does not need to configure a database port manually.

  • Check the DB server process for demodb
[cubrid@dbms ~]$ ps -ef | grep cub_server
cubrid      343      1  6 03:40 ?        00:00:07 cub_server demodb

  • Check the DB server processes by a CUBRID command
[cubrid@dbms ~]$ cubrid server status
@ cubrid server status
 Server demodb (rel 10.2, pid 343)

Master process and port

The master process (cub_master) is a relay process that receives the request of a CUBRID client (cub_cas or csql) and connects it to the target database. The default port number of the master process is 1523. To change it, modify the cubrid_port_id parameter (default cubrid_port_id=1523) in $CUBRID/conf/cubrid.conf.

  • Check the running master process
[cubrid@dbms ~]$ ps -ef | grep cub_master
cubrid      340      1  0 03:40 pts/1    00:00:00 cub_master

  • Check the master port in use
[cubrid@dbms ~]$ netstat -an | grep 1523
tcp        0      0 0.0.0.0:1523            0.0.0.0:*               LISTEN

Broker process and port

A broker is middleware that allows a variety of applications to connect to the database server. The CUBRID Broker consists of cub_broker and cub_cas. cub_broker relays the connection between an application client and cub_cas. When an application client requests access, cub_broker checks the status of the cub_cas processes through shared memory and passes the request to an available cub_cas. The cub_cas then provides the connection to the database server.

To change the broker port, modify the BROKER_PORT parameter (default BROKER_PORT=30000) in $CUBRID/conf/cubrid_broker.conf.

Note: MASTER_SHM_ID is the parameter that configures the ID of the shared memory used to manage the CUBRID broker. Its value must be unique on the system (the default value is 30001).

  • Check the broker processes
[cubrid@dbms conf]$ ps -ef | grep broker
cubrid     1449      1  0 03:48 ?        00:00:00 cub_broker
cubrid     1462      1  0 03:48 ?        00:00:00 cub_broker
cubrid     1464      1  0 03:48 ?        00:00:00 broker1_cub_cas_1
cubrid     1465      1  0 03:48 ?        00:00:00 broker1_cub_cas_2
cubrid     1466      1  0 03:48 ?        00:00:00 broker1_cub_cas_3
cubrid     1467      1  0 03:48 ?        00:00:00 broker1_cub_cas_4
cubrid     1468      1  0 03:48 ?        00:00:00 broker1_cub_cas_5

  • Check the operational status by using the cubrid broker status command.
[cubrid@dbms conf]$ cubrid broker status 
@ cubrid broker status
% query_editor
----------------------------------------------------------------------
        ID   PID                  QPS        LQS   PSIZE STATUS
----------------------------------------------------------------------
         1  1450                    0          0   39820 IDLE
         2  1451                    0          0   39820 IDLE
         3  1452                    0          0   39820 IDLE
         4  1453                    0          0   39820 IDLE
         5  1454                    0          0   39820 IDLE

% broker1
----------------------------------------------------------------------
        ID   PID                  QPS        LQS   PSIZE STATUS
----------------------------------------------------------------------
         1  1464                    0          0   39820 IDLE
         2  1465                    0          0   39820 IDLE
         3  1466                    0          0   39820 IDLE
         4  1467                    0          0   39820 IDLE
         5  1468                    0          0   39820 IDLE


  • Check that broker port 30000 is listening.
[cubrid@dbms conf]$ netstat -an | grep 30000
tcp        0      0 0.0.0.0:30000           0.0.0.0:*               LISTEN

  • Check the broker parameters.
[cubrid@dbms conf]$ vi $CUBRID/conf/cubrid_broker.conf
[%query_editor]
SERVICE                 ON
APPL_SERVER             CAS
BROKER_PORT             30000        * Change the port before using it.
MIN_NUM_APPL_SERVER     5
MAX_NUM_APPL_SERVER     20           * Determines the maximum number of ports in use.
AUTO_ADD_APPL_SERVER    ON

Note: On Windows, the maximum number of ports in use is MAX_NUM_APPL_SERVER + 1. For this reason, with the configuration above an operator must open all ports from 30000 to 30019.

The CUBRID Manager process and port

CUBRID Manager is a management tool for users, so CUBRID itself keeps working even when the CUBRID Manager process is stopped. The CUBRID Manager process is cub_manager.

The default port for communication between the CUBRID Manager server and its client is 8001. When a connection is actually established, two ports are used: the default port and the next one up (default port number + 1). For example, if the cm_port parameter in $CUBRID/conf/cm.conf is set to 8001, ports 8001 and 8002 will be used.

  • Check the running CUBRID Manager process (cub_manager).
[cubrid@dbms conf]$ ps -ef | grep manager
cubrid      306      1  0 03:40 ?        00:00:00 cub_manager start

  • Check the manager port in use.
[cubrid@dbms conf]$ netstat -an | grep 8001
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN
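As an added example (not part of this document or of the CUBRID project), the POSIX shell script below ties the checks of this section together: it reads the BROKER_PORT of every [%broker] section in cubrid_broker.conf and then looks each expected CUBRID port (master, manager, brokers) up in a netstat -an listing, so a broker that is configured but not listening is found before firewall rules are written for it. The configuration text and the netstat output are constructed samples embedded in the script; the master port 1523 and manager port 8001 are assumed defaults, and the [%name] / KEY VALUE layout is the one shown in the cubrid_broker.conf excerpt above.

```shell
#!/bin/sh
# Added example, not CUBRID project code. Reads the BROKER_PORT of every
# [%broker] section in cubrid_broker.conf, then looks each expected CUBRID
# port (master, manager, brokers) up in a "netstat -an" listing and reports
# ports that are configured but not listening.
# Assumptions: conf layout as in the excerpt above ([%name] sections,
# "KEY VALUE" lines); master port 1523 and manager port 8001 by default.

# Constructed sample of a cubrid_broker.conf with two brokers.
SAMPLE_BROKER_CONF='[%query_editor]
SERVICE                 ON
APPL_SERVER             CAS
BROKER_PORT             30000
MIN_NUM_APPL_SERVER     5
MAX_NUM_APPL_SERVER     20
AUTO_ADD_APPL_SERVER    ON

[%broker1]
SERVICE                 ON
BROKER_PORT             33000
MAX_NUM_APPL_SERVER     40
'

# Constructed "netstat -an" output. broker1 (33000) is configured but not
# listening, and the ESTABLISHED row on 30000 must not count as LISTEN.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1523            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:30000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN
tcp        0      0 192.168.13.10:30000     192.168.13.45:51234     ESTABLISHED
'

# broker_ports <conf-text>: prints "<broker-name> <BROKER_PORT>" per section.
broker_ports() {
    printf '%s\n' "$1" | awk '
        function flush() { if (name != "") print name, port; name = ""; port = "" }
        /^\[%/              { flush(); name = substr($1, 3, length($1) - 3); next }
        $1 == "BROKER_PORT" { port = $2 }
        END                 { flush() }'
}

# listen_addr <netstat-text> <port>: prints the local address of the LISTEN
# socket on <port> (empty if nothing listens there). Only LISTEN rows are
# considered, so established connections on the same port are ignored.
listen_addr() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) print $4
        }'
}

# check_cubrid_ports <conf-text> <netstat-text> [master-port] [manager-port]
# Prints one line per expected port, "<role> <port> LISTEN <addr>" or
# "<role> <port> MISSING", and returns 1 if any port is missing.
check_cubrid_ports() {
    conf=$1; ns=$2; master=${3:-1523}; manager=${4:-8001}
    missing=0
    expected="master $master
manager $manager
$(broker_ports "$conf")"
    # A here-document keeps the loop in the current shell, so "missing"
    # survives after the loop (a pipe into "while read" would not).
    while read -r role port; do
        [ -z "$role" ] && continue
        addr=$(listen_addr "$ns" "$port")
        if [ -n "$addr" ]; then
            printf '%s %s LISTEN %s\n' "$role" "$port" "$addr"
        else
            printf '%s %s MISSING\n' "$role" "$port"
            missing=1
        fi
    done <<EOF
$expected
EOF
    return $missing
}

# Run the check on the constructed samples; a non-zero exit means a port
# that should be listening is not.
check_cubrid_ports "$SAMPLE_BROKER_CONF" "$SAMPLE_NETSTAT" || echo "some CUBRID ports are not listening"
```

On a real host, replace the two samples with `cat $CUBRID/conf/cubrid_broker.conf` and `netstat -an` output; the exit status makes the check usable from a monitoring job, and the address column shows whether a service is bound to all interfaces (0.0.0.0) or to one address.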


Firewall (iptables)

iptables policy

iptables can serve as the default firewall in a Linux environment. When configuring the firewall with iptables, select one of the following two policies (on a fresh system the default policy usually accepts all traffic from all IP addresses, as the initial listing below shows):

  • Allow all IP addresses and reject only what must be restricted.
  • Reject all IP addresses and allow only what is needed (the general policy).

iptables settings

iptables is the user-space tool that controls the Linux kernel's packet filter. It has three rule tables: mangle, nat, and filter. It is common practice to configure the iptables policy using only the INPUT, FORWARD, and OUTPUT chains, which are the built-in chains of the filter table.

  • INPUT: packets addressed to the local machine (the path of traffic received by the local machine).
  • FORWARD: packets that pass through the machine from one interface to another; used when the firewall runs on a router (the path of traffic that traverses the firewall).
  • OUTPUT: packets generated by the local machine (the path of traffic the local machine sends out).

Rules added with iptables are kept in memory and are lost when the server or the iptables service is restarted. To keep them across restarts, change IPTABLES_SAVE_ON_STOP and IPTABLES_SAVE_ON_RESTART in /etc/sysconfig/iptables-config from "no" to "yes".

Note: The order of the iptables rules is important, as they are applied in sequence.

  • The initial policy allows all IP addresses.
[root@dbms ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
******************* Initialize all iptables policies *******************
[root@dbms ~]# iptables -F
[root@dbms ~]# iptables -X
[root@dbms ~]# iptables -Z
******************* Set the default policy for iptables *******************
[root@dbms ~]# iptables --policy INPUT DROP
[root@dbms ~]# iptables --policy FORWARD DROP
[root@dbms ~]# iptables --policy OUTPUT DROP

Note: If you administer the server over SSH, add the rules that accept SSH (see the DROP-policy examples below) before changing the default policies to DROP, or the current session will be cut off.

  • All IP addresses will be rejected.
[root@dbms ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination

iptables options

Option   Task
-A       Appends a new rule to the end of the chain.
         Example: iptables -A INPUT ... (the rule is added at the end of the INPUT chain.)
-I       Inserts a rule at a specific position in the chain (the order is vital, as rules are applied in sequence).
         Example: iptables -I INPUT 1 ... (the rule becomes the first rule of the INPUT chain.)
-D       Deletes the rule at a specific position in the chain.
         Example: iptables -D INPUT 3 (deletes the third rule of the INPUT chain.)
-F       Deletes all rules in the chain (-Z resets the packet and byte counters of the chain to zero).
         Example: iptables -F (deletes all rules configured in iptables.)
-R       Replaces the rule at a certain position in the chain.
         Example: iptables -R INPUT 2 ... (modifies the second rule of the INPUT chain.)
-X       Deletes a chain (use only for chains that were created manually, or when such chains need to be managed).
-L       Lists the rules of a chain (all chains if none is given).
-i       Input interface (for example, -i eth0 matches all packets arriving on eth0).
-o       Output interface.
-s       Source address, given as a host name, an IP address, or a network (for example, 192.168.10.0/24).
-d       Destination address (the IP address the packet is sent to).
--sport  Matches the source port number.
--dport  Matches the destination port number.
-p       Matches the protocol (the value of -p can be tcp, udp, or icmp).
-j       Target: what to do with a matching packet (for example, ACCEPT, DROP, REJECT, or LOG).

Note:

  • Location of the iptables init script: /etc/init.d/iptables
  • To restart iptables: service iptables restart
  • To check the details of the configured iptables rules: iptables -vnL
  • To save the configured rules so that they survive a restart: iptables-save (prints the rule set to standard output; redirect it to /etc/sysconfig/iptables, the file the iptables service loads at startup).

iptables syntax

The basic syntax of iptables depends on whether the default policy is ACCEPT (allow access) or DROP (reject access). Refer to the examples below when configuring (the order of the iptables rules is important, as they are applied in sequence). A rule is built from the following parts:

1. Table name (example: -t filter / -t nat / -t mangle). The value of -t can be filter, nat, or mangle; if it is omitted, the default table (filter) is used.

2. Chain name (example: -A INPUT / -D FORWARD / -I POSTROUTING). Selects the chain of the table to operate on.

3. Layer 3 match (example: -s 192.168.x.10 / -d 10.1.1.0/24). -s matches the source address and -d the destination address.

4. Layer 4 match (example: -p tcp --dport 80 / -p udp --sport 123). --sport matches the source port and --dport the destination port.

5. Jump (example: -j DROP / -j ACCEPT / -j REJECT / -j LOG). Sets the action to ACCEPT (allow access), DROP or REJECT (reject access), or LOG (log the access).

1. How to configure iptables when the policy is ACCEPT

  • Example 1) Disabling the ping command (inside/outside)
[root@dbms ~]# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
[root@dbms ~]# iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP


  • Example 2) Blocking the outgoing SSH port 22 (drops the replies that remote SSH servers send from port 22)
[root@dbms ~]# iptables -I INPUT 1 -p tcp --sport 22 -j DROP

  • Example 3) Blocking telnet and the Web port for the IP address 192.168.16.191
[root@dbms ~]# iptables -F              (initializes)
[root@dbms ~]# iptables -A INPUT -s 192.168.16.191 -p tcp --dport 23 -j DROP
[root@dbms ~]# iptables -A INPUT -s 192.168.16.191 -p tcp --dport 80 -j DROP

  • Example 4) Blocking or unblocking several ports at once by using the multiport match (use -j DROP to block, -j ACCEPT to allow)
[root@dbms ~]# iptables -I INPUT 1 -p tcp -m multiport --dport 23,80 -j DROP

  • Example 5) Blocking ports 20 to 80 from 192.168.16.191 by using the multiport match
[root@dbms ~]# iptables -A INPUT -s 192.168.16.191 -p tcp -m multiport --dport 20:80 -j DROP

2. How to configure iptables when the policy is DROP

  • Example 1) Opening the outgoing SSH port 22
[root@dbms ~]# iptables -A INPUT -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT

  • Example 2) Opening the outgoing SSH port 22 to a specific IP address
[root@dbms ~]# iptables -A INPUT -s 192.168.16.109 -p tcp -m tcp --sport 22 -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -d 192.168.16.109 -p tcp -m tcp --dport 22 -j ACCEPT

  • Example 3) Opening the inbound SSH port 22
[root@dbms ~]# iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT

  • Example 4) Opening only the SSH 22 port of the server with the specified IP (192.168.13.45)
[root@dbms ~]# iptables -A INPUT -i eth0 -s 192.168.13.45 -p tcp -m tcp --dport 22 -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -o eth0 -d 192.168.13.45 -p tcp -m tcp --sport 22 -j ACCEPT


  • Example 5) Blocking an IP address
[root@dbms ~]# iptables -A INPUT -s 192.168.16.109 -j DROP
[root@dbms ~]# iptables -A INPUT -s 192.168.16.109 -j REJECT

REJECT is not recommended: it sends an error response for every rejected packet, so under a DDoS attack those responses add load to the server, whereas DROP discards the packet silently.

[root@dbms ~]# iptables -A INPUT -s 192.168.16.109 -p tcp --dport 23 -j DROP

Blocks the telnet port 23 for the IP address 192.168.16.109.

How to Configure CUBRID and iptables

If the iptables firewall policy opens only specific IP addresses and ports, the IP addresses and ports of the master, broker, and manager servers on which CUBRID runs must also be opened. Whether a port is opened to all IP addresses or only to specific ones should follow an internal security policy that is then applied to iptables (this document gives guidelines for both cases).

Configuring the master network port

Port 1523, used by the CUBRID master, does not need to be opened unless the broker process runs on a different server. That is, if CUBRID is used on a single server, the master port should not be opened to the outside.

1. Configuring local interface accessibility

If all iptables policies are set to DROP, traffic on the local loopback interface (lo) must be explicitly permitted; if it is not, the master process will not start.

[root@dbms ~]# iptables -A INPUT -i lo -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -o lo -j ACCEPT

2. Opening port 1523 of a server to all IP addresses

The following is an example of opening port 1523, which the master uses, to all IP addresses.

[root@dbms ~]# iptables -A INPUT -i eth0 -p tcp -m tcp --dport 1523 -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 1523 -j ACCEPT


3. Opening only port 1523 of the server with the specified IP (192.168.13.45)

The following is an example of opening port 1523 of the master to the IP address of 192.168.13.45.

[root@dbms ~]# iptables -A INPUT -i eth0 -s 192.168.13.45 -p tcp -m tcp --dport 1523 -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -o eth0 -d 192.168.13.45 -p tcp -m tcp --sport 1523 -j ACCEPT


Configuring broker network port

Configures the CUBRID Broker ports 30000 and 33000 (the default ports of the query_editor and broker1 brokers) so that they can be reached from the outside.

1. Opening the Broker 30000/33000 ports to all IP addresses

The following is an example of opening ports 30000/33000 that the broker uses to all IP addresses.

[root@dbms ~]# iptables -A INPUT -i eth0 -p tcp -m tcp --dport 30000 -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 30000 -j ACCEPT 
[root@dbms ~]# iptables -A INPUT -i eth0 -p tcp -m tcp --dport 33000 -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 33000 -j ACCEPT 


2. Opening the Broker ports 30000/33000 only to the target server

The following is an example of opening the Broker ports 30000/33000 to the IP address 192.168.13.45.

[root@dbms ~]# iptables -A INPUT -i eth0 -s 192.168.13.45 -p tcp -m tcp --dport 30000 -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -o eth0 -d 192.168.13.45 -p tcp -m tcp --sport 30000 -j ACCEPT
[root@dbms ~]# iptables -A INPUT -i eth0 -s 192.168.13.45 -p tcp -m tcp --dport 33000 -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -o eth0 -d 192.168.13.45 -p tcp -m tcp --sport 33000 -j ACCEPT

Configuring manager network port

1. Opening the CUBRID Manager ports 8001 and 8002 to all IP addresses

The following is an example of opening ports 8001 and 8002, which the manager uses, to all IP addresses.

[root@dbms ~]# iptables -A INPUT -i eth0 -p tcp -m tcp --dport 8001 -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 8001 -j ACCEPT
[root@dbms ~]# iptables -A INPUT -i eth0 -p tcp -m tcp --dport 8002 -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 8002 -j ACCEPT

2. Opening the CUBRID Manager ports only to the PC on which the CUBRID Manager client runs

The following is an example of opening the Manager ports 8001 and 8002 to the IP address 192.168.13.45.

[root@dbms ~]# iptables -A INPUT -i eth0 -s 192.168.13.45 -p tcp -m tcp --dport 8001 -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -o eth0 -d 192.168.13.45 -p tcp -m tcp --sport 8001 -j ACCEPT
[root@dbms ~]# iptables -A INPUT -i eth0 -s 192.168.13.45 -p tcp -m tcp --dport 8002 -j ACCEPT
[root@dbms ~]# iptables -A OUTPUT -o eth0 -d 192.168.13.45 -p tcp -m tcp --sport 8002 -j ACCEPT