Chapter 8. Endpoint IP Filtering
Configure IP Filtering rules on the endpoints to accept or reject connections based on the client address.
8.1. Data Grid Server IP Filter Configuration
Data Grid endpoints and connectors can specify one or more IP filtering rules. These rules specify the type of action to take when a client which matches a supplied CIDR block connects. IP filtering rules are applied in order up until the first one that matches.
A CIDR block is a compact representation of an IP address and its associated network mask. CIDR notation specifies an IP address, a slash ('/') character, and a decimal number. The decimal number is the count of leading 1 bits in the network mask. The number can also be thought of as the width, in bits, of the network prefix. The IP address in CIDR notation is always represented according to the standards for IPv4 or IPv6.
The address can denote a specific interface address, including a host identifier, such as 10.0.0.1/8
, or it can be the beginning address of an entire network interface range using a host identifier of 0, as in 10.0.0.0/8
or 10/8
.
For example:
-
192.168.100.14/24
represents the IPv4 address192.168.100.14
and its associated network prefix192.168.100.0
, or equivalently, its subnet mask255.255.255.0
, which has 24 leading 1-bits. -
the IPv4 block
192.168.100.0/22
represents the 1024 IPv4 addresses from192.168.100.0
to192.168.103.255
. -
the IPv6 block
2001:db8::/48
represents the block of IPv6 addresses from2001:db8:0:0:0:0:0:0
to2001:db8:0:ffff:ffff:ffff:ffff:ffff
. -
::1/128
represents the IPv6 loopback address. Its prefix length is 128 which is the number of bits in the address.
<endpoints socket-binding="default" security-realm="default"> <ip-filter> <accept from="192.168.0.0/16"/> <accept from="10.0.0.0/8"/> <reject from="/0"/> </ip-filter> <hotrod-connector name="hotrod"/> <rest-connector name="rest"/> </endpoints>
As a result of the preceding configuration, Data Grid servers accept connections only from addresses in the 192.168.0.0/16
and 10.0.0.0/8
CIDR blocks. Data Grid servers reject all other connections.
8.2. Inspecting and Modifying Data Grid Server IP Filter Rules
Server IP filter rules can be manipulated via the CLI.
Procedure
-
Open a terminal in
$RHDG_HOME
. Inspect and modify the IP filter rules
server connector ipfilter
command as required.List all IP filtering rules active on a connector across the cluster:
[//containers/default]> server connector ipfilter ls endpoint-default
Set IP filtering rules across the cluster.
NoteThis command replaces any existing rules.
[//containers/default]> server connector ipfilter set endpoint-default --rules=ACCEPT/192.168.0.0/16,REJECT/10.0.0.0/8`
Remove all IP filtering rules on a connector across the cluster.
[//containers/default]> server connector ipfilter clear endpoint-default