-
Notifications
You must be signed in to change notification settings - Fork 652
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update the setup-iptables documentation.
- Update with the latest connection limit recommendations. - Add instructions for updating the scripts and recommended settings on a node. Signed-off-by: Wade Barnes <wade@neoterictech.ca>
- Loading branch information
1 parent
572162f
commit 300be0b
Showing
1 changed file
with
48 additions
and
47 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,70 +1,71 @@ | ||
| # Setup iptables rules (recommended) | ||
|
|
||
| It is strongly recommended to add iptables (or some other firewall) rule that limits the number of simultaneous clients | ||
| connections for client port. | ||
| There are at least two important reasons for this: | ||
| - preventing the indy-node process from reaching of open file descriptors limit caused by clients connections | ||
| - preventing the indy-node process from large memory usage as ZeroMQ creates the separate queue for each TCP connection. | ||
| It is strongly recommended to add iptables (or some other firewall) rules to limit the number of simultaneous clients | ||
| connections to your node's client port. | ||
|
|
||
| NOTE: limitation of the number of *simultaneous clients connections* does not mean that we limit the | ||
| number of *simultaneous clients* the indy-node works with in any time. The IndySDK client does not keep | ||
| connection infinitely, it uses the same connection for request-response session with some optimisations, | ||
| so it's just about **connections**, **not** about **clients**. | ||
| There are at least two important reasons for this: | ||
| - preventing the indy-node process from exceeding the limit of open file descriptors due to an excessive number of clients connections. | ||
| - controlling the indy-node process's memory use, as ZeroMQ creates a separate queue for each TCP connection. | ||
|
|
||
| Also iptables can be used to deal with various DoS attacks (e.g. syn flood) but rules' parameters are not estimated yet. | ||
| NOTE: The limitation of the number of *simultaneous clients connections* does not mean that we limit the | ||
| number of *simultaneous clients* indy-node works with in any time. Connections are not left open infinitely. The same connection is used for a request-response session with some optimisations and then closed, therefore it's just about **connections**, **not** about **clients**. | ||
|
|
||
| NOTE: you should be a root to operate with iptables. | ||
| NOTE: You will need to have sudo privileges to work with iptables. | ||
|
|
||
| ## Using indy scripts | ||
|
|
||
| ## Setting up clients connections limit | ||
| For ease of use and for people that are not familiar with iptables we've added two scripts: | ||
| - [`setup_iptables`](https://github.com/hyperledger/indy-node/blob/main/scripts/setup_iptables): | ||
| - By default this scripts adds rules to iptables to limit the number of simultaneous clients connections for a specified port. | ||
| - To get a full list of options run `./setup_iptables -h` from the scripts directory. | ||
|
|
||
| #### Using raw iptables command or iptables front-end | ||
| - [`setup_indy_node_iptables`](https://github.com/hyperledger/indy-node/blob/main/scripts/setup_indy_node_iptables): | ||
| - A wrapper around `setup_iptables` which gets client port and connection limit settings from the `/etc/indy/indy.env` that is created by the `init_indy_node` script. | ||
|
|
||
| In case of deb installation the indy-node environment file /etc/indy/indy.env is created by `init_indy_node` script. | ||
| This environment file contains client port (NODE_CLIENT_PORT) and recommended clients connections limit (CLIENT_CONNECTIONS_LIMIT). | ||
| This parameters can be used to add the iptables rule for chain INPUT: | ||
| Which one you use depends on how you installed indy-node on your server. Refer to the [For deb package based installations](#for-deb-package-based-installations), and [For pip based installations](#for-pip-based-installations) sections below. | ||
|
|
||
| ``` | ||
| # iptables -I INPUT -p tcp --syn --dport 9702 -m connlimit --connlimit-above 500 --connlimit-mask 0 -j REJECT --reject-with tcp-reset | ||
| ``` | ||
| Some key options: | ||
| - --dport - a port for which limit is set | ||
| - --connlimit-above - connections limit, exceeding new connections will be rejected using TCP reset | ||
| - --connlimit-mask - group hosts using the prefix length, 0 means "all subnets" | ||
| ### Updating the scripts and configuration | ||
|
|
||
| Corresponding fields should be set in case of some iptables front-end usage. | ||
| Before you run the scripts you should ensure you are using the latest scripts and recommended settings by following these steps while logged into your node: | ||
|
|
||
| 1. Make a backup copy of the existing `setup_iptables` script by executing the command: | ||
| ``` | ||
| sudo cp /usr/local/bin/setup_iptables /usr/local/bin/setup_iptables_$(date "+%Y%m%d-%H%M%S") | ||
| ``` | ||
|
|
||
| #### Using indy scripts | ||
| 1. Update the default client connection limit to 15000 in `/etc/indy/indy.env`. | ||
| - NOTE: | ||
| - `/etc/indy/indy.env` only exists for deb package based installations. | ||
| - `\1` is an excape sequence `\115000` is not a typo. | ||
| ``` | ||
| sudo sed -i -re "s/(^CLIENT_CONNECTIONS_LIMIT=).*$/\115000/" /etc/indy/indy.env | ||
| ``` | ||
|
|
||
| For ease of use and for people that are not familiar with iptables we've | ||
| added two scripts: | ||
| - setup_iptables: adds a rule to iptables to limit the number of simultaneous | ||
| clients connections for specified port; | ||
| - setup_indy_node_iptables: a wrapper for setup_iptables script which gets client | ||
| port and recommended connections limit from indy-node environment file that is created by init_indy_node script. | ||
| 1. Download the latest version of the script. | ||
| ``` | ||
| sudo curl -o /usr/local/bin/setup_iptables https://raw.githubusercontent.com/hyperledger/indy-node/main/scripts/setup_iptables | ||
| ``` | ||
| The sha256 checksum for the current version of the script is `a0e4451cc49897dc38946091b245368c1f1360201f374a3ad121925f9aa80664` | ||
|
|
||
| Links to these scripts: | ||
|
|
||
| - https://github.com/hyperledger/indy-node/blob/master/scripts/setup_iptables | ||
| - https://github.com/hyperledger/indy-node/blob/master/scripts/setup_indy_node_iptables | ||
|
|
||
| NOTE: for now the iptables chain for which the rule is added is not parameterized, | ||
| the rule is always added for INPUT chain, we can parameterize it in future if needed. | ||
| ### For deb package based installations | ||
|
|
||
| ###### For deb installation | ||
| To setup the limit of the number of simultaneous clients connections it is enough to run the following script without parameters | ||
| Run: | ||
| ``` | ||
| # setup_indy_node_iptables | ||
| setup_indy_node_iptables | ||
| ``` | ||
| This script gets client port and recommended connections limit from the indy-node environment file. | ||
| NOTE: | ||
| - This script should only be called *after* your node has been initialized using `init_indy_node`, to ensure `/etc/indy/indy.env` has been created. | ||
|
|
||
| NOTE: this script should be called *after* `init_indy_node` script. | ||
| ### For pip based installations | ||
|
|
||
| ###### For pip installation | ||
| The `setup_indy_node_iptables` script can not be used in case of pip installation as indy-node environment file does not exist, | ||
| use the `setup_iptables` script instead (9702 is a client port, 500 is recommended limit for now) | ||
| For pip based installations `/etc/indy/indy.env` does not exist, therefore `setup_indy_node_iptables` cannot be used. Instead you run `setup_iptables` directly. | ||
|
|
||
| For example, if your client port is 9702, you would run: | ||
| ``` | ||
| # setup_iptables 9702 500 | ||
| setup_iptables 9702 15000 | ||
| ``` | ||
| In fact, the `setup_indy_node_iptables` script is just a wrapper for the `setup_iptables` script. | ||
|
|
||
| ## Using raw iptables command or iptables front-end | ||
|
|
||
| If you are confident with using iptables, you may add additional rules as you see fit using iptables directly. |