
What ports do I need to open for ClearGLASS

For monitoring (outgoing traffic)

To enable monitoring with ClearGLASS, a server needs to allow outgoing traffic to UDP port 25826 on monitor.ClearGLASS. Port 25826 is the port that the collectd open source monitoring agent uses to send monitoring data, so make sure outgoing traffic to monitor.ClearGLASS on port 25826 is allowed.

For probe/ssh (incoming traffic)

For ClearGLASS to run properly and ping/probe/ssh VMs, incoming traffic from these IPs needs to be whitelisted:

104.198.19.203, 35.184.67.94, 104.198.197.230, 104.154.33.164, 104.155.147.47

The list of IPs is also published as A records under the DNS name ips.ClearGLASS. To get all current IPs, use dig:

root@user:~# dig ips.ClearGLASS
; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> ips.ClearGLASS
...
;; ANSWER SECTION:
ips.ClearGLASS.		300	IN	A	104.154.231.252
ips.ClearGLASS.		60	IN	A	35.184.67.94
ips.ClearGLASS.		60	IN	A	104.154.33.164
ips.ClearGLASS.		60	IN	A	104.155.147.47
ips.ClearGLASS.		60	IN	A	104.198.19.203
ips.ClearGLASS.		60	IN	A	104.198.197.230

To whitelist these:

root@user:~# iptables -A INPUT -s ips.ClearGLASS -j ACCEPT

Keep in mind that when DNS names are used in iptables, they are resolved when the rule is added. To keep up with changes in our infrastructure, you'll need to reapply the rules periodically so that the DNS entries are re-resolved.
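One way to do the periodic re-resolution described above, as an added example that is not part of the original page: it rebuilds a dedicated chain from the current A records instead of appending duplicate rules to INPUT on every run. The chain name CLEARGLASS_IN, the function names, the script filename, and the use of `dig +short` and `iptables-restore --noflush` are assumptions.

```shell
#!/bin/sh
# Added example: rebuild a dedicated chain from the current A records of ips.ClearGLASS.
HOST="ips.ClearGLASS"     # DNS name given on the page
CHAIN="CLEARGLASS_IN"     # hypothetical chain name (assumption)

# Keep only well-formed IPv4 addresses from stdin, sorted and de-duplicated,
# so a CNAME line or malformed answer never reaches iptables.
valid_ipv4() {
    awk -F. 'NF == 4 {
        ok = 1
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
        if (ok) print
    }' | sort -u
}

# Turn one address per line (stdin) into an iptables-restore fragment.
# Under --noflush, redeclaring an existing user chain empties it, and the
# whole fragment is committed in one step.
build_ruleset() {
    printf '%s\n' "*filter" ":$CHAIN - [0:0]"
    while read -r ip; do
        printf '%s\n' "-A $CHAIN -s $ip/32 -j ACCEPT"
    done
    printf '%s\n' "COMMIT"
}

refresh() {
    ips=$(dig +short A "$HOST" | valid_ipv4)
    if [ -z "$ips" ]; then
        echo "no valid A records for $HOST; keeping existing rules" >&2
        return 1
    fi
    printf '%s\n' "$ips" | build_ruleset | iptables-restore --noflush || return 1
    # Hook the chain into INPUT once; later runs only replace its contents.
    iptables -C INPUT -j "$CHAIN" 2>/dev/null || iptables -A INPUT -j "$CHAIN"
}

# Run as root, e.g. from cron: sh refresh-clearglass.sh apply (hypothetical filename)
if [ "${1:-}" = "apply" ]; then refresh; fi
```

If the lookup returns nothing usable, the script leaves the existing rules in place, so a DNS outage does not remove the allowlist.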

content/en_us/cg_what-ports-do-i-need-to-open-for-clearglass.txt · Last modified: 2018/03/14 13:55 by cjones