1 Key and Configuration Encryption
2 Customisation
3 Setup Couchdb Replication
4 Yarnman HTTP Certificate Notes
- - 4.1.1 Generate CSR
    - - 4.1.1.1.1 Verification
    - 4.1.1.2 Configuring Intermediate CA Certificates
      - 4.1.1.2.1 Verification
- 4.2 Photon iptables
  - 4.2.1 default ip4save
  - 4.2.2 Logging
  - 4.2.3 Monitoring

Key and Configuration Encryption

A script will be added in the future to automate creation of the clevis.json although it will require out of band collection of the thp

Collect the thp (thumbprint for each tang servers individually this is a unique identifier for each nodes tang server
1. yarnman@ym-ph-test [ ~ ]$ sudo ym-service-commands.sh tang-thp E7SN3eGxrnyoGiHGJBt4GDU8MRw OR if older versions this command was previously yarnman@ym-ph-test [ ~ ]$ sudo ym-service-commands.sh tang-adv E7SN3eGxrnyoGiHGJBt4GDU8MRw
Run the key and config encryption
- Node1 sudo ym-encrypt-at-rest.sh Database key found proceeding Number of pins required for decryption :1 Number of pins this must be equal or greater than the number of pins required for decryption :3 Enter URL for tang server 1 :http://10.101.10.13:6655 Enter THP for tang server 1 :o38piqOs5UwunlcUmqMVwulml34 Connection successful to : http://10.101.10.10:6655 Enter URL for tang server 2 :http://10.101.10.11:6655 Enter THP for tang server 2 :0Lqk7DroJ0g3patTCgTweMUAHPc Connection successful to : http://10.101.10.11:6655 Enter URL for tang server 3 :http://10.101.10.12:6655 Enter THP for tang server 3 :GEpmSTQfz8ctVxdgQEp_rnS3za Connection successful to : http://10.101.10.12:6655 ... Node4 sudo ym-encrypt-at-rest.sh Database key found proceeding Number of pins required for decryption :1 Number of pins this must be equal or greater than the number of pins required for decryption :3 Enter URL for tang server 1 :http://10.101.10.10:6655 Enter THP for tang server 1 :DwLco7FJtXWxFTprQ5M3cojJsZo Connection successful to : http://10.101.10.10:6655 Enter URL for tang server 2 :http://10.101.10.11:6655 Enter THP for tang server 2 :0Lqk7DroJ0g3patTCgTweMUAHPc Connection successful to : http://10.101.10.11:6655 Enter URL for tang server 3 :http://10.101.10.12:6655 Enter THP for tang server 3 :GEpmSTQfz8ctVxdgQEp_rnS3za Connection successful to : http://10.101.10.12:6655

Do not include the Local server in the encryption at rest. If you have 4 Nodes, you will enter in Number of Pins as 3, and exclude the IP address of the local server

Customisation

These manual customisations will be moved into scripts in a future release

When editing .yml document ensure that the correct space indentation for the relevent lines

Yarnman Application Additional Ports

With yarn_man Photon additional steps are required for Adding Secondary Local Auth Administration Access

Enable the Additional listening port with the ym-edit-config command
- yarnman@yarnman-1 [ ~ ]$ sudo ym-edit-config.sh enable-local-admin-access
- You will be prompted to restart the Yarnman service
- Port 3999 is the default alternative port to be used
The following file is modified by the script. Snippet shown for reference
- /var/opt/yarnlab/yarnman/docker-compose-override.yml
- version: '3.7' services: yarnman: ports: - "3999:3999"
Create the 2nd Administration application and ensure the port is 3999 and binding address is 0.0.0.0
You will now be able to access the second administration application on port 3999 using https://<IP address>:3999/
- NOTE that http to https redirect will not work on this port and https:// must be entered
- It is suggested to use in private browser or similar as the authentication sessions will conflict with LDAP users and the older session will close

Enable database access for Replication

This step must be performed to enable couchdb clustering on every node

Enable the listening port for couchdb for replication
- sudo ym-edit-config.sh enable-local-couchdb-access
- You will be prompted to restart the yarnman service
- Port 6984 will be used
The following file is modified by the script. Snippet shown for reference
- /var/opt/yarnlab/yarnman/docker-compose-override.yml
- version: '3.7' services: couchdb: ports: - "6984:6984"
- Optionally access to couchdb can be restricted to IP addresses using iptables

Changing private key default passphrase

This step requires root access
- to switch to root access run the following command “su root” and enter the root password set during installation
- If the encryption at rest process has been run previously the private key must be decrypted
  - If the key is not encrypted skip the decryption step
  - to verify run the following command If no file is found that means the key is encrypted
  - ls -la /var/opt/yarnlab/yarnman/config/private-encryption-key.pem ls: cannot access '/var/opt/yarnlab/yarnman/config/private-encryption-key.pem': No such file or directory
  - to verify the key is encrypted
  - ls -la /var/opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe -rw-r--r-- 1 ym-yarnman-app ym-yarnman-app-gp 8129 Nov 14 03:40 /var/opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe
Switch into docker container by running the following command - Note that the prompt changes from the root to container shell
- docker exec -it ym-yarnman /bin/bash ym-yarnman-app@yl-ym-yarnman:/opt/yarnlab/yarnman$
to decrypt the key run the following command
- clevis decrypt < /opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe > /opt/yarnlab/yarnman/config/private-encryption-key.pem
reset permissions
- chmod 600 /opt/yarnlab/yarnman/config/private-encryption-key.pem
change passphrase from default “yarnman”
- ssh-keygen -p -f /opt/yarnlab/yarnman/config/private-encryption-key.pem Enter old passphrase: Enter new passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved with the new passphrase.
backup old key
- mv /opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe /opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe.bk
exit the container shell
- exit exit root@ym-ph-test [ /var/opt/yarnlab/ ]#
- verify the key is decrypted and ensure the that
- ls -la /var/opt/yarnlab/yarnman/config/private-encryption-key.pem -rw-r--r-- 1 ym-yarnman-app ym-yarnman-app-gp 3326 Nov 20 20:21 /var/opt/yarnlab/yarnman/config/private-encryption-key.pem
add new passphrase to /var/opt/yarnlab/yarnman/config/local.yaml
- encryption: dbPassphrase: 'somepassword'
- TO update yq -i '.encryption.dbPassphrase = "somepassword"' /var/opt/yarnlab/yarnman/config/local.yaml
encrypt passphrase
- docker exec ym-yarnman node ./scripts/encrypt-local-config.js -k encryption.dbPassphrase 1668977064139 INFO Starting the encryption of 1 local configuration fields through Clevis Shamir Secret Sharing 1668977064142 INFO Attempting to encrypt the following local config fields: encryption.dbPassphrase 1668977064371 INFO Local key 'encryption.dbPassphrase' encrypted successfully 1668977064371 INFO 1 local config fields encrypted, 0 fields omitted
- verify
  - cat cat /var/opt/yarnlab/yarnman/config/local.yaml
re encrypt keys
- docker exec ym-yarnman node ./scripts/encrypt-keys.js 1668977138519 INFO Encrypting private and SSL keys using settings: 1668977138521 INFO - not overwriting existing encrypted files and not deleting any original files after encryption 1668977138522 INFO -------------------------------- 1668977138522 INFO Encrypting... 1668977138768 INFO - 'private-encryption-key.pem' encrypted successfully 1668977138768 INFO - 'ssl-key.pem' already encrypted, not overwriting 1668977138768 INFO -------------------------------- 1668977138768 INFO Finished encrypting the files
restart services
- systemctl restart yarnman
- verify while services are restarting look for
  - docker logs ym-yarnman -f 2|administration-app-b6925c3239fc4c878ff6888ce5cb2b51 | 1668977206414 INFO Decrypting 1 encrypted configuration keys 2|administration-app-b6925c3239fc4c878ff6888ce5cb2b51 | 1668977206415 INFO Decrypting configuration key 'encryption.dbPassphrase' 2|administration-app-b6925c3239fc4c878ff6888ce5cb2b51 | 1668977206500 INFO Configuration key 'encryption.dbPassphrase' decrypted successfully 2|administration-app-b6925c3239fc4c878ff6888ce5cb2b51 | 1668977206500 INFO Finished decrypting 1 configuration keys

Setup Couchdb Replication

Its recommended to have completed the the Yarngate LDAP configuration with at least 1 role configured before completing replication on additional nodes for the first time time setup. Refer to Yarngate Service Setup for more information

login to yarnman administration application web interface
Navigate to Authentication database
- Rename the Default Authentication Database name from “Central DB” to “<Node Name> Central DB” or other suitably unique name
Navigate to Authentication Policies
- Rename the Default Authentication Policy name from “Central DB-Only Policy” to “<Node Name> Central DB-Only Policy” or other suitably unique name
Navigate to Nodes and select the Standalone node
Update the yarnman node name
Navigate to Nodes , select the node you wanted to setup and click on the Replication tab
Click on Add Replication
- Enter the source and target connection strings
  - Source Address Syntax https://10.222.1.4:6984 - NOTE that the default source address is 10.222.1.4
    - Source address: https://10.222.1.4:6984
    - Source username: architect
    - source password: somepassword
  - Remote address Syntax https://<TargetIP>:6984
    - Target address https://10.101.10.10:6984
    - Target username: architect
    - Target password: somepassword
Once replication is setup status can be reviewed by clicking on the replication address, eg https://10.101.10.10:6984 . If the replication shows blank, the Sync button can be pressed to kick off replication again.
Repeat for each pair of nodes to achieve a full mesh
- If there are 2 datacenters repeat for each primary node in each data centre -
  - 2 node - 2 replications
    - n1->n2
    - n2->n1
  - 3 node - 6 replications
    - n1->n2
    - n1->n3
    - n2->n1
    - n2->n3
    - n3->n1
    - n3->n2
  - 4 node - 12 replications
    - n1->n2
    - n1->n3
    - n1->n4
    - n2->n1
    - n2->n3
    - n2->n4
    - n3->n1
    - n3->n2
    - n3->n4
    - n4->n1
    - n4->n2
    - n4->n3

Yarnman HTTP Certificate Notes

This is a manual proces until https://yarnlab.atlassian.net/browse/YMN-4962

Generate CSR

Switch user to root
- su root
Run the following command to create the CSR request config file
- nano /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf
- copy the following content and replace servername.example.com with the Fully Qualified Domain Name of the server and sample@sample.com with an email address.
- [req] distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] emailAddress = sample@sample.com [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = servername.example.com
Run the following command to generate the CSR
- Command Syntax
  - openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${FUNCTION}/CN=${FQDN}" \ -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:somepassword -sha512 -newkey rsa:4096
- All of the following need to be replaced
  - ${COUNTRY}
  - ${STATE}
  - ${LOCATION}
  - ${ORGANIZATION}
  - ${FUNCTION}
  - ${FQDN}
- Example
  - openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -subj "/C=AU/ST=NSW/L=SYDNEY/O=yarnlab/OU=lab/CN=yarnman.test.yarnlab.io" \ -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:yarnman -sha512 -newkey rsa:4096
Collect CSR for signing
1. Option 1- SFTP download from /var/opt/yarnlab/upgrade/
  1. cp /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr /var/opt/yarnlab/yarnman/upgrade/yarnman-ssl.csr
2. Option 2 - copy content from your ssh terminal to obtain the base64 text
  1. cat /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr
Once signed certificate has been received from CA
1. Note if the certificate has intermediate CA, Extra steps will be required detailed in the step Configuring Intermediate CA Certificates
rename/move existing SSL public certificate
- mv /var/opt/yarnlab/yarnman/config/ssl-cert.cert /var/opt/yarnlab/yarnman/config/ssl-cert.cert.bk
Update public certificate
- Option 1
  upload to /tmp from your sftp program, set/validate correct permission and restart yarnman
  - mv /tmp/certname.something /var/opt/yarnlab/yarnman/config/ssl-cert.cert chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ssl-cert.cert chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert systemctl restart yarnman
- Option 2
  use nano to paste the contents of the base64 certificate
  - nano /var/opt/yarnlab/yarnman/config/ssl-cert.cert chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ssl-cert.cert chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert systemctl restart yarnman

Verification

Verify contents of CSR

openssl req -text -noout -verify -in /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr 

Certificate request self-signature verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = AU, ST = NSW, O = yarnlab, OU = yarnlab, CN = test.tm999.yarnlan.

Verify the certificate is valid with openssl command

openssl x509 -noout -text -in /var/opt/yarnlab/yarnman/config/ssl-cert.cert

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2c:00:00:00:28:d4:5a:73:57:37:04:7f:f1:00:00:00:00:00:28
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = io, DC = yarnlab, DC = lab, CN = lab-WIN-CA
        Validity
            Not Before: Jan 10 02:35:41 2023 GMT
            Not After : Jan  9 02:35:41 2025 GMT
        Subject: C = AU, ST = NSW, L = SYDNEY, O = yarnlab, OU = lab, CN = yarnman-2.test.yarnlab.io
Lots more cert output...

Configuring Intermediate CA Certificates

Typical format for standard SSL.

/var/opt/yarnlab/yarnman/config/

ssl-cert.cert - Standard certificate sent to clients

ssl-key.pem - Private key file for checking response

In order to enable intermediate certificates we must create new directory of ca in in /var/opt/yarnlab/yarnman/config/

mkdir /var/opt/yarnlab/yarnman/config/ca

add files in order of the cert chain so the files in the directory look like

ls -lh /var/opt/yarnlab/yarnman/config/ca
1-name.crt
2-name.crt
3-name.crt

The /ca folder contains the intermediate certificates that will be loaded in order. The easiest way to achieve this is to use the naming conventions 1-, 2- etc. Each certificate must end in .crt in order to be loaded.

Once the folder is created and at least one certificate is added in the format indicated the services on the node must be restarted.

File permissions should be as follow

root@yarnman-2 [ /var/home/yarnman ]# ls -lh /var/opt/yarnlab/yarnman/config
total 60K
drwxr-xr-x 2 ym-yarnman-app ym-yarnman-app-gp 4.0K Jan 10 05:31 ca

root@yarnman-2 [ /var/home/yarnman ]# ls -lh /var/opt/yarnlab/yarnman/config/ca/1-name.crt 
-rw-r--r-- 1 ym-yarnman-app ym-yarnman-app-gp 1.3K Jan 10 05:31 /var/opt/yarnlab/yarnman/config/ca/1-name.crt

If required to change the owner and group

chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca/*.crt

If required to change the permissions

chmod 755 /var/opt/yarnlab/yarnman/config/ca
chmod 644 /var/opt/yarnlab/yarnman/config/ca/*.crt

restart yarnman

systemctl restart yarnman

Verification

root@yarnman-2 [ /var/opt/yarnlab/yarnman/config/ca ]# openssl verify -CAfile /var/opt/yarnlab/yarnman/config/ca/1-labca.crt /var/opt/yarnlab/yarnman/config/ssl-cert.cert 
/var/opt/yarnlab/yarnman/config/ssl-cert.cert: OK

If you have multiple intermediates

cat /var/opt/yarnlab/yarnman/config/ca/*.crt > /tmp/tempca.pem
openssl verify -verbose -CAfile /tmp/tempca.pem ssl-cert.cert
ssl-cert.cert: OK

openssl verify -show_chain -CAfile /tmp/tempca.pem /var/opt/yarnlab/yarnman/config/ssl-cert.cert
/var/opt/yarnlab/yarnman/config/ssl-cert.cert: OK
Chain:
depth=0: CN = something.example.com (untrusted)
depth=1: C = US, O = Let's Encrypt, CN = R3
depth=2: C = US, O = Internet Security Research Group, CN = ISRG Root X1

Photon iptables

In order to have perstitant firewall rules for docker containers, we need to populate the DOCKER-USER table, this is processed by iptables before traffic hits the host, hence we can’t apply the firewall rules directly on INPUT table (used by eth0)

In this example we will allow traffic to couchdb from ip address

10.202.30.10
10.202.30.11
10.101.10.36

You will need to su as root to modify this file.

Modify the Existing ruleset applied on startup /etc/systemd/scripts/ip4save

We need to add the table/filter :DOCKER-USER - [0:0] under the existing filter/table list and the required firewall rules at the bottom before the COMMIT

:DOCKER-USER - [0:0]
-A DOCKER-USER -i eth0 -p tcp -s 10.202.30.10,10.202.30.11,10.101.10.36 --dport 6984 -m comment --comment "Allow CouchDB Traffic - " -j RETURN
-A DOCKER-USER -i eth0 -p tcp -s 0.0.0.0/0 --dport 6984 -m comment --comment "block non replication Coucdb - " -j DROP

The File will look similar to

# init
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER-USER - [0:0]
# Allow local-only connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#keep commented till upgrade issues are sorted
#-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -j ACCEPT
-A DOCKER-USER -i eth0 -p tcp -s 10.202.30.10,10.202.30.11,10.101.10.36 --dport 6984 -m comment --comment "Allow CouchDB Traffic - " -j RETURN
-A DOCKER-USER -i eth0 -p tcp -s 0.0.0.0/0 --dport 6984 -m comment --comment "block non replication Coucdb nodes - " -j DROP
COMMIT

Reload the server for the firewall rules to take affect

If you get the syntax wrong, or don’t place the correct filters in the right place you may lock yourself out of the server as it will block all traffic in and out, you would then be required to use vmware console to console into the server to remove the firewall rules.

You can verify the ruleset with the command in a root prompt

iptables -t filter -vnL --line-numbers

some output removed from the other tables and docker internal but this shows 10.202.30.10 , 10.202.30.11, 10.101.10.36 can communicate with TCP/6984 and everything else is dropped . You can see 55 packets have been blocked, and 9 packets have been allowed from 10.202.30.11

[ /var/home/yarnman ]# iptables -t filter -vL --line-numbers
Chain INPUT (policy DROP 161 packets, 9805 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       70  5662 ACCEPT     all  --  lo     any     anywhere             anywhere            
2      321 24962 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
3        1    64 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:22

  

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 RETURN     tcp  --  eth0    any     10.202.30.10         anywhere             tcp dpt:6984 /* Allow CouchDB Traffic -  */
2        9   732 RETURN     tcp  --  eth0    any     10.202.30.11         anywhere             tcp dpt:6984 /* Allow CouchDB Traffic -  */
3        0     0 RETURN     tcp  --  eth0    any     10.101.10.36         anywhere             tcp dpt:6984 /* Allow CouchDB Traffic -  */
4       55  3300 DROP       tcp  --  eth0    any     anywhere             anywhere             tcp dpt:6984 /* block non replication Coucdb nodes -  */
5     3591  264K RETURN     all  --  any    any     anywhere             anywhere

default ip4save

This is the default of /etc/systemd/scripts/ip4save

on the off-chance you need to rollback to it

# init
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow local-only connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#keep commented till upgrade issues are sorted
#-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT

To add other firewall rules eg allow traffic only between 3 ips to Clevins-Tang insert them above the COMMIT line eg

-A DOCKER-USER -i eth0 -p tcp -s 10.202.30.10,10.202.30.11,10.101.10.36 --dport 6984 -m comment --comment "Allow CouchDB Traffic - " -j RETURN
-A DOCKER-USER -i eth0 -p tcp -s 0.0.0.0/0 --dport 6984 -m comment --comment "block non replication Coucdb nodes - " -j DROP
-A DOCKER-USER -i eth0 -p tcp -s 10.202.30.10,10.202.30.11,10.101.10.36 --dport 6655 -m comment --comment "Allow ClevisTang Traffic - " -j RETURN
-A DOCKER-USER -i eth0 -p tcp -s 0.0.0.0/0 --dport 6655 -m comment --comment "block non ClevisTang nodes - " -j DROP
COMMIT

Final file will look like /etc/systemd/scripts/ip4save

# init
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER-USER - [0:0]
# Allow local-only connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#keep commented till upgrade issues are sorted
#-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -j ACCEPT
-A DOCKER-USER -i eth0 -p tcp -s 10.202.30.10,10.202.30.11,10.101.10.36 --dport 6984 -m comment --comment "Allow CouchDB Traffic - " -j RETURN
-A DOCKER-USER -i eth0 -p tcp -s 0.0.0.0/0 --dport 6984 -m comment --comment "block non replication Coucdb nodes - " -j DROP
-A DOCKER-USER -i eth0 -p tcp -s 10.202.30.10,10.202.30.11,10.101.10.36 --dport 6655 -m comment --comment "Allow ClevisTang Traffic - " -j RETURN
-A DOCKER-USER -i eth0 -p tcp -s 0.0.0.0/0 --dport 6655 -m comment --comment "block non ClevisTang nodes - " -j DROP
COMMIT

Logging

work in progress, some of the logging comments will be slightly different

With IPtables you need to LOG before dropping the packet, the simplest way is to duplicate the rule with the LOG jump

-A DOCKER-USER -i eth0 -p tcp -s 0.0.0.0/0 --dport 6984 -m comment --comment "block non replication Coucdb nodes - " -m limit --limit 5/min -j LOG --log-prefix "couchdb drop -"
-A DOCKER-USER -i eth0 -p tcp -s 0.0.0.0/0 --dport 6984 -m comment --comment "block non replication Coucdb nodes - " -j DROP

you can view these in dmesg as root

root@yarnman-1 [ /var/home/yarnman ]# dmesg
[   34.799506] couchdb drop -IN=eth0 OUT=br-7cee03840940 MAC=00:50:56:9f:04:4f:02:50:56:56:44:52:08:00 SRC=10.101.10.86 DST=10.222.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=61886 DF PROTO=TCP SPT=59210 DPT=6984 WINDOW=42340 RES=0x00 SYN URGP=0

Monitoring

watch can be used to repeat the same command, to watch the counters increase

root@yarnman-1 [ /var/home/yarnman ]# watch 'iptables -t filter -v -L DOCKER-USER --line-numbers -n'

Every 2.0s: iptables -t filter -v -L DOCKER-USER --line-numbers -n                                                                                                 yarnman-1: Mon Jan 16 05:04:39 2023

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     tcp  --  eth0   *       10.202.30.10         0.0.0.0/0            tcp dpt:6984 /* Allow CouchDB Traffic -  */
2        0     0 RETURN     tcp  --  eth0   *       10.101.12.81         0.0.0.0/0            tcp dpt:6984 /* Allow CouchDB Traffic -  */
3     8670 1270K RETURN     tcp  --  eth0   *       10.101.12.82         0.0.0.0/0            tcp dpt:6984 /* Allow CouchDB Traffic -  */
4      788  115K RETURN     tcp  --  eth0   *       10.101.12.83         0.0.0.0/0            tcp dpt:6984 /* Allow CouchDB Traffic -  */
5        0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6984 /* block non replication Coucdb nodes -  */ limit: avg 2/min burst 5 LOG flags 0 level 4 pr
efix "COUCHDB DROP-"
6        0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6984 /* block non replication Coucdb nodes -  */
7        0     0 RETURN     tcp  --  eth0   *       10.202.30.10         0.0.0.0/0            tcp dpt:6655 /* Allow ClevisTang Traffic -  */
8        0     0 RETURN     tcp  --  eth0   *       10.101.12.81         0.0.0.0/0            tcp dpt:6655 /* Allow ClevisTang Traffic -  */
9        0     0 RETURN     tcp  --  eth0   *       10.101.12.82         0.0.0.0/0            tcp dpt:6655 /* Allow ClevisTang Traffic -  */
10       0     0 RETURN     tcp  --  eth0   *       10.101.12.83         0.0.0.0/0            tcp dpt:6655 /* Allow ClevisTang Traffic -  */
11       0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6655 /* block non ClevisTang nodes -  */ limit: avg 2/min burst 5 LOG flags 0 level 4 prefix "CL
EVISTANG DROP-"
12       0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6655 /* block non ClevisTang nodes -  */
13    865K   96M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Highlight keywords from Log and current packet counts

root@yarnman-2 [ /var/home/yarnman ]# journalctl _TRANSPORT=kernel | grep "DROP-" ; echo -e "\n#time now $(date)#\n"; iptables -t filter -v -L DOCKER-USER --line-numbers -n | grep -e "DROP "  -e "pkts"

### lots of text scrolling ###

Jan 16 01:06:33 yarnman-2 kernel: COUCHDB DROP-IN=eth0 OUT=br-7adbc3fd84ef MAC=00:50:56:9f:cb:2d:02:50:56:56:44:52:08:00 SRC=10.101.10.100 DST=10.222.1.4 LEN=52 TOS=0x02 PREC=0x00 TTL=126 ID=9481 DF PROTO=TCP SPT=50173 DPT=6984 WINDOW=64240 RES=0x00 CWR ECE SYN URGP=0 
Jan 16 01:06:33 yarnman-2 kernel: COUCHDB DROP-IN=eth0 OUT=br-7adbc3fd84ef MAC=00:50:56:9f:cb:2d:02:50:56:56:44:52:08:00 SRC=10.101.10.100 DST=10.222.1.4 LEN=52 TOS=0x02 PREC=0x00 TTL=126 ID=9482 DF PROTO=TCP SPT=50174 DPT=6984 WINDOW=64240 RES=0x00 CWR ECE SYN URGP=0 

#time now Mon Jan 16 01:31:55 AM UTC 2023#

num   pkts bytes target     prot opt in     out     source               destination         
6       18   936 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6984 /* block non replication Coucdb nodes -  */
12       0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6655 /* block non ClevisTang nodes -  */

Yarnlab Docs

Yarnman Photon Powered (YM-PH) - Advanced Platform Configuration

Key and Configuration Encryption

Customisation

Yarnman Application Additional Ports

Enable database access for Replication

Changing private key default passphrase

Setup Couchdb Replication

Yarnman HTTP Certificate Notes

Generate CSR

Verification

Configuring Intermediate CA Certificates

Verification

Photon iptables

default ip4save

Logging

Monitoring

Related content