Could you use iptables directly to blacklist or whitelist some client IPs?

- Alex

On Fri, Feb 5, 2016 at 12:53 PM, Talluri, Chandra <[email protected]> wrote:
> Adam
> Thanks, that would be very helpful. I was thinking there should be something
> in Zookeeper configuration itself
>
> -Thanks
>
> -----Original Message-----
> From: Adam Milne-Smith [mailto:[email protected]]
> Sent: Friday, February 05, 2016 2:22 PM
> To: [email protected]
> Subject: Re: Can we restrict any client connections to Zookeeper ensemble
>
> I've been looking to do the same thing so have started running a HAProxy on
> each ZooKeeper host in transparent tcp mode in front of the ZooKeeper client
> port.
>
> The choice of transparent mode was so that I can still map session activity
> to source IP in ZooKeeper. HAProxy will spoof the client IP so the ZooKeeper
> is none the wiser that HAProxy sits in between. It requires some iptables, ip
> rule and ip route config to direct outgoing packets from ZooKeeper back
> through the HAProxy.
>
> This allows for blacklisting IPs and protecting against DOS attacks by rate
> limiting new connections by IP and by blocking connections from bad actors that
> are too write intensive.
>
> If this sounds useful to anyone I can outline the approach in a bit
> more detail.
>
> Thanks,
> Adam
>
>
> On 5 Feb 2016 19:07, "Talluri, Chandra" <[email protected]>
> wrote:
>>
>> Is it possible to restrict any client connections to a Zookeeper ensemble
>> based on IP address, not just by setting ACLs on znodes?
>>
>> (i.e.) I should be able to connect to the zookeeper ensemble either using
>> zkCli.sh or any client only from certain IP addresses
>>
>> -Thanks in advance
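The thread describes two approaches without showing the configuration for either: Alex's plain iptables source whitelist on the client port, and Adam's HAProxy in transparent TCP mode with the iptables / ip rule / ip route plumbing that steers ZooKeeper's replies back into HAProxy. The script below is an added example written for this page; it is neither poster's own setup nor anything shipped with ZooKeeper or HAProxy. Everything in it is assumed for illustration: ZooKeeper is moved off 2181 to 2182 on the host address 10.0.0.5 (via clientPortAddress and clientPort in zoo.cfg) so HAProxy can own 2181; HAProxy is built with TPROXY support and runs as root or with the equivalent capabilities, which "usesrc clientip" requires; fwmark 1 and routing table 100 are otherwise unused; the allowed networks and the blacklist file path are made up. The return-path rules in particular follow the usual recipe for a transparent proxy with a backend on the same host, but they are an assumption to be verified on a test node, not something the thread confirms.

```shell
#!/bin/sh
# Added example (not from the thread): generates the HAProxy config and the
# iptables / ip rule / ip route commands for a transparent TCP proxy in front
# of ZooKeeper's client port, plus a plain iptables source whitelist.
# All addresses, ports, paths and networks below are constructed assumptions.
set -eu

ZK_ADDR=10.0.0.5            # assumed host address; zoo.cfg: clientPortAddress=10.0.0.5
ZK_PORT=2182                # assumed; zoo.cfg: clientPort=2182 (HAProxy takes 2181)
CLIENT_PORT=2181            # port clients keep using
ALLOWED_NETS="10.0.0.0/8 192.168.1.0/24"   # constructed whitelist
BLACKLIST=/etc/haproxy/zk_blacklist.lst    # assumed path, one IP/CIDR per line

# HAProxy frontend/backend. "usesrc clientip" opens the connection to
# ZooKeeper with the client's own source address, so ZooKeeper's session
# logs still show the real client (Adam's reason for transparent mode).
# New connections are counted per source IP in a stick table; sources in
# the blacklist file or above 20 new connections per 10s are rejected at
# the TCP layer before any ZooKeeper session is created.
gen_haproxy_cfg() {
  cat <<EOF
frontend zk_clients
    mode tcp
    bind *:${CLIENT_PORT}
    stick-table type ip size 100k expire 60s store conn_rate(10s)
    tcp-request connection track-sc0 src
    tcp-request connection reject if { src -f ${BLACKLIST} }
    tcp-request connection reject if { src_conn_rate gt 20 }
    default_backend zk_local

backend zk_local
    mode tcp
    source 0.0.0.0 usesrc clientip
    server zk ${ZK_ADDR}:${ZK_PORT}
EOF
}

# Alex's option: an iptables source whitelist on the public client port.
# Usable on its own (with ZooKeeper still on 2181) or in front of HAProxy.
gen_whitelist() {
  cat <<EOF
iptables -N ZK_CLIENTS
iptables -A INPUT -p tcp --dport ${CLIENT_PORT} -j ZK_CLIENTS
EOF
  for net in $ALLOWED_NETS; do
    echo "iptables -A ZK_CLIENTS -s ${net} -j ACCEPT"
  done
  echo "iptables -A ZK_CLIENTS -j DROP"
}

# Return path for transparent proxying. ZooKeeper answers to the spoofed
# client address; without the fwmark rule those packets would leave via the
# default gateway and never reach HAProxy's socket. Marking them in the
# mangle OUTPUT chain makes the kernel re-route them through table 100,
# whose only route is "local", so they are delivered on lo to the HAProxy
# socket that owns that 4-tuple. The first rule keeps clients from
# bypassing HAProxy by connecting to ZooKeeper's real port directly.
gen_netfilter() {
  cat <<EOF
iptables -A INPUT -p tcp --dport ${ZK_PORT} ! -i lo -j DROP
iptables -t mangle -A OUTPUT -p tcp --sport ${ZK_PORT} -j MARK --set-mark 1
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
EOF
}

if [ "${1:-show}" = "apply" ]; then
  # As root: write the HAProxy fragment and apply the kernel-side rules.
  gen_haproxy_cfg > /etc/haproxy/zk.cfg
  { gen_whitelist; gen_netfilter; } | sh
else
  gen_haproxy_cfg
  echo
  gen_whitelist
  gen_netfilter
fi
```

Run it without arguments to review the generated configuration, and with `apply` as root on a test node first. The rules are not persistent; put them in your distribution's iptables-restore or networking hooks once verified. If all you need is allow/deny by source, `gen_whitelist` alone answers the original question without HAProxy; the transparent-proxy part earns its complexity only when you also want per-source connection rate limits or a blacklist you can edit without touching the firewall.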
