Purpose
Shorewall provides a NAT Masquerade rule that allows the compute nodes to access networks outside the cluster via the head node.
If you are okay with the compute nodes not having access to external networks or aren’t using the head node as the default gateway for the compute nodes, then you may follow these procedures to disable Shorewall on your head node.
Steps
1. First, run the following commands on your head node to prevent BCM from automatically restarting Shorewall:
# cmsh
% device use master
% services
% set shorewall autostart no
% set shorewall6 autostart no
% commit
NOTE: If the cluster’s head node has any network-mounted file systems (e.g., NFS) mounted, you will want to unmount those file systems from the head node before stopping the shorewall and shorewall6 services. Otherwise, you may be unable to log in to the head node’s console due to the operating system hanging on trying to access a network-mounted file system and you may be locked out of the head node when following the procedures below.
2. Next, stop and disable both Shorewall services using BCM. Please note that if you stop the services outside of BCM (e.g., via the systemctl utility), then BCM will restart those services during a future reboot of the head node:
# cmsh
% device use master
% services
% stop shorewall
% stop shorewall6
3. Afterward, flush the iptables rules and set the default policy on each chain to be ACCEPT:
# iptables -F INPUT && iptables -P INPUT ACCEPT
# iptables -F FORWARD && iptables -P FORWARD ACCEPT
# iptables -F OUTPUT && iptables -P OUTPUT ACCEPT
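The following script is an added example, not part of the original procedure or of BCM or Shorewall: it lists network-mounted file systems to unmount before step 2 and verifies after step 3 that INPUT, FORWARD and OUTPUT have policy ACCEPT and hold no rules. The file-system type list, the script name check.sh and the sample data are assumptions made for illustration, and only the filter-table chains flushed above are checked.

```shell
#!/bin/sh
# Added example (not BCM or Shorewall code): checks around the procedure above.

# List network-mounted file systems from mounts-format input on stdin
# (fields: device mountpoint fstype ...). The fstype list is an assumption;
# extend it for your site.
network_mounts() {
    awk '$3 ~ /^(nfs|nfs4|cifs|lustre|ceph|glusterfs|beegfs)$/ { print $2 " (" $3 ")" }'
}

# Read `iptables -S` output on stdin. Succeed only if INPUT, FORWARD and
# OUTPUT all have policy ACCEPT and none of them still holds a rule.
filter_table_open() {
    awk '
        $1 == "-P" && $3 == "ACCEPT" { accept[$2] = 1 }
        $1 == "-A" && $2 ~ /^(INPUT|FORWARD|OUTPUT)$/ { rules++ }
        END { exit !(accept["INPUT"] && accept["FORWARD"] && accept["OUTPUT"] && rules == 0) }
    '
}

# Constructed sample data, used when no live system is at hand.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw 0 0
nas01:/export/home /home nfs4 rw,relatime 0 0
tmpfs /run tmpfs rw 0 0'

SAMPLE_RULES_OPEN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

SAMPLE_RULES_CLOSED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT'

# Live use on the head node as root (check.sh is a hypothetical file name):
#   sh check.sh pre   -> lists network mounts to unmount before step 2
#   sh check.sh post  -> verifies the result of step 3
case "${1:-}" in
    pre)
        found=$(network_mounts < /proc/mounts)
        [ -z "$found" ] || { echo "Unmount before stopping Shorewall:"; echo "$found"; exit 1; } ;;
    post)
        iptables -S | filter_table_open && echo "filter table open" \
            || { echo "filter table still has rules or a non-ACCEPT policy"; exit 1; } ;;
esac
```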