Configure Globus Toolkit in a DMZ behind NAT

This page is not strictly related to Weka4WS, but it contains material you may find interesting if you are not familiar with Globus Toolkit and want to set up a Grid on which to run Weka4WS. This tutorial assumes that you have already installed CentOS 5.1 and Globus Toolkit on your machine.

Let's assume we have installed Globus Toolkit on a machine in a DMZ which has its own public IP but is NATted to the outside world from a private, internal network. We assume that the machine is known as pippo.pluto.org, which resolves as 160.100.100.111 to the outside world and as 192.168.100.111 inside the DMZ.

The GridFTP server tells its external clients to talk to the *internal* (unreachable) IP address 192.168.100.111, rather than to the *external* (reachable) IP address 160.100.100.111 (which is NATted to 192.168.100.111). As a result, a globus-url-copy from the outside world to pippo.pluto.org hangs. Configuring the server with the -hostname argument allows external clients to use the GridFTP server successfully, but any connection coming from inside the DMZ will then hang. To make connections from both inside and outside the DMZ work properly, we need to add an IP alias to the network interface. Let's see how to do it in detail:

  • Configure Postgres:
    vim /var/lib/pgsql/data/pg_hba.conf

    set the public external IP for the entry of the user “globus”, and database “rftDatabase”:

    host rftDatabase "globus" "160.100.100.111" 255.255.255.255 md5

    save and exit, then run:

    service postgresql restart
  • edit the GridFTP configuration:
    vim /etc/xinetd.d/gridftp

    edit the server_args line as follows:

    server_args = -i -hostname pippo.pluto.org

    save and exit, then run:

    service xinetd restart
  • set an IP alias to the network interface:
    cd /etc/sysconfig/network-scripts/
    cp ifcfg-eth0 ifcfg-eth0:1

    then edit both files: set the *external* IP in ifcfg-eth0 and the *internal* IP in ifcfg-eth0:1. More precisely, modify the BROADCAST, IPADDR and NETWORK parameters in both files and set DEVICE=eth0:1 in the ifcfg-eth0:1 file;

  • you also need to edit your firewall settings in order to take into account both the internal and external IP address;
  • on some systems you also need to perform the following operations in order to be able to access the Internet from that machine:
    vim /etc/sysconfig/network

    add the following line at the end of the file:

    GATEWAY=192.168.0.254

    where 192.168.0.254 is the IP address of your gateway.
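
A consistency check for the files edited in the steps above, as an added example that is not part of the original tutorial. The helper names `cfg_value` and `check_dmz_config` are hypothetical, and the file paths are passed as arguments so the check can also be run on copies of the files.

```shell
#!/bin/sh
# Added example: cfg_value and check_dmz_config are hypothetical helper names.

# Print the value of KEY from a KEY=value file (last assignment wins, quotes stripped).
cfg_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# check_dmz_config NETDIR XINETD_FILE PG_HBA FQDN EXT_IP INT_IP
# Prints one line per problem and returns the number of problems found.
check_dmz_config() {
    netdir=$1 xinetd=$2 pghba=$3 fqdn=$4 ext_ip=$5 int_ip=$6
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    [ "$(cfg_value IPADDR "$netdir/ifcfg-eth0")" = "$ext_ip" ] ||
        fail "ifcfg-eth0: IPADDR is not the external address $ext_ip"
    [ "$(cfg_value IPADDR "$netdir/ifcfg-eth0:1")" = "$int_ip" ] ||
        fail "ifcfg-eth0:1: IPADDR is not the internal address $int_ip"
    # A plain cp leaves DEVICE=eth0 in the alias file; it must name the alias.
    [ "$(cfg_value DEVICE "$netdir/ifcfg-eth0:1")" = "eth0:1" ] ||
        fail "ifcfg-eth0:1: DEVICE must be eth0:1"

    # server_args must carry "-hostname FQDN" so clients are sent to the public name.
    args=$(sed -n 's/^[[:space:]]*server_args[[:space:]]*=[[:space:]]*//p' \
        "$xinetd" 2>/dev/null) || args=""
    case " $args " in
        *" -hostname $fqdn "*) ;;
        *) fail "gridftp: server_args lacks -hostname $fqdn" ;;
    esac

    # pg_hba.conf: host / rftDatabase / globus / external IP (quotes optional).
    awk -v ip="$ext_ip" '{ gsub(/"/, "") }
        $1 == "host" && $2 == "rftDatabase" && $3 == "globus" && $4 == ip { ok = 1 }
        END { exit !ok }' "$pghba" 2>/dev/null ||
        fail "pg_hba.conf: no rftDatabase/globus entry for $ext_ip"

    return "$problems"
}

# Example call with the tutorial's paths and addresses:
# check_dmz_config /etc/sysconfig/network-scripts /etc/xinetd.d/gridftp \
#     /var/lib/pgsql/data/pg_hba.conf pippo.pluto.org 160.100.100.111 192.168.100.111
```

A return value of 0 means all four settings agree with each other; each `FAIL:` line names the file that still needs editing.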

On this page you may find another workaround which has been used to solve this problem. Error reports and suggestions are more than welcome. Please leave a comment if you have faced and solved a problem which is not mentioned here, or even just to say whether this tutorial has been of any help to you.
