In iSCSI, clients are called initiators. To allow only specific initiators to access a target, we have to put all allowed initiators in a white list. Instead of using the keyword ALL, we maintain white lists to manage connections and prevent security incidents.
The white list does not take IP addresses or hostnames. It takes a special piece of information that identifies each client: the iSCSI Qualified Name (IQN). The question is, how do we find each client's IQN?
In this post, we will use FreeNAS as our iSCSI service provider to show you how to put allowable initiators (Linux clients) in the white list.
How to Check the iSCSI Initiator Name
Before checking the IQNs, please make sure that the iSCSI initiator utility is installed on every iSCSI client machine. No matter what platform you're using, a healthy iSCSI initiator always has an IQN.
In our case, there are two initiator groups: one for targets that serve the primary site, the other for targets that serve the standby site.
Two Primary Servers
[root@primary01 ~]# cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1988-12.com.oracle:3060f4cb42ac
[root@primary02 ~]# cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1988-12.com.oracle:8ce8c98a33a5
As we can see, the IQN is system-generated. Even better, you can change it, as long as you keep it unique in your environment.
Two Standby Servers
[root@standby01 ~]# cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1988-12.com.oracle:52cccd74c7c
[root@standby02 ~]# cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1988-12.com.oracle:47ecf37bc7ec
Set IQN in Initiator Groups
Before putting them in the white list, two groups in FreeNAS look like this:
Instead of the keyword ALL, we put the allowed IQNs in the first field. Spaces and line breaks are both accepted as delimiters between clients.
After all initiator groups are configured, we can review the result.
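One way to prepare the value for that first field, as an added example that is not part of the original post: the script reads collected copies of each client's /etc/iscsi/initiatorname.iscsi, rejects a missing, malformed or duplicate IQN, and prints the space-delimited list for one group. The function names and the temporary file names are assumptions made for illustration; the demo files are constructed from the two primary servers' IQNs shown above.

```shell
#!/bin/sh
# Added example (not from the original post): build the space-delimited
# Initiators value for one FreeNAS group from collected initiatorname.iscsi files.

# Print the IQN set in one initiatorname.iscsi file; fail if there is none.
read_iqn() {
    iqn=$(sed -n 's/^[[:space:]]*InitiatorName=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | tail -n 1)
    [ -n "$iqn" ] || return 1
    printf '%s\n' "$iqn"
}

# Succeed only for the form iqn.YYYY-MM.reversed.domain[:unique-part].
valid_iqn() {
    printf '%s\n' "$1" | grep -Eq \
        '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:[^[:space:],]+)?$'
}

# Print one group's list; refuse a missing, malformed or duplicate IQN.
build_group() {
    list=""
    for f in "$@"; do
        iqn=$(read_iqn "$f") || { echo "no InitiatorName in $f" >&2; return 1; }
        valid_iqn "$iqn" || { echo "malformed IQN in $f: $iqn" >&2; return 1; }
        case " $list " in
            *" $iqn "*) echo "duplicate IQN in $f: $iqn" >&2; return 1 ;;
        esac
        list="${list:+$list }$iqn"
    done
    printf '%s\n' "$list"
}

# Demo with constructed copies of the two primary servers' files shown above.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'InitiatorName=iqn.1988-12.com.oracle:3060f4cb42ac\n' > "$dir/primary01"
    printf 'InitiatorName=iqn.1988-12.com.oracle:8ce8c98a33a5\n' > "$dir/primary02"
    build_group "$dir/primary01" "$dir/primary02"
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo
```

A duplicate IQN across two hosts usually means a cloned machine image, which is why the script stops rather than silently merging the entries.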
Discover iSCSI Targets
Let the initiators discover all available targets from the NAS.
[root@primary01 ~]# iscsiadm -m discovery -t sendtargets -p nas
192.168.10.101:3260,257 iqn.2005-10.org.freenas.ctl:primary-target
[root@primary02 ~]# iscsiadm -m discovery -t sendtargets -p nas
192.168.10.101:3260,257 iqn.2005-10.org.freenas.ctl:primary-target
[root@standby01 ~]# iscsiadm -m discovery -t sendtargets -p nas
192.168.10.101:3260,257 iqn.2005-10.org.freenas.ctl:standby-target
[root@standby02 ~]# iscsiadm -m discovery -t sendtargets -p nas
192.168.10.101:3260,257 iqn.2005-10.org.freenas.ctl:standby-target
As we can see, each initiator can only see the target it is allowed to access.