How to Limit Access by iSCSI Initiator Name

In iSCSI, clients are called initiators. To allow only specific initiators to access a target, we have to put every allowed initiator in a white list. Instead of using the keyword ALL, we maintain white lists to manage connections and prevent security incidents.

The white list does not take IP addresses or hostnames. It takes a special piece of information that identifies each client: the iSCSI Qualified Name (IQN). The question is, how do we find each client's IQN?

In this post, we will use FreeNAS as our iSCSI service provider to show you how to put allowable initiators (Linux clients) in the white list.

How to Check the iSCSI Initiator Name

Before checking the IQN, make sure that the iSCSI initiator utility is installed on each iSCSI client. No matter what platform you're using, a healthy iSCSI initiator always has an IQN.

In our case, there are two initiator groups: one for targets that serve the primary site, the other for targets that serve the standby site.

Two Primary Servers

[root@primary01 ~]# cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1988-12.com.oracle:3060f4cb42ac
[root@primary02 ~]# cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1988-12.com.oracle:8ce8c98a33a5

As we can see, the IQN is system-generated. You can also change it, as long as you keep it unique in your environment.

Two Standby Servers

[root@standby01 ~]# cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1988-12.com.oracle:52cccd74c7c
[root@standby02 ~]# cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1988-12.com.oracle:47ecf37bc7ec

Set IQN in Initiator Groups

Before putting them in the white list, two groups in FreeNAS look like this:

FreeNAS - iSCSI Initiator Group - ALL

Instead of the keyword ALL, we put the allowed IQNs in the first field. Spaces and line breaks are accepted as delimiters between clients.

FreeNAS - iSCSI Initiator Group - Set Specific Clients
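
The script below is an added example, not part of the original post: it turns the InitiatorName lines collected from the clients into the space-delimited list for the first field, and rejects malformed or duplicate IQNs first. The function names valid_iqn, build_allowlist and primary_group are assumptions made for this example, and the pattern checks the usual iqn.YYYY-MM.reversed-domain[:id] naming format.

```shell
#!/bin/sh
# Added example: build an initiator allow-list from initiatorname.iscsi lines.

# Return 0 if $1 looks like an IQN: iqn.YYYY-MM.reversed.domain[:unique-id]
valid_iqn() {
    printf '%s\n' "$1" | grep -Eq \
      '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:[^[:space:]]+)?$'
}

# Read "InitiatorName=<iqn>" lines on stdin and print the IQNs space-delimited.
# Returns 1 and prints no list if any name is malformed or appears twice.
build_allowlist() {
    list="" rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            InitiatorName=*) iqn=${line#InitiatorName=} ;;
            *) continue ;;                      # skip comments, blanks, other keys
        esac
        iqn=$(printf '%s' "$iqn" | tr -d '\r')  # tolerate CRLF from copy and paste
        if ! valid_iqn "$iqn"; then
            echo "malformed IQN: $iqn" >&2; rc=1; continue
        fi
        case " $list " in
            *" $iqn "*) echo "duplicate IQN: $iqn" >&2; rc=1; continue ;;
        esac
        list="${list:+$list }$iqn"
    done
    [ "$rc" -eq 0 ] && printf '%s\n' "$list"
    return "$rc"
}

# Constructed input: the two primary servers' files as shown on this page.
primary_group() {
    build_allowlist <<'EOF'
InitiatorName=iqn.1988-12.com.oracle:3060f4cb42ac
InitiatorName=iqn.1988-12.com.oracle:8ce8c98a33a5
EOF
}

primary_group
```

The IQN is a name each client sets in its own /etc/iscsi/initiatorname.iscsi, so the list controls which names the target accepts rather than proving which machine is presenting the name.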

After all initiator groups are configured, we can review the result.

FreeNAS - iSCSI Initiator Group - All

FreeNAS - iSCSI Initiator Group - Specific Clients

Discover iSCSI Targets

Let the initiators discover all available targets on the NAS.

[root@primary01 ~]# iscsiadm -m discovery -t sendtargets -p nas
192.168.10.101:3260,257 iqn.2005-10.org.freenas.ctl:primary-target
[root@primary02 ~]# iscsiadm -m discovery -t sendtargets -p nas
192.168.10.101:3260,257 iqn.2005-10.org.freenas.ctl:primary-target
[root@standby01 ~]# iscsiadm -m discovery -t sendtargets -p nas
192.168.10.101:3260,257 iqn.2005-10.org.freenas.ctl:standby-target
[root@standby02 ~]# iscsiadm -m discovery -t sendtargets -p nas
192.168.10.101:3260,257 iqn.2005-10.org.freenas.ctl:standby-target

As we can see, each initiator sees only the target it is allowed to access.