IP Filter Chains for Security
An IP filter is a chain of rules that determines how packets are treated. The chains are INPUT, OUTPUT, and FORWARD. Each rule specifies the packets it matches and the target (ACCEPT or DROP) applied to them; rules are tested in order, and the first rule that matches decides. Each chain also has a policy (default target) of either ACCEPT or DROP, which is applied to a packet that reaches the end of the chain without matching any rule.
The following configuration examples use the ip filter chain and ipv6 filter chain commands. For details on these commands, refer to ip and ipv6 in the reference section.
For examples of using IP filter chains, refer to the following:
• Close Open Ports
• Management Port Security
• NTP Server Security
• Allowing IGMP Traffic
Note: The IP filtering capabilities of these CLI commands are provided by iptables and ip6tables in the Linux kernel.
Close Open Ports
With the exception of the ports used for Web and SSH access, ports are normally closed. The following configuration example closes ports that may be open. The rule matches only the protocol, destination port, and inbound interface you specify, so add one rule for each port you want closed; the INPUT policy is left unchanged in this example, so packets that match no DROP rule are still accepted.
To close open ports, execute the following commands:
Step 1. Configure a rule for the chain and specify the destination port number. Append tail adds the new rule after all existing rules. Dup-delete specifies that, after the rule is added, all other existing rules that duplicate it are deleted.
(config) # ip filter chain INPUT rule append tail target DROP dup-delete dest-port 256 in-intf eth0 protocol udp
Step 2. Enable IP filtering.
(config) # ip filter enable
Step 3. Display the IP filter configuration.
(config) # show ip filter
Management Port Security
Management port security restricts the packets exchanged through the management port: an access control list of permitted source addresses limits user (SSH and Web) and SNMP access to the node.
Note: Exercise caution when using the following configuration example so as not to interfere with communications through the backplane or within a cluster.
Getting Started
It is recommended that you connect to the console as follows:
(config) # serial baudrate 115200
(config) # serial enable
During configuration, you may not be able to access the node through SSH.
If, for any reason, you are locked out of the node, execute the following commands from the console session to restore the ACCEPT policy and disable filtering:
(config) # ip filter chain INPUT policy ACCEPT
(config) # no ip filter enable
Configure Management Port Security
In this sample configuration, five hosts need access to the node, so five source IP addresses are permitted. The INPUT chain is given a DROP policy, which means that any incoming packet is silently discarded unless its source address matches one of the ACCEPT rules in the chain (any packet that matches no rule in the INPUT chain is dropped).
Note: Once you execute the ip filter enable command, only the configured IP addresses will have access.
To implement management port security, execute the following commands:
Step 1. Configure a rule for the chain for each of the five source IP addresses, repeating the command once per address (the first address is shown). Append tail adds the new rule after all existing rules.
(config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.50.22.130 255.255.255.255
Step 2. Configure a policy for the chain. DROP means that any packet not matching a rule in the INPUT chain is dropped.
(config) # ip filter chain INPUT policy DROP
Step 3. Enable IP filtering.
(config) # ip filter enable
Step 4. Display the IP filter configuration.
(config) # show ip filter
Displaying Management Port Security
Use the following command to display the IP filter chain:
(config) # show ip filter
Packet filtering for IPv4: enabled
Apply filters to bridges: no
Active IPv4 filtering rules (omitting any not from configuration):
Chain 'INPUT'
# Target Proto Source Destination Other
1 ACCEPT icmp all all
2 ACCEPT all all all inb lo
3 ACCEPT all 10.50.22.130/32 all
4 ACCEPT all 10.50.22.131/32 all
Policy: DROP
Chain 'OUTPUT'
No rules.
Policy: ACCEPT
Chain 'FORWARD'
No rules.
Policy: DROP
This sample configuration does not affect outgoing packets (such as SNMP traps), because the OUTPUT chain keeps its ACCEPT policy. Nothing in the INPUT chain shown matches replies to traffic the node itself initiates, however, so the response from an NTP server, for example, is dropped unless the server's address is added to the chain as a permitted source address. Refer to NTP Server Security for that configuration example.
NTP Server Security
NTP server security permits the node to receive replies from an NTP server while the INPUT chain has a DROP policy.
Note: Exercise caution when using the following configuration example so as not to interfere with communications through the backplane or within a cluster.
Configure NTP Server Security
This sample configuration is for an out-of-band cluster environment. It permits replies from the NTP server, then configures the management IP addresses of the permitted cluster nodes and of the workstation hosts that are permitted to access the nodes.
To implement NTP server security, execute the following commands:
Step 1. Permit an NTP server by specifying the NTP source port number (UDP 123) and the IP address range of an Internet time server.
(config) # ip filter chain INPUT rule append tail target ACCEPT protocol udp source-port 123 source-addr 129.6.15.0 /24
Step 2. Permit multicast Domain Name System (mDNS) for the out-of-band cluster.
(config) # ip filter chain INPUT rule append tail target ACCEPT dest-addr 224.0.0.251 /32
Step 3. Permit GigaSMART card communication for the out-of-band cluster.
(config) # ip filter chain INPUT rule append tail target ACCEPT dest-addr 12.19.148.0 /24
Step 4. Configure the IP addresses of the permitted hosts (cluster nodes), repeating the command once per node.
(config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.115.25.79 /32
Step 5. Configure the IP addresses of the permitted workstation hosts, repeating the command once per workstation.
(config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.40.21.140 /32
Step 6. Configure a policy for the chain. DROP means that any packet not matching a rule in the INPUT chain is dropped.
(config) # ip filter chain INPUT policy DROP
Step 7. Enable IP filtering.
(config) # ip filter enable
Step 8. Display the IP filter configuration.
(config) # show ip filter
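Because the chain policy becomes DROP the moment ip filter enable runs, it is worth checking offline that the rule set still admits every flow you depend on, your own SSH session first of all. The following Python simulator is an added example and is not Gigamon code: it models the INPUT chain with the iptables semantics the page describes (first matching rule decides, policy otherwise), accepts the address forms used in the Close Open Ports, Management Port Security and NTP Server Security steps, and implements append tail with dup-delete. The rules are taken from the steps above; the node address 10.115.25.80, the unlisted hosts 10.40.21.141, 192.0.2.10 and 198.51.100.5, and the source port numbers of the sample flows are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Inbound packet as the INPUT chain sees it (constructed test data)."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    in_intf: str = "eth0"


def _network(spec: str):
    """Accept the address forms this page uses: '10.50.22.130 255.255.255.255',
    '129.6.15.0 /24', '129.6.15.0/24' or a bare address (treated as /32)."""
    parts = spec.split()
    if len(parts) == 2:
        spec = parts[0] + "/" + parts[1].lstrip("/")
    return ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    """Match keywords of 'ip filter chain INPUT rule append tail ...'; None matches anything."""
    target: str                  # "ACCEPT" or "DROP"
    protocol: Optional[str] = None
    source_addr: Optional[str] = None
    dest_addr: Optional[str] = None
    source_port: Optional[int] = None
    dest_port: Optional[int] = None
    in_intf: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.protocol is None or self.protocol == p.proto)
                and (self.source_addr is None or ip_address(p.src) in _network(self.source_addr))
                and (self.dest_addr is None or ip_address(p.dst) in _network(self.dest_addr))
                and (self.source_port is None or self.source_port == p.sport)
                and (self.dest_port is None or self.dest_port == p.dport)
                and (self.in_intf is None or self.in_intf == p.in_intf))


class Chain:
    """iptables semantics: the first matching rule decides; the policy applies at the end."""

    def __init__(self, policy: str = "ACCEPT"):
        self.rules: List[Rule] = []
        self.policy = policy

    def append_tail(self, rule: Rule, dup_delete: bool = False) -> None:
        # 'append tail' adds after all existing rules; 'dup-delete' then removes
        # every other rule identical to the one just added.
        if dup_delete:
            self.rules = [r for r in self.rules if r != rule]
        self.rules.append(rule)

    def verdict(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.target
        return self.policy


def ntp_security_chain() -> Chain:
    """The INPUT chain built by the NTP Server Security steps on this page."""
    c = Chain()
    c.append_tail(Rule("ACCEPT", protocol="udp", source_port=123, source_addr="129.6.15.0 /24"))
    c.append_tail(Rule("ACCEPT", dest_addr="224.0.0.251 /32"))
    c.append_tail(Rule("ACCEPT", dest_addr="12.19.148.0 /24"))
    c.append_tail(Rule("ACCEPT", source_addr="10.115.25.79 /32"))
    c.append_tail(Rule("ACCEPT", source_addr="10.40.21.140 /32"))
    c.policy = "DROP"            # ip filter chain INPUT policy DROP
    return c


def close_ports_chain() -> Chain:
    """The Close Open Ports rule, appended twice to show that dup-delete keeps one copy."""
    c = Chain(policy="ACCEPT")
    rule = Rule("DROP", protocol="udp", dest_port=256, in_intf="eth0")
    c.append_tail(rule, dup_delete=True)
    c.append_tail(rule, dup_delete=True)
    return c


def blocked_flows(chain: Chain, required: List[Packet]) -> List[Packet]:
    """Pre-flight check before 'ip filter enable': needed flows this chain would drop."""
    return [p for p in required if chain.verdict(p) != "ACCEPT"]


if __name__ == "__main__":
    node = "10.115.25.80"        # assumed management address of this node
    needed = [Packet("10.40.21.140", node, "tcp", 51022, 22),   # listed workstation, SSH
              Packet("10.40.21.141", node, "tcp", 51023, 22),   # unlisted workstation, SSH
              Packet("192.0.2.10", node, "udp", 123, 123)]      # reply from an unlisted NTP server
    for p in blocked_flows(ntp_security_chain(), needed):
        print(f"would be dropped once filtering is enabled: {p.src} -> {p.proto}/{p.dport}")
```

Run it before enabling the filter: any flow it reports as dropped is one you would lose the moment the DROP policy takes effect, and an unlisted NTP server shows up exactly as the caveat under Displaying Management Port Security describes. The simulator matches only the fields the page's commands use; it does not model connection tracking, which is consistent with the chains shown.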
Allowing IGMP Traffic
IP filter chains can also be used to allow IGMP protocol traffic in a clustering environment. Refer to the “Best Practices for OOB Clusters with IGMP Snooping” section in the GigaVUE-FM User’s Guide for details.