IP Filter Chains for Security

An IP filter is a chain of rules for the treatment of packets. Chains can be INPUT, OUTPUT, or FORWARD. Chains have a policy (or default target) of either ACCEPT or DROP. The policy is applied to a packet if it reaches the end of the chain. Each rule in the chain specifies the packets that match.

The following configuration examples use the ip filter chain and ipv6 filter chain commands. For details on these commands, refer to ip and ipv6 in the reference section.

For examples of using IP filter chains, refer to the following:

■   Close Open Ports
■   Management Port Security
■   NTP Server Security
■   Allowing IGMP Traffic

Note:  The IP filtering capabilities of these CLI commands are provided by iptables and ip6tables in the Linux kernel.

Close Open Ports

With the exception of ports used for Web and SSH, ports are normally closed. The following configuration example closes ports that may be open.

To close open ports, execute the following commands:

Step 1. Configure a rule for the chain and specify the destination port numbers.
    Append tail adds a new rule after all existing rules.
    Dup-delete specifies that, after a rule is added, all other existing rules that duplicate it are deleted.

    (config) # ip filter chain INPUT rule append tail target DROP dup-delete dest-port 256 in-intf eth0 protocol udp
    (config) # ip filter chain INPUT rule append tail target DROP dup-delete dest-port 512 in-intf eth0 protocol udp
    (config) # ip filter chain INPUT rule append tail target DROP dup-delete dest-port 111 in-intf eth0 protocol udp

Step 2. Enable IP filtering.

    (config) # ip filter enable

Step 3. Display the IP filter configuration.

    (config) # show ip filter

Management Port Security

Management port security lets you restrict the exchange of packets through the management port by creating an access control list to restrict user and SNMP access.

Note:  Exercise caution when using the following configuration example so as not to interfere with communications through the backplane or within a cluster.

Getting Started

It is recommended that you connect to the console as follows:

(config) # serial baudrate 115200

(config) # serial enable

During configuration, you may not be able to access the node through SSH.

If, for any reason, you are locked out of the node, execute the following commands from the console:

(config) # ip filter chain INPUT policy ACCEPT

(config) # no ip filter enable

Configure Management Port Security

In this sample configuration, five hosts access the node, so five source IP addresses must be permitted. The sample configures an INPUT chain with a DROP policy: an incoming packet is accepted only if its source address matches one of the ACCEPT rules in the INPUT chain, and any packet that matches no rule is dropped when it reaches the end of the chain.

Note:  Once you execute the ip filter enable command, only the configured IP addresses will have access.

To implement management port security, execute the following commands:

Step 1. Configure a rule for the chain and specify the first to the fifth source IP addresses. (Append tail adds a new rule after all existing rules.)

    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.50.22.130 255.255.255.255
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.50.22.131 255.255.255.255
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.50.22.132 255.255.255.255
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.50.22.133 255.255.255.255
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.50.22.134 255.255.255.255

Step 2. Configure a policy for the chain. DROP means that any packet not matching a rule in the INPUT chain is dropped.

    (config) # ip filter chain INPUT policy DROP

Step 3. Permit GigaSMART card communication for the out-of-band cluster.

    (config) # ip filter chain INPUT rule append tail target ACCEPT dest-addr 10.50.22.130 255.255.255.255
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.50.22.130 255.255.255.255

Step 4. Configure the IP addresses of the permitted hosts (cluster nodes).

    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.50.22.130 255.255.255.255
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.50.22.130 255.255.255.255
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.50.22.130 255.255.255.255
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.50.22.130 255.255.255.255
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.50.22.130 255.255.255.255
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.50.22.130 255.255.255.255

Step 5. Configure a policy for the chain. DROP means that any packet not matching a rule in the INPUT chain is dropped.

    (config) # ip filter chain INPUT policy DROP

Step 6. Enable IP filtering.

    (config) # ip filter enable

Step 7. Display the IP filter configuration.

    (config) # show ip filter

Displaying Management Port Security

Use the following command to display the IP filter chain:

(config) # show ip filter

Packet filtering for IPv4: enabled
Apply filters to bridges: no
Active IPv4 filtering rules (omitting any not from configuration):
Chain 'INPUT'
  #  Target  Proto   Source               Destination         Other
  1  ACCEPT  icmp    all                  all
  2  ACCEPT  all     all                  all                 inb lo
  3  ACCEPT  all     10.50.22.130/32      all
  4  ACCEPT  all     10.50.22.131/32      all
Policy: DROP
Chain 'OUTPUT'
 No rules.
Policy: ACCEPT
Chain 'FORWARD'
 No rules.
Policy: DROP
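The output above is what an administrator reads by hand; when many nodes must be checked, parsing it is more reliable. The following is an added example, not Gigamon code: it parses the show ip filter output shown above (quoted verbatim as the first sample) into a structure, lists the source prefixes the INPUT chain permits, and reports the two conditions that the Getting Started note warns can lock you out of the node: an INPUT policy of DROP with no ACCEPT rule naming a source address, or without an ACCEPT rule for the loopback interface (the row marked inb lo). The second sample output is constructed to show such a locked-out state; the field names in the returned dictionary are this example's own.

```python
# Added example (not Gigamon code): parse 'show ip filter' output and run
# lockout checks against the parsed INPUT chain.

# Verbatim copy of the output shown on this page.
SHOW_IP_FILTER = """\
Packet filtering for IPv4: enabled
Apply filters to bridges: no
Active IPv4 filtering rules (omitting any not from configuration):
Chain 'INPUT'
  #  Target  Proto   Source               Destination         Other
  1  ACCEPT  icmp    all                  all
  2  ACCEPT  all     all                  all                 inb lo
  3  ACCEPT  all     10.50.22.130/32      all
  4  ACCEPT  all     10.50.22.131/32      all
Policy: DROP
Chain 'OUTPUT'
 No rules.
Policy: ACCEPT
Chain 'FORWARD'
 No rules.
Policy: DROP
"""

# Constructed output for a node whose INPUT policy was set to DROP before any
# ACCEPT rule was added (the lockout case the Getting Started note warns about).
LOCKED_OUT = """\
Packet filtering for IPv4: enabled
Chain 'INPUT'
 No rules.
Policy: DROP
"""


def parse_show_ip_filter(text: str) -> dict:
    """Return {'enabled': bool, 'chains': {name: {'policy': str, 'rules': [...]}}}."""
    parsed = {"enabled": None, "chains": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Packet filtering for IPv4:"):
            parsed["enabled"] = line.split(":", 1)[1].strip() == "enabled"
        elif line.startswith("Chain '") and line.endswith("'"):
            current = {"policy": None, "rules": []}
            parsed["chains"][line[len("Chain '"):-1]] = current
        elif line.startswith("Policy:") and current is not None:
            current["policy"] = line.split(":", 1)[1].strip()
        elif current is not None and line[0].isdigit():
            # Rule row: "#  Target  Proto  Source  Destination  [Other...]".
            # The header row starts with '#' and 'No rules.' with 'N', so
            # neither reaches this branch.
            parts = line.split()
            current["rules"].append({
                "index": int(parts[0]), "target": parts[1], "proto": parts[2],
                "source": parts[3], "destination": parts[4],
                "other": " ".join(parts[5:]),
            })
    return parsed


def permitted_sources(parsed: dict, chain: str = "INPUT") -> list:
    """Source prefixes that an ACCEPT rule in the chain explicitly permits."""
    rules = parsed["chains"].get(chain, {"rules": []})["rules"]
    return [r["source"] for r in rules if r["target"] == "ACCEPT" and r["source"] != "all"]


def lockout_findings(parsed: dict) -> list:
    """Findings for an INPUT chain whose DROP policy can cut off management access."""
    findings = []
    inp = parsed["chains"].get("INPUT")
    if inp is None or inp["policy"] != "DROP":
        return findings
    if not permitted_sources(parsed):
        findings.append("INPUT policy is DROP but no ACCEPT rule names a source address")
    if not any(r["target"] == "ACCEPT" and r["other"] == "inb lo" for r in inp["rules"]):
        findings.append("INPUT policy is DROP without an ACCEPT rule for loopback (inb lo)")
    return findings


if __name__ == "__main__":
    for label, text in (("page sample", SHOW_IP_FILTER), ("constructed lockout", LOCKED_OUT)):
        parsed = parse_show_ip_filter(text)
        print(label, "| enabled:", parsed["enabled"],
              "| INPUT policy:", parsed["chains"]["INPUT"]["policy"],
              "| permitted:", permitted_sources(parsed),
              "| findings:", lockout_findings(parsed))
```

Run against the page's output the checker reports no findings; run against the constructed output it reports both. The parser keys only on the row shapes visible above (the Chain, Policy and numbered rule rows), so any additional columns a different software version prints would land in the "other" field rather than break the parse.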

This sample configuration does not affect any output packets (such as those generated by a trap). However, any packets coming from an NTP server, for example, will be blocked unless the IP address is added to the chain (as a source address). Refer to NTP Server Security for another configuration example.
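To make the chain semantics concrete, the following is an added example, not Gigamon code: a small Python model of first-match evaluation with a chain policy, built from the rules given in Close Open Ports and in Management Port Security above. Rules are checked in order, the first matching rule's target decides, and the chain policy applies when no rule matches; dup-delete is modelled as removing every other rule identical to the one just appended. The packet field names, the 192.0.2.7 and 10.50.22.200 sources, the 10.50.22.1 destination and the 129.6.15.28 NTP host (a sample host inside the 129.6.15.0/24 range used in NTP Server Security below) are all constructed for this example. The ntp_lockout_demo function reproduces the caveat in the paragraph above: an NTP reply is dropped by the management chain until the server's network is accepted.

```python
# Added example (not Gigamon code): model of IP filter chain evaluation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One chain rule; unset fields match any packet (as with iptables)."""
    target: str                          # ACCEPT or DROP
    protocol: Optional[str] = None       # "udp", "tcp", "icmp" or None for all
    source_addr: Optional[str] = None    # CIDR, e.g. "10.50.22.130/32"
    dest_addr: Optional[str] = None
    source_port: Optional[int] = None
    dest_port: Optional[int] = None
    in_intf: Optional[str] = None        # e.g. "eth0"

    def matches(self, pkt: dict) -> bool:
        for want, got in ((self.protocol, pkt["protocol"]),
                          (self.source_port, pkt["sport"]),
                          (self.dest_port, pkt["dport"]),
                          (self.in_intf, pkt["intf"])):
            if want is not None and want != got:
                return False
        if self.source_addr and ip_address(pkt["src"]) not in ip_network(self.source_addr, strict=False):
            return False
        if self.dest_addr and ip_address(pkt["dst"]) not in ip_network(self.dest_addr, strict=False):
            return False
        return True


class Chain:
    """A named chain: ordered rules plus the policy used when nothing matches."""

    def __init__(self, name: str, policy: str = "ACCEPT"):
        self.name = name
        self.policy = policy
        self.rules: List[Rule] = []

    def append_tail(self, rule: Rule, dup_delete: bool = False) -> None:
        # "append tail" adds after all existing rules; "dup-delete" then
        # removes every other rule that duplicates the one just added.
        if dup_delete:
            self.rules = [r for r in self.rules if r != rule]
        self.rules.append(rule)

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """First matching rule decides; the policy applies at the end of the chain."""
        for index, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.target, index
        return self.policy, None


def packet(src: str, dst: str = "10.50.22.1", protocol: str = "tcp",
           sport: int = 40000, dport: int = 22, intf: str = "eth0") -> dict:
    # Constructed packet; 10.50.22.1 stands in for the node's own management address.
    return {"src": src, "dst": dst, "protocol": protocol,
            "sport": sport, "dport": dport, "intf": intf}


def close_open_ports_chain() -> Chain:
    """The 'Close Open Ports' chain: policy ACCEPT, UDP 256/512/111 on eth0 dropped."""
    chain = Chain("INPUT", policy="ACCEPT")
    for port in (256, 512, 111):
        chain.append_tail(Rule("DROP", protocol="udp", dest_port=port, in_intf="eth0"),
                          dup_delete=True)
    return chain


def management_chain() -> Chain:
    """The 'Management Port Security' chain: five permitted sources, policy DROP."""
    chain = Chain("INPUT", policy="DROP")
    for host in range(130, 135):                      # 10.50.22.130 .. 10.50.22.134
        chain.append_tail(Rule("ACCEPT", source_addr=f"10.50.22.{host}/32"))
    return chain


def ntp_lockout_demo() -> Tuple[str, str]:
    """An NTP reply is dropped by the management chain until the server's
    network is accepted, as the NTP Server Security section does."""
    chain = management_chain()
    # Constructed sample host inside the 129.6.15.0/24 range of the NTP section.
    ntp_reply = packet("129.6.15.28", protocol="udp", sport=123, dport=123)
    before, _ = chain.evaluate(ntp_reply)
    chain.append_tail(Rule("ACCEPT", protocol="udp", source_port=123,
                           source_addr="129.6.15.0/24"))
    after, _ = chain.evaluate(ntp_reply)
    return before, after


if __name__ == "__main__":
    for name, chain, samples in (
        ("close-open-ports", close_open_ports_chain(),
         [packet("192.0.2.7", protocol="udp", dport=111),
          packet("192.0.2.7", protocol="udp", dport=53)]),
        ("management", management_chain(),
         [packet("10.50.22.132"), packet("10.50.22.200")]),
    ):
        for pkt in samples:
            print(name, pkt["src"], pkt["protocol"], pkt["dport"], "->", chain.evaluate(pkt))
    print("NTP reply before/after adding the NTP rule:", ntp_lockout_demo())
```

The evaluate method returns the deciding rule's position alongside the target, which is the same information an administrator reads from the numbered rows of show ip filter; a policy decision is reported with no rule number. Note that the close-open-ports rules are bound to in-intf eth0, so the same UDP ports arriving on another interface are not covered by them, which the test below checks.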

NTP Server Security

NTP server security permits packets from a specified NTP server through an INPUT chain whose policy is DROP, so that time synchronization keeps working once IP filtering is enabled.

Note:  Exercise caution when using the following configuration example so as not to interfere with communications through the backplane or within a cluster.

Configure NTP Server Security

This sample configuration is for an out-of-band cluster environment. You configure the management IP addresses of the permitted hosts or cluster nodes and the workstation hosts that are permitted to access the nodes.

To implement NTP server security, execute the following commands:

Step 1. Permit an NTP server by specifying the NTP port number and the IP address range of an Internet time server.

    (config) # ip filter chain INPUT rule append tail target ACCEPT protocol udp source-port 123 source-addr 129.6.15.0 /24

Step 2. Permit multicast Domain Name System (mDNS) for the out-of-band cluster.

    (config) # ip filter chain INPUT rule append tail target ACCEPT dest-addr 224.0.0.251 /32

Step 3. Permit GigaSMART card communication for the out-of-band cluster.

    (config) # ip filter chain INPUT rule append tail target ACCEPT dest-addr 12.19.148.0 /24
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 12.19.148.0 /24

Step 4. Configure the IP addresses of the permitted hosts (cluster nodes).

    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.115.25.79 /32
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.115.25.80 /32
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.115.25.81 /32
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.115.25.82 /32
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.115.25.83 /32
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.115.25.84 /32

Step 5. Configure the IP addresses of the permitted workstation hosts.

    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.40.21.140 /32
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.40.21.85 /32
    (config) # ip filter chain INPUT rule append tail target ACCEPT source-addr 10.115.122.36 /32

Step 6. Configure a policy for the chain. DROP means that any packet not matching a rule in the INPUT chain is dropped.

    (config) # ip filter chain INPUT policy DROP

Step 7. Enable IP filtering.

    (config) # ip filter enable

Step 8. Display the IP filter configuration.

    (config) # show ip filter

Allowing IGMP Traffic

IP filter chains can also be used to allow IGMP protocol traffic in a clustering environment. Refer to the “Best Practices for OOB Clusters with IGMP Snooping” section in the GigaVUE Fabric Management Guide for details.