
Opengear IM4200 User Manual

Opengear IM4200
335 pages
Console Server & Router User Manual 277
- If at some point in the future you choose to connect a modem for dial-in out-of-band access, the procedure can be
reversed with the following commands:
# /bin/config --del=config.console.debug
# /bin/config --run=console
# reboot
15.4 IP-Filtering
The console server uses the iptables utility to provide a stateful firewall of LAN traffic. By default, rules are automatically
inserted to allow access to enabled services and to allow serial port access via enabled protocols. The commands which add
these rules are contained in configuration files:
/etc/config/ipfilter
This is an executable shell script which is run whenever the LAN interface is brought up and whenever modifications are
made to the iptables configuration as a result of CGI actions or the config command line tool.
The basic steps performed are as follows:
- The current iptables configuration is erased
- If a customized IP-Filter script exists it is executed and no other actions are performed
- Standard policies are inserted which will drop all traffic not explicitly allowed to and through the system
- Rules are added which explicitly allow network traffic to access enabled services, e.g. HTTP, SNMP, etc.
- Rules are added which explicitly allow network traffic to access serial ports over enabled protocols, e.g. Telnet,
SSH and raw TCP
If the standard system firewall configuration is not adequate for your needs it can be bypassed safely by creating a file at
/etc/config/filter-custom containing commands to build a specialized firewall. This firewall script will be run whenever the
LAN interface is brought up (including initially) and will override any automated system firewall settings.
Below is a simple example of a custom script which creates a firewall using the iptables command. Only incoming
connections from computers on a C-class network 192.168.10.0 will be accepted when this script is installed at
/etc/config/filter-custom. Note that when this script is called any preexisting chains and rules have been flushed from
iptables:
#!/bin/sh
# Set default policies to drop any incoming or routable traffic
# and blindly accept anything from the 192.168.10.0 network.
iptables --policy FORWARD DROP
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
# Allow responses to outbound connections back in.
iptables --append INPUT \
    --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Explicitly accept any connections from computers on
# 192.168.10.0/24
iptables --append INPUT --source 192.168.10.0/24 --jump ACCEPT
There is good documentation about using the iptables command at the Linux netfilter website,
http://netfilter.org/documentation/index.html. There are also many high-quality tutorials and HOWTOs available via the
netfilter website; in particular, peruse the tutorials listed on the netfilter HOWTO page.
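A pre-install check for a candidate filter-custom script, given as an added example that is not part of the manual or of Opengear's software. Because the custom script replaces every automatically inserted rule, it flags the mistakes most likely to leave the unit open or unreachable; `lint_filter_custom` and `has_drop_policy` are hypothetical helper names, and the set of checks is this example's own assumption of what such a script should contain.

```shell
#!/bin/sh
# Added example: lint a candidate /etc/config/filter-custom before installing.
# lint_filter_custom and has_drop_policy are hypothetical helper names.

# Succeeds if file $1 sets the policy of chain $2 to DROP (--policy or -P).
has_drop_policy() {
    grep -Eq "^[[:space:]]*iptables[[:space:]]+(--policy|-P)[[:space:]]+$2[[:space:]]+DROP" "$1"
}

# Prints one line per finding; the exit status is the number of findings.
lint_filter_custom() {
    f=$1 n=0
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    # Text copied from a PDF often carries typographic dashes, which
    # iptables does not parse as option prefixes.
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$f"; then
        echo "non-ASCII bytes present (typographic dash?)"; n=$((n + 1))
    fi
    case $(head -n 1 "$f") in
        '#!'*) ;;
        *) echo "first line is not a #! interpreter line"; n=$((n + 1)) ;;
    esac
    sh -n "$f" 2>/dev/null || { echo "shell syntax error"; n=$((n + 1)); }
    for chain in INPUT FORWARD; do
        has_drop_policy "$f" "$chain" ||
            { echo "no DROP policy for $chain"; n=$((n + 1)); }
    done
    # Without this rule, replies to the unit's own outbound connections
    # are dropped by the INPUT policy. Backslash continuations are joined
    # first so a rule split over two lines is still seen as one.
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$f" |
        grep -Eq 'INPUT.*ESTABLISHED.*ACCEPT' ||
        { echo "no ESTABLISHED accept rule on INPUT"; n=$((n + 1)); }
    return "$n"
}
```

Run it against the candidate file on a workstation and install the script only when the function reports no findings.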
15.5 SNMP Status Reporting
All console servers also contain an SNMP service (snmpd), which can provide status information on demand. snmpd is
an SNMP agent which binds to a port and awaits requests from SNMP management software. Upon receiving a request,
it processes the request(s), collects the requested information and/or performs the requested operation(s), and returns the
information to the sender.
