IP Filtering - Tripp Lite B092-016 Owner's Manual


Chapter 15: Advanced Configuration

15.4 IP Filtering

The Console Server uses the iptables utility to provide a stateful firewall for LAN traffic. By default, rules are automatically
inserted to allow access to enabled services and to allow serial port access via enabled protocols. The commands that add these
rules are contained in the configuration file:
/etc/config/ipfilter
This is an executable shell script which is run whenever the LAN interface is brought up and whenever modifications are made
to the iptables configuration as a result of CGI actions or the config command line tool.
The basic steps performed are as follows:
• The current iptables configuration is erased
• If a customized IP-Filter script exists, it is executed and no other actions are performed
• Standard policies are inserted which drop all traffic not explicitly allowed to and through the system
• Rules are added which explicitly allow network traffic to access enabled services, e.g. HTTP, SNMP, etc.
• Rules are added which explicitly allow network traffic to access serial ports over enabled protocols, e.g. Telnet, SSH and raw TCP
If the standard system firewall configuration is not adequate for your needs it can be bypassed safely by creating a file at
/etc/config/filter-custom containing commands to build a specialized firewall. This firewall script will be run whenever the LAN
interface is brought up (including initially) and will override any automated system firewall settings.
Below is a simple example of a custom script which creates a firewall using the iptables command. When this script is installed
at /etc/config/filter-custom, only incoming connections from computers on the class C network 192.168.10.0 will be accepted.
Note that when this script is called, any preexisting chains and rules have already been flushed from iptables:
#!/bin/sh
# Set default policies to drop any incoming or routable traffic
# and blindly accept anything from the 192.168.10.0 network.
iptables --policy FORWARD DROP
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
# Allow responses to outbound connections back in.
iptables --append INPUT \
    --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Explicitly accept any connections from computers on
# 192.168.10.0/24
iptables --append INPUT --source 192.168.10.0/24 --jump ACCEPT
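The manual's script accepts every port from the 192.168.10.0/24 subnet. The following is an added example, not part of the Tripp Lite manual, of a more restrictive /etc/config/filter-custom: it admits only the management services that are actually needed (SSH and HTTPS, chosen here as an assumption), only from the management subnet, and logs what the INPUT policy is about to drop. Because a custom script replaces the console server's automatic rules entirely, any service not listed here becomes unreachable, including the one used to log in, so the script has a dry-run mode (IPT=echo) to review the rules before copying it onto the unit. The subnet, port list and the LOGDROP chain name are illustrative values.

```shell
#!/bin/sh
# Added example (not from the Tripp Lite manual): a restrictive
# /etc/config/filter-custom. The management subnet, the service ports
# and the LOGDROP chain name are assumptions chosen for illustration.

MGMT_NET="192.168.10.0/24"      # constructed: hosts allowed to manage the unit
MGMT_TCP_PORTS="22 443"         # constructed: SSH and HTTPS only; no Telnet or HTTP
IPT="${IPT:-iptables}"          # set IPT=echo to print the rules instead of applying them

# Build the whole rule set. When this runs as /etc/config/filter-custom the
# console server has already flushed iptables, so nothing is flushed here.
build_firewall() {
    # Default deny for anything arriving at or routed through the unit.
    $IPT --policy INPUT DROP
    $IPT --policy FORWARD DROP
    $IPT --policy OUTPUT ACCEPT

    # Local daemons talk to each other over loopback.
    $IPT --append INPUT --in-interface lo --jump ACCEPT

    # Replies to connections the unit itself started (DNS, NTP, syslog, alerts).
    $IPT --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT

    # Packets with no valid connection state never reach a service rule.
    $IPT --append INPUT --match state --state INVALID --jump DROP

    # Ping from the management subnet only, so operators can still reach the unit.
    $IPT --append INPUT --source "$MGMT_NET" --protocol icmp \
         --icmp-type echo-request --jump ACCEPT

    # One rule per management service, restricted to the management subnet.
    for port in $MGMT_TCP_PORTS; do
        $IPT --append INPUT --source "$MGMT_NET" --protocol tcp --dport "$port" \
             --match state --state NEW --jump ACCEPT
    done

    # Log everything else (rate limited) before the INPUT policy drops it,
    # so unexpected connection attempts show up in the syslog.
    $IPT --new-chain LOGDROP
    $IPT --append LOGDROP --match limit --limit 5/minute \
         --jump LOG --log-prefix "ipfilter-drop: "
    $IPT --append LOGDROP --jump DROP
    $IPT --append INPUT --jump LOGDROP
}

# Number of --append rules the script would install, from a dry run.
rule_count() {
    ( IPT=echo; build_firewall ) | grep -c -- '--append'
}

case "${1:-}" in
    apply)   build_firewall ;;
    dry-run) ( IPT=echo; build_firewall ) ;;
esac
```

Run it as sh filter-custom dry-run on a workstation to read the rules it would install, then copy it to /etc/config/filter-custom on the console server, where it is run with no arguments' worth of output suppression needed: the apply branch is only there so the script can be tested by hand before the LAN interface next comes up.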
There's good documentation about using the iptables command at the Linux netfilter website
http://netfilter.org/documentation/index.html. There are also many high-quality tutorials and HOWTOs available via the netfilter
website; in particular, peruse the tutorials listed on the netfilter HOWTO page.