DX NetOps Manager

Expand all | Collapse all

CAPC 2.8.0 and iptables

Jump to Best Answer
  • 1.  CAPC 2.8.0 and iptables

    Posted 12-16-2016 03:21 AM

    Hello,

    I need to protect the Linux servers for performance management with iptables for a customer. I've also managed to do that right down to the Performance Center.

    Unfortunately I do not get it, that after the activation of iptables the access by HTTP / HTTPS on the servers functions.

    Has anyone already hedged the servers with iptables? And can help me?

    thank you

    My config is

    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 8182 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 8382 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited

    #Data Aggregator
    -A INPUT -p tcp -s 192.168.0.26 -d  192.168.0.4 --sport 513:65535 --dport  8381 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -s 192.168.0.26 -d  192.168.0.4 --sport 513:65535 --dport  8581 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp -s 192.168.0.4 -d  192.168.0.26 --sport 513:65535 --dport 8381 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp -s 192.168.0.4 -d  192.168.0.26 --sport 513:65535 --dport 8581 -m state --state NEW,ESTABLISHED -j ACCEPT

     

    # DNS , NTP Server, SNMP
    -A OUTPUT -p udp --sport 1024:65535 --dport 53 -d 10.30.0.34 -j ACCEPT
    -A OUTPUT -p udp --sport 123 --dport 123 -d 10.2.10.10 -j ACCEPT
    -I INPUT -p udp -m udp -s 192.168.0.36 -d  192.168.0.4 --dport 161 -j ACCEPT
    -A INPUT -p icmp --icmp-type echo-request -s 192.168.0.36 --j ACCEPT
    -A OUTPUT -p icmp --icmp-type echo-reply  -s 192.168.0.36 --j ACCEPT

     

    thanks for help

    Andreas Burger



  • 2.  Re: CAPC 2.8.0 and iptables

    Posted 12-19-2016 02:42 PM

    Hello Andreas,

     

    My apologies but I'm a small bit confused by this request. Based on your configuration posted above it appears you've properly configured iptables to allow access via the ports defined.

     

    It looks like your config is properly allowing HTTP and HTTPS traffic through the usual 443, 8182 and 8382 ports.

     

    What is the goal of this effort? What protocols and traffic are meant to be blocked here?

     

    If we're attempting to block systems vs. protocols an ACL in the network might be a better solution.

     

    Thanks,

    Mike



  • 3.  Re: CAPC 2.8.0 and iptables
    Best Answer

    Posted 12-20-2016 01:31 AM

    Hi Mike,

    The goal is the customer request an external firewall and also the server directly to control the access.
    I found the problem. I have added some lines:

    -A OUTPUT -s 192.168.0.4 -d 192.168.0.4 -j APPENDICES
    -A INPUT -s 192.168.0.4 -d 192.168.0.4 -j APPENDICES

    192.168.0.4 is the server's own IP address


    The main problem, however, is that the command "service iptables restart" does not seem to function quite clean. After I have done the restart with start and stop it worked at once :-)

    Thanks for your help

    Andreas