Customizing the IP-Filter | StarTech.com ECS0016 guide

Instruction Manual

The basic steps performed are as follows:

a)The current iptables configuration is erased.

b)If a customized IP-Filter script exists it is executed and no other actions are performed.

c)Standard policies are inserted which will drop all traffic not explicitly allowed to and through the system.

d)Rules are added which explicitly allow network traffic to access enabled services (e.g. HTTP, SNMP etc.)

e)Rules are added which explicitly allow traffic network traffic access to serial ports over enabled protocols e.g. Telnet, SSH and raw TCP.

Customizing the IP-Filter:

/etc/config/filter-custom

If the standard system firewall configuration is not adequate for your needs it can be bypassed safely by creating a file at /etc/config/filter- custom containing commands to build a specialized firewall. This firewall script will be run whenever the LAN interface is brought up (including initially) and will override any automated system firewall settings.

Below is a simple example of a custom script which creates a firewall using the iptables command. Only incoming connections from computers on a C-class network 192.168.10.0 will be accepted when this script is installed at /etc/config/filter-custom (Note that when this script is called any preexisting chains and rules have been flushed from iptables):

#/bin/sh

#Set default policies to drop any incoming or routable traffic

#and blindly accept anything from the 192.168.10.0 network. iptables –-policy FORWARD DROP

iptables –-policy INPUT DROP iptables –-policy OUTPUT ACCEPT

#Allow responses to outbound connections back in.

iptables –-append INPUT \

112

Image 119

StarTech.com ECS0016 manual Customizing the IP-Filter, Etc/config/filter-custom

Contents

ECS0016 FCC Compliance Statement Table of Contents Serial Port and Network Host Configuration Alerts and Logging 105 132 Introduction FeaturesPackage Contents AC power socket Initial ConfigurationPower Connection 192.168.0.1 Management Console Connection Click Start Run ARPPing IP Address AssignmentPage Select System Administration Administrator Password On the System IP menu Network IP address System Services Telnet Https Base Ping MetaConnect Communications Software PuTTY SSHTerm Serial Port and Network Host Configuration Configuring Serial Ports Common Settings Console Server Mode Page SSH RFC2217 TCP Accumulation Period SDT ModePower Strip Mode Terminal Server Mode Local Ethernet LAN ECS0016 Serial Bridging ModeSyslog Add / Edit Users Page Select Serial & Network Users & Groups AuthenticationAuthentication Configuration Network Hosts Network IP Address Trusted NetworksSelect Serial & Network Trusted Networks Subnet Mask Click Apply Serial Port CascadingPage # ssh remhost To define and configure a Slave Please note Page RPC Connection Remote Power Control RPCPage RPC Status RPC Alerts User Power Management Managed UPS Connections Uninterruptible Power Supply Control UPS Click Add UPS Groups Configure UPS Powering the Console Server Page Monitor managedups@192.168.0.1 1 username password slave Configuring Powered Computers to Monitor a Managed UPS UPS Status UPS Alerts Overview of Network UPS Tools NUT Page Environmental Monitoring Connecting the EMD Click Add Alerts & Logging Alerts Environmental Alerts Environmental Status OoB Dial-In access Failover and Out-of-Band Dial Access Check the Enable Dial In Access box Configure Dial In PPP Select PAP, CHAP, MSCHAPv2 or None and click Apply Set up earlier Windows clients Using The MetaConnect clientSet up Windows XP/ 2003 client Set up Linux clients Page Telnet or SSH connection to serially attached devices Secure Tunneling & MetaConnect Network MetaConnect for OoB Connection to the Gateway To configure MetaConnect for OoB access Poff networkconnection Pon networkconnection Importing and exporting preferences MetaConnect Public Key AuthenticationTo make the OoB connection using MetaConnect PuTTYgen OpenSSH OpenSSH Windows Setting up MetaConnect for Remote Desktop access Set up MetaConnect Serial Ports on ECS0016 SSH port forward over the ECS0016 Serial Port Email alerts Enable SMTP, Snmp and/or NagiosAlerts and Logging Nagios Alerts Configure AlertsSnmp alerts Select Alerts & Logging SnmpPage Serial Port Logging Remote Log Storage Power Control Page Configuring Ipmi Power Management Configuring Serial Port Power Strips User Power Management Configuring Browser Controlled Power Strips Nagios overview Nagios Integration Distributed ECS0016 console servers Central management and setting up MetaConnect for NagiosCentral Nagios server Clients MetaConnect Nagios setup involves the following stepsSet Up a Central Nagios Server Managed Hosts Set up distributed ECS0016 console serversCentral Site Remote Site Nagios Server Network Check Prefer NRPE, Nrpe Enabled and Nrpe Command Arguments Click Console Server Mode, and select Logging Level HostClick New Check and select Check TCP. Select Port Select Serial Port from the Serial & Network menu Click Connection Alert Enable Nagios on the ECS0016 Enable Nrpe monitoring Configure selected Network Hosts for Nagios monitoring Enable Nsca monitoringSelect System Nagios and check Nsca Enabled Configure selected Serial Ports for Nagios monitoring Configure the upstream Nagios monitoring host System Management System Administration and Reset Firmware Firmware Upgrades Select the Enable NTP checkbox on the Network Time Protocol Configure Date and Time Status Reports Port Access and Active UsersSelect Status Port Access Support Reports Statistics Syslog Device Management Power ManagementSelect Manage Power Management Select Manage Terminal Serial Port Terminal Connection Port Log Management Basic Configuration Linux Commands Power up the ECS0016 and connect the terminal device Linux Command line Description Config Tool SyntaxRun all registered configurators. This Administration Configuration Network Time Protocol Date and Time ConfigurationManually Change Clock Settings Time Zone Network ConfigurationIP Configuration Dhcp Secondary DNS IP Configuration StaticDisable Dhcp Default Gateway # /bin/config --run=dial-in Dial-in Configuration Services Configuration Serial Port Configuration Raw TCP via LAN Disabled Supported Protocol ConfigurationTelnet Access LAN Disabled SSH Access LAN Enabled Trusted Networks Config.users.total Username cifsuser Event Logging ConfigurationPassword secret Remote Serial Port Log Storage Alert Configuration # /bin/config --run=eventlog MetaConnect host TCP Ports MetaConnect Host Configuration Pmshell Advanced ConfigurationPmshell Commands Advanced Portmanager Pmusers Pmchat # pmusers Portmanager Daemon External Scripts and Alerts Signals 109 Accessing the Console Port Raw Access to Serial PortsAccess to Serial Ports IP Filtering Enabling Boot Messages on the ConsoleStandard IP-Filter configuration Etc/config/ipfilter Customizing the IP-Filter Etc/config/filter-custom Etc/config/snmpd.conf Modifying Snmp Configuration To set the Manager Address field Adding more than one Snmp server PowerMan Power Strip Control Synopsis Target Specification Pmpower Adding new RPC devices Speedbaud rate/speed charsizecharacter size/charsize Term Meaning Glossary of Terms Used Chap Intranet Internet MAC address Key lifetimes Net mask NAT Router Radius TCP/IP address SOL UTP Telnet Micrel KS8695P controller Technical Specifications RJ45 Connector PinoutWiring 131 Limitation of Liability Technical Support Warranty Information