The purpose of this article is to show how to enable IP filtering in AIX. This can be done in two ways, and both are covered here.
1. Using Smitty
2. Using Command Line
Listing the IPSEC filter rules already defined
lsfilt -a -v4 -O
lsfilt -a -v6 -O
Implementation – Setting up rules
Using Smitty
To begin, enable IP filtering by enabling IPSec on the server. For this, use the smitty fastpath ipsec4 (smitty ipsec4) and follow the steps given below.
Move cursor to desired item and press Enter.
Start/Stop IP Security
Basic IP Security Configuration
---> Advanced IP Security Configuration
Move cursor to desired item and press Enter.
---> Configure IP Security Filter Rules
List Active IP Security Filter Rules
Activate/Update/Deactivate IP Security Filter Rule
List Encryption Modules
Start/Stop IP Security Filter Rule Log
Start/Stop IP Security Tracing
Backup IKE Database
Restore IKE Database
Initialize IKE Database
View IKE XML DTD
Move cursor to desired item and press Enter.
List IP Security Filter Rules
---> Add an IP Security Filter Rule
Change IP Security Filter Rules
Move IP Security Filter Rules
Export IP Security Filter Rules
Import IP Security Filter Rules
Delete IP Security Filter Rules
* Rule Action [permit] +
* IP Source Address [xxx.xxx.xxx.xxx]
* IP Source Mask [255.255.255.255] --- will vary with your source IP
IP Destination Address [xx.xx.xx.xx]
IP Destination Mask [255.255.255.0] --- will vary with your destination IP
* Apply to Source Routing? (PERMIT/inbound only) [yes] +
* Protocol [all] +
* Source Port / ICMP Type Operation [any] +
* Source Port Number / ICMP Type [0] #
* Destination Port / ICMP Code Operation [eq] +
* Destination Port Number / ICMP Type [9990] ---- 9990 is an example #
* Routing [both] +
* Direction [both] +
* Log Control [no] +
* Fragmentation Control [0] +
* Interface [en3] ---- Specify the interface name
Expiration Time (sec) [0] #
Pattern Type [none] +
Pattern / Pattern File []
Description []
Note:
- For each IP address above you need to create 2 filters, one per port:
- In the smit panel example, the line * Destination Port Number / ICMP Type [9990] needs an entry for each port, i.e. if the port numbers are 9990 and 9991, create two filters, one with each port number.
Using Command line
genfilt -v 4 -a P -s xxx.xxx.xxx.xxx -m xxx.xxx.xxx.xxx -d xx.xx.xx.xx -M xxx.xxx.xxx.xxx -Y -c all -o any -p 0 -O eq -P 9991 -r L -w O -l N -f Y -i all
genfilt -v 4 -a P -s xxx.xxx.xxx.xxx -m xxx.xxx.xxx.xxx -d xx.xx.xx.xx -M xxx.xxx.xxx.xxx -Y -c all -o any -p 0 -O eq -P 9990 -r L -w O -l N -f Y -i all
-v IP version: 4 (IPv4) or 6 (IPv6)
-a Action: P (permit) or D (deny) the traffic
-s Source IP
-m Source subnet mask
-d Destination IP
-M Destination subnet mask
-Y Apply to source routing (this field only applies to permit rules)
-c Protocol: udp, icmp, icmpv6, tcp, tcp/ack, ospf, ipip, esp, ah, and all
-o Specifies the source port or ICMP type operation. The default value is any. The valid values are: lt, le, gt, ge, eq, neq, and any.
-p Specifies the source port or ICMP type
-O Specifies the destination port or ICMP code operation. The default value is any. The valid values are: lt, le, gt, ge, eq, neq, and any.
-P Specifies the destination port or ICMP code
-r Specifies routing: L (originated from the local host), R (forwarded packets), B (both). The default value is B.
-w Specifies whether the rule applies to incoming packets (I), outgoing packets (O), or both (B). The default value is B.
-l Specifies log control. Must be specified as Y (yes) or N (no).
-f Specifies the fragmentation control: all packets (Y), fragment headers and unfragmented packets only (H), fragments and fragment headers only (O), or unfragmented packets only (N). The default is Y.
-i Specifies the interface to which the rule applies. Examples of interface names are: all, tr0, en0, lo0, and pp0.
Note:
- For each IP address above you need to create 2 filters, one per port:
- For the command line procedure, the -P option needs one rule created for port 9990 and another for port 9991.
- Always make sure the "deny" rules are at the end of the list. If a newly added permit rule lands at the bottom of the list, move it up above the deny rule.
- If a permit rule is listed after the deny rule, it might not function as desired, because the deny rule is evaluated first.
This reordering can be done with "mvfilt".
For example:
In the scenario below we move the deny rule so that it is listed after the permit rule.
88|deny|0.0.0.0|0.0.0.0|192.168.215.40|255.255.254.0|yes|all|any|0|eq|99991|both|both|no|all packets|0|en3|0|||
89|permit|192.168.215.43|255.255.254.0|192.168.171.14|255.255.255.255|yes|all|any|0|eq|9990|both|both|no|all packets|0|en3|0|||
mvfilt -v 4 -p 88 -n 89
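The ordering check described in the note above, as an added shell example that is not part of the original post: it reads lines in the layout of "lsfilt -a -v4 -O" and reports every permit rule that a deny rule higher in the list would already match. The field order and the sample listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Reads lines in the layout of
# "lsfilt -a -v4 -O" from stdin and prints every permit rule that a deny rule
# higher in the list already matches on destination network, protocol and port,
# i.e. the ordering mistake the note above warns about. Input is assumed to be
# in list order, so every deny seen so far sits above the permit being checked.
# Assumed field order: num|action|src|smask|dst|dmask|srcrt|proto|sop|sport|dop|dport|...
shadowed_permits() {
  awk -F'|' '
    # POSIX awk has no bitwise AND, so build one from plain arithmetic
    function band(x, y,   r, b) {
      r = 0; b = 1
      while (x > 0 && y > 0) {
        if (x % 2 == 1 && y % 2 == 1) r += b
        x = int(x / 2); y = int(y / 2); b *= 2
      }
      return r
    }
    function ip2n(a,   o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    $1 !~ /^[0-9]+$/ { next }       # skip the header/trailer lines lsfilt prints
    $2 == "deny" {
      nd++; dn[nd] = $1; dmask[nd] = ip2n($6); dnet[nd] = band(ip2n($5), dmask[nd])
      dproto[nd] = $8; dop[nd] = $11; dport[nd] = $12
    }
    $2 == "permit" {
      for (i = 1; i <= nd; i++) {
        if (band(ip2n($5), dmask[i]) != dnet[i]) continue        # other destination network
        if (dproto[i] != "all" && dproto[i] != $8) continue       # deny is protocol specific
        if (dop[i] != "any" && !(dop[i] == $11 && dport[i] == $12)) continue
        print $1 " shadowed by " dn[i]   # deny sits above, so this permit never fires
      }
    }'
}

# Constructed sample listing, not captured from a real system
SAMPLE_RULES='Beginning of IPv4 filter rules.
87|permit|192.168.215.43|255.255.255.255|192.168.215.40|255.255.255.255|yes|all|any|0|eq|9991|both|both|no|all packets|0|en3|0|||
88|deny|0.0.0.0|0.0.0.0|192.168.215.40|255.255.254.0|yes|all|any|0|eq|9991|both|both|no|all packets|0|en3|0|||
89|permit|192.168.215.43|255.255.254.0|192.168.171.14|255.255.255.255|yes|all|any|0|eq|9990|both|both|no|all packets|0|en3|0|||
90|permit|192.168.215.43|255.255.254.0|192.168.215.41|255.255.255.255|yes|all|any|0|eq|9991|both|both|no|all packets|0|en3|0|||
End of IPv4 filter rules.'

printf '%s\n' "$SAMPLE_RULES" | shadowed_permits   # prints: 90 shadowed by 88
```

On a live system, feed the real listing instead of the sample: lsfilt -a -v4 -O | shadowed_permits, then fix any reported rule with mvfilt as shown above.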
Activating IPSEC rules
After adding rules to the IPsec filter table, run the command below to update the active table. This needs to be run in order to make the rules fully functional.
mkfilt -v4 -u