Clone the existing ipfilter policy
Remove the rule that permits traffic on port 23
Define a new rule that denies traffic on Telnet port 23
Save and activate the new ipfilter configuration
Table of Contents
View existing iptable configuration
Clone existing configuration
Modify the cloned ipfilters
Save configuration and activate ipfilters
Removing an ipfilter
Sources
View existing iptable configuration
To show the current ip filter rules, enter: ipfilter --show
STORFOS:FID128:storcom> ipfilter --show
Name: default_ipv4, Type: ipv4, State: active
Rule    Source IP    Protocol    Dest Port     Action
1       any          tcp         22            permit
2       any          tcp         23            permit
3       any          tcp         80            permit
4       any          tcp         443           permit
5       any          udp         161           permit
6       any          udp         123           permit
7       any          tcp         600 - 1023    permit
8       any          udp         600 - 1023    permit
Name: default_ipv6, Type: ipv6, State: active
Rule    Source IP    Protocol    Dest Port     Action
1       any          tcp         22            permit
2       any          tcp         23            permit
3       any          tcp         80            permit
4       any          tcp         443           permit
5       any          udp         161           permit
6       any          udp         123           permit
7       any          tcp         600 - 1023    permit
8       any          udp         600 - 1023    permit
Clone existing configuration
Go ahead and clone both ipfilter policies. In the example above they are named default_ipv4 and default_ipv6. I will give the clones new names: BlockTelnet_ipv4 and BlockTelnet_ipv6.
ipfilter --clone BlockTelnet_ipv4 -from default_ipv4
ipfilter --clone BlockTelnet_ipv6 -from default_ipv6
Save the clones you just created:
ipfilter --save BlockTelnet_ipv4
ipfilter --save BlockTelnet_ipv6
Modify the cloned ipfilters
Next, we will remove rule 2, which permits traffic on port 23, and then define a new rule 2 that denies traffic on port 23.
To remove rule 2 from the cloned policies, enter:
ipfilter --delrule BlockTelnet_ipv4 -rule 2
ipfilter --delrule BlockTelnet_ipv6 -rule 2
Use the following commands to add a rule that denies traffic on TCP port 23:
ipfilter --addrule BlockTelnet_ipv4 -rule 2 -sip any -dp 23 -proto tcp -act deny
ipfilter --addrule BlockTelnet_ipv6 -rule 2 -sip any -dp 23 -proto tcp -act deny
Save configuration and activate ipfilters
To save the modified ipfilter clones, enter:
ipfilter --save BlockTelnet_ipv4
ipfilter --save BlockTelnet_ipv6
Before you activate, double-check the new configuration by entering:
ipfilter --show BlockTelnet_ipv4
ipfilter --show BlockTelnet_ipv6
Finally, activate the new ipfilters. If your own session came in over Telnet, reconnect over SSH (port 22, still permitted by rule 1) before doing this, since the new policy will deny the Telnet session you are using:
ipfilter --activate BlockTelnet_ipv4
ipfilter --activate BlockTelnet_ipv6
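To check the result of the procedure above without reading the tables by eye, here is an added audit script (not part of the original post or of Fabric OS) that parses the `ipfilter --show` layout shown on this page and reports which policies still have an effective permit for TCP port 23. The sample output is constructed in that layout, and the script assumes rules are matched in rule-number order.

```python
"""Audit Brocade FOS 'ipfilter --show' output for Telnet (tcp/23) exposure."""
import re
from typing import Dict, List, Optional

# Constructed sample in the layout shown on the page (not a real capture):
# the stock policy beside a clone whose rule 2 has been changed to deny.
SAMPLE_OUTPUT = """\
Name: default_ipv4, Type: ipv4, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 permit
7 any tcp 600 - 1023 permit
Name: BlockTelnet_ipv4, Type: ipv4, State: defined
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 deny
7 any tcp 600 - 1023 permit
"""

HEADER_RE = re.compile(r"^Name:\s*(\S+),\s*Type:\s*(\S+),\s*State:\s*(\S+)$")
RULE_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)$")

def parse_ipfilter_show(text: str) -> Dict[str, dict]:
    """Return {policy_name: {'type', 'state', 'rules': [rule dicts]}}."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"type": m.group(2), "state": m.group(3), "rules": []}
            policies[m.group(1)] = current
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            num, sip, proto, lo, hi, act = m.groups()
            current["rules"].append({"rule": int(num), "sip": sip, "proto": proto,
                                     "ports": (int(lo), int(hi or lo)), "action": act})
    return policies

def first_match(policy: dict, proto: str, port: int) -> Optional[dict]:
    """First rule (by rule number) whose protocol and port range cover the
    request; assumes in-order evaluation (an assumption of this example)."""
    for r in sorted(policy["rules"], key=lambda r: r["rule"]):
        lo, hi = r["ports"]
        if r["proto"] == proto and lo <= port <= hi:
            return r
    return None

def telnet_permitting_policies(text: str) -> List[str]:
    """Names of policies whose effective rule for tcp/23 is 'permit'."""
    policies = parse_ipfilter_show(text)
    return [name for name, pol in policies.items()
            if (r := first_match(pol, "tcp", 23)) is not None and r["action"] == "permit"]
```

Paste the real `ipfilter --show` output in place of SAMPLE_OUTPUT; an empty list from telnet_permitting_policies means no policy permits Telnet any more.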
Removing an ipfilter
Alternatively, if you need to clean up ipfilter policies, it is easy to do. Use the following command:
STORFOS:FID128:storcom> ipfilter --delete BlockTelnet_ipv6
This will delete the IP filter policy.
ARE YOU SURE (yes, y, no, n): [no] y