Tuesday, 16 August 2022

SAN Sw telnet disable

Clone the existing ipfilter policy

    Remove the rule that permits traffic on Telnet port 23

    Define a new rule that denies traffic on Telnet port 23

    Save and activate the new ipfilter configuration

 

Table of Contents

 

    View existing iptable configuration

    Clone existing configuration

    Modify the cloned ipfilters

    Save configuration and activate ipfilters

    Removing an ipfilter

    Sources

 

View existing iptable configuration

 

To show the current IP filter rules, enter: ipfilter --show

 

STORFOS:FID128:storcom> ipfilter --show

Name: default_ipv4, Type: ipv4, State: active
Rule    Source IP                               Protocol   Dest Port         Action
1       any                                     tcp        22                permit
2       any                                     tcp        23                permit
3       any                                     tcp        80                permit
4       any                                     tcp        443               permit
5       any                                     udp        161               permit
6       any                                     udp        123               permit
7       any                                     tcp        600 - 1023        permit
8       any                                     udp        600 - 1023        permit

Name: default_ipv6, Type: ipv6, State: active
Rule    Source IP                               Protocol   Dest Port         Action
1       any                                     tcp        22                permit
2       any                                     tcp        23                permit
3       any                                     tcp        80                permit
4       any                                     tcp        443               permit
5       any                                     udp        161               permit
6       any                                     udp        123               permit
7       any                                     tcp        600 - 1023        permit
8       any                                     udp        600 - 1023        permit

 

Clone existing configuration

 

Go ahead and clone both ipfilter policies. In the example above they are named default_ipv4 and default_ipv6. I will give the clones new names: BlockTelnet_ipv4 and BlockTelnet_ipv6.

 

ipfilter --clone BlockTelnet_ipv4 -from default_ipv4

ipfilter --clone BlockTelnet_ipv6 -from default_ipv6

 

Save the clones you just created:

 

ipfilter --save BlockTelnet_ipv4

ipfilter --save BlockTelnet_ipv6

 

Modify the cloned ipfilters

 

Next, we will remove rule 2 which permits traffic on port 23, then define a new rule that denies traffic on port 23.

 

To remove rule 2 from the cloned policies, enter:

 

ipfilter --delrule BlockTelnet_ipv4 -rule 2

ipfilter --delrule BlockTelnet_ipv6 -rule 2

 

Use the following commands to add a new rule 2 that denies traffic on TCP port 23:

 

ipfilter --addrule BlockTelnet_ipv4 -rule 2 -sip any -dp 23 -proto tcp -act deny

ipfilter --addrule BlockTelnet_ipv6 -rule 2 -sip any -dp 23 -proto tcp -act deny

 

Save configuration and activate ipfilters

 

To save the modified ipfilter clones, enter:

 

ipfilter --save BlockTelnet_ipv4

ipfilter --save BlockTelnet_ipv6

 

Before you activate, you can double-check the new configuration by entering the command:

 

ipfilter --show BlockTelnet_ipv4

ipfilter --show BlockTelnet_ipv6

 

Finally, activate the new ipfilters:

 

ipfilter --activate BlockTelnet_ipv4

ipfilter --activate BlockTelnet_ipv6
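Before activating the clones it helps to check the --show output mechanically rather than by eye. The Python below is an added example, not part of the original post or of FOS: it parses ipfilter --show output in the format shown above (the sample is constructed), reports whether each active policy still permits TCP/23, and confirms TCP/22 is still permitted so the SSH session you are running these commands from is not locked out. It assumes rules are evaluated in ascending rule number with the first match deciding the packet.

```python
"""Audit 'ipfilter --show' output for active policies that still permit Telnet (TCP/23).
Added example, not from the original post. Assumes ascending rule order, first match wins."""
import re

# Constructed sample in the page's format: the default policy still permits Telnet,
# the BlockTelnet clone denies it with the replacement rule 2.
SAMPLE = """\
Name: default_ipv4, Type: ipv4, State: active
Rule    Source IP    Protocol   Dest Port     Action
1       any          tcp        22            permit
2       any          tcp        23            permit
7       any          tcp        600 - 1023    permit

Name: BlockTelnet_ipv6, Type: ipv6, State: active
Rule    Source IP    Protocol   Dest Port     Action
1       any          tcp        22            permit
2       any          tcp        23            deny
"""
POLICY_RE = re.compile(r"^Name:\s*([^,]+),\s*Type:\s*[^,]+,\s*State:\s*(\S+)")
# rule number, source IP, protocol, dest port or "lo - hi" range, action
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)\s*$")

def parse_policies(text):
    """Return {name: {"state": ..., "rules": [(num, sip, proto, lo, hi, action), ...]}}."""
    policies, current = {}, None
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            current = policies[m.group(1)] = {"state": m.group(2), "rules": []}
        elif (m := RULE_RE.match(line)) and current is not None:
            lo, hi = int(m.group(4)), int(m.group(5) or m.group(4))
            current["rules"].append((int(m.group(1)), m.group(2), m.group(3), lo, hi, m.group(6)))
    for pol in policies.values():
        pol["rules"].sort()  # evaluate in rule-number order
    return policies

def action_for(policy, proto, port):
    """First matching rule wins; None means no explicit rule covers this port."""
    for _num, _sip, p, lo, hi, act in policy["rules"]:
        if p == proto and lo <= port <= hi:
            return act
    return None

def audit_telnet(text):
    """Verdict per active policy: 'telnet-permitted', 'telnet-denied' or 'no-rule'."""
    names = {"permit": "telnet-permitted", "deny": "telnet-denied"}
    return {name: names.get(action_for(pol, "tcp", 23), "no-rule")
            for name, pol in parse_policies(text).items() if pol["state"] == "active"}

def ssh_still_permitted(text):
    """Lockout guard: every active policy must still permit TCP/22 before a clone is activated."""
    return all(action_for(p, "tcp", 22) == "permit"
               for p in parse_policies(text).values() if p["state"] == "active")
```

Feed it the output of ipfilter --show BlockTelnet_ipv4 and BlockTelnet_ipv6 before running ipfilter --activate; any verdict other than 'telnet-denied', or a False from ssh_still_permitted, means the clone is not ready.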

 

Removing an ipfilter

 

Alternatively, if you need to clean up the ipfilter policies, it is very easy to do. Use the following command:

 

STORFOS:FID128:storcom> ipfilter --delete BlockTelnet_ipv6
This will delete the IP filter policy.
ARE YOU SURE (yes, y, no, n): [no] y
