unixadmin.free.fr just another IBM blog and technotes backup

15 Feb 2013

Simple AIX ipv4 filtering configuration – memo

In this example:
- One server with IP address 10.0.0.1 configured on the en0 logical interface
IPSEC rules:
- PERMIT SSH requests to the server (10.0.0.1) from only one client (10.0.0.2)
- DENY and LOG all other SSH connections
- DENY ALL other packets (default rule)

Prerequisites

To start the firewall on AIX you need a few packages installed:

- bos.msg.en_US.net.ipsec
- bos.net.ipsec.keymgt
- bos.net.ipsec.rte
- clic.rte.kernext
- clic.rte.lib

Recommendations
- Use a TTY or VTY (console) connection for the first AIX filtering configuration, so a wrong rule cannot lock you out of the server.
- Add the client hostname to /etc/hosts on the server.
- Use hostnames in the genfilt rules, as in this example.

- Check IP host resolution:

# host server
server is 10.0.0.1

# host client
client is 10.0.0.2

Prepare syslog to record the rejected packets:

# echo "local4.debug /var/adm/ipsec.log rotate size 100k files 4" >> /etc/syslog.conf
# touch /var/adm/ipsec.log
# refresh -s syslogd

Back up the old rules:

# lsfilt -v 4 >> /tmp/lsfilt.bkp

Example IPSec rules script:

#!/usr/bin/ksh

# Remove all user rules
rmfilt -v 4 -n all

# Activate the (now empty) user rule set
mkfilt -v 4 -u

# Stop IPv4 filter logging while the rules are rebuilt
mkfilt -v 4 -g stop

# DENY ALL: set the default rule to deny
mkfilt -v 4 -u -z D

# PERMIT SSH requests from client to server on the en0 interface (inbound)
genfilt -v 4 -a P -s client -d server -g N -c tcp -o gt -p 1023 -O eq -P 22 -r L -w I -l N -f Y -i en0

# PERMIT SSH answers (tcp/ack) from server to client on the en0 interface (outbound)
genfilt -v 4 -a P -s server -d client -g N -c tcp/ack -o eq -p 22 -O gt -P 1023 -r L -w O -l N -f Y -i en0

# DENY and LOG all other inbound SSH requests on the en0 interface
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g N -c tcp -O eq -P 22 -r L -w I -l Y -f Y -i en0

# Activate the new rules
mkfilt -v 4 -u

# Start IPv4 filter logging to /var/adm/ipsec.log
mkfilt -v 4 -g start

# Display the rule list
lsfilt -v 4 -O

In the ipsec.log trace below you can see that 10.0.0.5 is not authorised to reach the SSH server: rule #4 (R:d) denied its packet to destination port 22 on en0.

# tail -f /var/adm/ipsec.log

Feb 15 16:16:57 server local4:notice ipsec_logd: Filter logging daemon ipsec_logd (level 2.20) initialized at 16:16:57 on 02/15/13
Feb 15 16:17:10 server local4:info ipsec_logd: #:4 R:d  I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp/ack SP:34804 DP:22 R:l I:en0 F:n T:0 L:44
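To turn the ipsec.log trace into something you can review, here is an added example (not part of the original post and not an IBM tool): a POSIX sh/awk function that counts the denied packets per source address, destination port and rule number from the ipsec_logd record format shown above. The log lines embedded in it are constructed for this example.

```shell
#!/bin/sh
# Added example: summarise ipsec_logd deny records from /var/adm/ipsec.log.
# Assumes the record layout shown above: "#:<rule> R:<d|p> ... S:<src> ... DP:<dport> ...".
# SAMPLE_LOG is constructed for this example (not a real capture).

SAMPLE_LOG='Feb 15 16:16:57 server local4:notice ipsec_logd: Filter logging daemon ipsec_logd (level 2.20) initialized at 16:16:57 on 02/15/13
Feb 15 16:17:10 server local4:info ipsec_logd: #:4 R:d  I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp/ack SP:34804 DP:22 R:l I:en0 F:n T:0 L:44
Feb 15 16:17:12 server local4:info ipsec_logd: #:4 R:d  I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp SP:34805 DP:22 R:l I:en0 F:n T:0 L:44
Feb 15 16:18:03 server local4:info ipsec_logd: #:4 R:d  I:10.0.0.1 S:10.0.0.7 D:10.0.0.1 P:tcp SP:51002 DP:22 R:l I:en0 F:n T:0 L:44'

# summarize_denies: read ipsec_logd lines on stdin and print one line per
# "count src dport rule" for denied packets, most frequent source first.
summarize_denies() {
    awk '
    /ipsec_logd: #:/ {
        rule = ""; action = ""; src = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^#:/)                        rule = substr($i, 3)
            else if ($i == "R:d" && action == "")  action = "deny"    # first R: is the rule action
            else if ($i == "R:p" && action == "")  action = "permit"  # second R: is routing (l/r), ignored
            else if ($i ~ /^S:/)                   src = substr($i, 3)
            else if ($i ~ /^DP:/)                  dport = substr($i, 4)
        }
        if (action == "deny") count[src " " dport " " rule]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Usage on the real log: summarize_denies < /var/adm/ipsec.log
printf '%s\n' "$SAMPLE_LOG" | summarize_denies
```

Each output line reads "count source-IP destination-port rule-number", so a source that keeps hitting the deny-and-log rule stands out at the top.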

Source:

http://www.ibm.com/developerworks/aix/library/au-aixfiltering/index.html

http://it.toolbox.com/blogs/unix-swing/sample-firewall-in-aix-48146
