724-746-5500 | blackbox.com
- If you are not using a modem on the DB9 console port and instead want to connect to it directly via a null modem cable, enable verbose mode, which allows you to see the standard Linux start-up messages. Follow these commands:
  # /bin/config --set=config.console.debug=on
  # /bin/config --run=console
  # reboot
- If at some point in the future you choose to connect a modem for dial-in out-of-band access, you can reverse the procedure with the following commands:
  # /bin/config --del=config.console.debug
  # /bin/config --run=console
  # reboot
15.4 IP Filtering
The console server uses the iptables utility to provide a stateful firewall of LAN traffic. By default, rules are automatically inserted to allow access to enabled services, and serial port access via enabled protocols. The commands that add these rules are contained in the configuration file:
/etc/config/ipfilter
This is an executable shell script that runs whenever the LAN interface is brought up and whenever modifications are made to the iptables configuration as a result of CGI actions or the config command line tool.
The basic steps performed are as follows:
- The current iptables configuration is erased.
- If a customized IP filter script exists, it is executed and no other actions are performed.
- Standard policies are inserted that drop all traffic not explicitly allowed to and through the system.
- Rules are added which explicitly allow network traffic to access enabled services, for example HTTP, SNMP, etc.
- Rules are added which explicitly allow network traffic to access serial ports over enabled protocols, e.g. Telnet, SSH and raw TCP.
If the standard system firewall configuration is not adequate for your needs, you can bypass it safely by creating a file at /etc/config/filter-custom containing commands to build a specialized firewall. This firewall script will run whenever the LAN interface is brought up (including initially) and will override any automated system firewall settings.
Below is a simple example of a custom script that creates a firewall using the iptables command. Only incoming connections from computers on the class C network 192.168.10.0 will be accepted when this script is installed at /etc/config/filter-custom. Note that when this script is called, any preexisting chains and rules have already been flushed from iptables:
#!/bin/sh
# Set default policies to drop any incoming or routable traffic
# and blindly accept anything from the 192.168.10.0 network.
iptables --policy FORWARD DROP
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
# Allow responses to outbound connections back in.
iptables --append INPUT \
    --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Explicitly accept any connections from computers on
# 192.168.10.0/24
iptables --append INPUT --source 192.168.10.0/24 --jump ACCEPT
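A stricter variant of the same filter-custom script, added here as an example and not taken from the manual: instead of accepting everything from the subnet, it admits only SSH, HTTPS and raw-TCP serial access from a management network and logs what the DROP policy discards. The management subnet, the serial port range 3000:3099 and the log prefix are constructed values; the script applies rules only when run as root on the device (identified by its /etc/config directory) and otherwise prints them for review.

```shell
#!/bin/sh
# Added example, not from the manual: a stricter /etc/config/filter-custom that
# admits management (SSH, HTTPS) and raw-TCP serial access only from one subnet
# and rate-limit logs what the DROP policy will discard.
MGMT_NET="${MGMT_NET:-192.168.10.0/24}"    # constructed management subnet
SERIAL_PORTS="${SERIAL_PORTS:-3000:3099}"   # assumed raw TCP range for serial ports
IPT="${IPT:-iptables}"

# Apply rules only as root on the device (identified by its /etc/config directory
# and a usable iptables); anywhere else just print them so the script can be
# reviewed before it is installed.
if [ "$(id -u)" -ne 0 ] || [ ! -d /etc/config ] || ! command -v "$IPT" >/dev/null 2>&1; then
    DRY_RUN=1
fi

# run: apply one iptables command, or echo it in dry-run mode.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# build_rules: emit the complete rule set. The system flushes all chains before
# calling filter-custom, so no flush is needed here.
build_rules() {
    run --policy INPUT DROP
    run --policy FORWARD DROP
    run --policy OUTPUT ACCEPT
    run --append INPUT --in-interface lo --jump ACCEPT
    run --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
    run --append INPUT --match state --state INVALID --jump DROP
    # Management services, restricted to the management subnet.
    run --append INPUT --source "$MGMT_NET" --protocol tcp --dport 22 --jump ACCEPT
    run --append INPUT --source "$MGMT_NET" --protocol tcp --dport 443 --jump ACCEPT
    # Serial ports over raw TCP, same subnet restriction.
    run --append INPUT --source "$MGMT_NET" --protocol tcp \
        --match multiport --dports "$SERIAL_PORTS" --jump ACCEPT
    # Log what falls through to the DROP policy, rate limited to avoid log floods.
    run --append INPUT --match limit --limit 5/min --jump LOG --log-prefix "filter-custom-drop:"
}

# count_accept_rules: number of explicit ACCEPT rules, a quick self-check that
# the allow list has not silently grown (runs build_rules in a dry-run subshell).
count_accept_rules() {
    ( DRY_RUN=1; build_rules ) | grep -c -- '--jump ACCEPT'
}

build_rules
```

Run it on a workstation first to review the printed rules, then copy it to /etc/config/filter-custom on the console server and bring the LAN interface up (or reboot) to apply it.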