IBM Support

How to configure IPSec filters to block and allow traffic on a port number

How To


Summary

This document demonstrates how to use IPSec filters to block all access to the telnetd port (23) and allow telnet access from just one client.

The target server name and IP: lab154 10.99.13.154
The telnet client name and IP: lab174 9.40.205.174

After a successful configuration, only lab174 can successfully telnet to lab154.
All other connections to the target server's telnetd port 23 will be blocked.

Steps

Note: Prior to configuring IPSec filters, make sure that you have console access working.
This will come in handy in case you accidentally block your remote connection.

Start ipsec filters with the default settings on the telnet server:
 
lab154:/home/Tuvo:# smit ipsec4
-> Start/Stop IP Security
-> Start IP Security
                                                                                 Start IP Security
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
                                                        [Entry Fields]
  Start IP Security                                  [Now and After Reboot]
  Deny All Non_Secure IP Packets                     [no]
 
Check the active ipsec filter table using the 'lsfilt' command:
 
lab154:/home/Tuvo:# lsfilt -v4 -a
Beginning of IPv4 filter rules.
Rule 1:
*** Dynamic filter placement rule for IKE tunnels ***
Logging control     : no
Rule 2:
Rule action         : permit
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : yes
Protocol            : all
Source Port         : any 0
Destination Port    : any 0
Scope               : both
Direction           : both
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :
End of IPv4 filter rules.
 
Another way to list active filters:

lab154:/home/Tuvo:# lsfilt -v4 -O -a
1|*** Dynamic filter placement rule for IKE tunnels ***|no
2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||
Note: Rule 2 is the default filter rule.
The default filter rule is always the last rule in the filter table.
This default rule is applied when a packet doesn't match any of the rules before it.

Configure a filter to deny all access to the telnet service:
 
lab154:/home/Tuvo:# smit ipsec4
-> Advanced IP Security Configuration
-> Configure IP Security Filter Rules
-> Add an IP Security Filter Rule
                                                                           Add an IP Security Filter Rule
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
                                                        [Entry Fields]
* Rule Action                                        [permit]
* IP Source Address                                  [0.0.0.0]
* IP Source Mask                                     [0.0.0.0]
  IP Destination Address                             [0.0.0.0]
  IP Destination Mask                                [0.0.0.0]
* Apply to Source Routing? (PERMIT/inbound only)     [yes]
* Protocol                                           [all]
* Source Port / ICMP Type Operation                  [any]
* Source Port Number / ICMP Type                     [0]
* Destination Port / ICMP Code Operation             [eq]
* Destination Port Number / ICMP Type                [023]
* Routing                                            [both]
* Direction                                          [inbound]
* Log Control                                        [no]
* Fragmentation Control                              [0]
* Interface                                          [all]
  Expiration Time  (sec)                             []
  Pattern Type                                       [none]
  Pattern / Pattern File                             []
  Description                                        []

Activate/update filter:

Go back to the "Advanced IP Security Configuration" SMIT menu.
-> Activate/Update/Deactivate IP Security Filter Rule
-> Activate / Update

Note: Each time you make changes to your filter table, an update/activate is required to effect the changes.

Check filter table:

lab154:/home/Tuvo:# lsfilt -v4 -a
Beginning of IPv4 filter rules.
Rule 1:
*** Dynamic filter placement rule for IKE tunnels ***
Logging control     : no
Rule 2:
Rule action         : deny
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : yes
Protocol            : all
Source Port         : any 0
Destination Port    : eq  23
Scope               : both
Direction           : inbound
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :
Rule 3:
Rule action         : permit
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : yes
Protocol            : all
Source Port         : any 0
Destination Port    : any 0
Scope               : both
Direction           : both
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :
End of IPv4 filter rules.

Note: Rule 2 above denies all inbound packets, from any source IP to any destination IP on any interface, with destination port 23 (telnetd).
A packet that doesn't match Rule 2 is permitted by the default rule.

Test the new ipsec filter rule by trying to telnet to the server from lab174:
 
lab174:/home/Tuvo:# traceroute lab154
trying to get source for lab154
source should be 9.40.205.174
traceroute to lab154.aus.stglabs.ibm.com (10.99.13.154) from 9.40.205.174 (9.40.205.174), 30 hops max
outgoing MTU = 1500
 1  dsolab200 (9.3.4.200)  1 ms  0 ms  0 ms
 2  lab154 (10.99.13.154)  0 ms  0 ms  0 ms
lab174:/home/Tuvo:# tn 10.99.13.154
Trying...
telnet: connect: A remote host did not respond within the timeout period.
 
Note: Telnet attempt from lab174 to lab154 fails as expected.
Telnet attempts from other clients will fail as well.

Add a new filter rule to allow telnet client lab174 (9.40.205.174) access:
 
lab154:/home/Tuvo:# smit ips4_conf_filter
-> Add an IP Security Filter Rule
                                                                           Add an IP Security Filter Rule
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
                                                        [Entry Fields]
* Rule Action                                        [permit]
* IP Source Address                                  [9.40.205.174]
* IP Source Mask                                     [255.255.255.255]
  IP Destination Address                             [0.0.0.0]
  IP Destination Mask                                [0.0.0.0]
* Apply to Source Routing? (PERMIT/inbound only)     [yes]
* Protocol                                           [all]
* Source Port / ICMP Type Operation                  [any]
* Source Port Number / ICMP Type                     [0]
* Destination Port / ICMP Code Operation             [eq]
* Destination Port Number / ICMP Type                [23]
* Routing                                            [both]
* Direction                                          [both]
* Log Control                                        [no]
* Fragmentation Control                              [0]
* Interface                                          [all]
  Expiration Time  (sec)                             []
  Pattern Type                                       [none]
  Pattern / Pattern File                             []
  Description                                        []

Activate and update the filter table.

List filter table:
 
lab154:/home/Tuvo:# lsfilt -v4 -a
Beginning of IPv4 filter rules.
Rule 1:
*** Dynamic filter placement rule for IKE tunnels ***
Logging control     : no
Rule 2:
Rule action         : deny
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : yes
Protocol            : all
Source Port         : any 0
Destination Port    : eq  23
Scope               : both
Direction           : inbound
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :
Rule 3:
Rule action         : permit
Source Address      : 9.40.205.174
Source Mask         : 255.255.255.255
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : yes
Protocol            : all
Source Port         : any 0
Destination Port    : eq  23
Scope               : both
Direction           : both
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :
Rule 4:
Rule action         : permit
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : yes
Protocol            : all
Source Port         : any 0
Destination Port    : any 0
Scope               : both
Direction           : both
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :
End of IPv4 filter rules.
lab154:/home/Tuvo:# lsfilt -O -v4 -a
1|*** Dynamic filter placement rule for IKE tunnels ***|no
2|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|23|both|inbound|no|all packets|0|all|0|||
3|permit|9.40.205.174|255.255.255.255|0.0.0.0|0.0.0.0|yes|all|any|0|eq|23|both|both|no|all packets|0|all|0|||
4|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||

Try telnet test again from 9.40.205.174:
 
lab174:/home/Tuvo:# tn 10.99.13.154
Trying...
telnet: connect: A remote host did not respond within the timeout period.
Still fails ....

Note: The telnet connection attempt from lab174 fails because the deny rule (Rule 2) is ahead of the permit rule (Rule 3).
Filter rules are evaluated in order, so the incoming telnet packet matches Rule 2 first and takes the "deny" action; Rule 3 is never reached.
To fix this, change the filter table order so that the permit rule for lab174 comes BEFORE the deny-all rule for port 23.

Change order of rule #2 and #3:
 
lab154:/home/Tuvo:# smit ipsec4
-> Advanced IP Security Configuration
-> Configure IP Security Filter Rules
-> Move IP Security Filter Rules
Proceed to move the deny rule for port 23 so that it is below the permit rule for port 23.
Then activate and update the filter table.

List filters:
 
lab154:/home/Tuvo:# lsfilt -O -v4 -a
1|*** Dynamic filter placement rule for IKE tunnels ***|no
2|permit|9.40.205.174|255.255.255.255|0.0.0.0|0.0.0.0|yes|all|any|0|eq|23|both|both|no|all packets|0|all|0|||
3|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|23|both|inbound|no|all packets|0|all|0|||
4|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||
lab154:/home/Tuvo:# lsfilt -v4 -a
Beginning of IPv4 filter rules.
Rule 1:
*** Dynamic filter placement rule for IKE tunnels ***
Logging control     : no
Rule 2:
Rule action         : permit
Source Address      : 9.40.205.174
Source Mask         : 255.255.255.255
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : yes
Protocol            : all
Source Port         : any 0
Destination Port    : eq  23
Scope               : both
Direction           : both
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :
Rule 3:
Rule action         : deny
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : yes
Protocol            : all
Source Port         : any 0
Destination Port    : eq  23
Scope               : both
Direction           : inbound
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :
Rule 4:
Rule action         : permit
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : yes
Protocol            : all
Source Port         : any 0
Destination Port    : any 0
Scope               : both
Direction           : both
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :
End of IPv4 filter rules.

Try another telnet test from lab174:
 
lab174:/home/Tuvo:# tn 10.99.13.154
Trying...
Connected to 10.99.13.154.
Escape character is '^T'.

telnet (lab154.aus.stglabs.ibm.com)
...

Note: The telnet connection succeeds this time because the packet from lab174 matches the permit rule first.
A telnet attempt from any other source IP will fail, as those packets match the deny rule.
All other packets not related to port 23 are permitted by the default rule.
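To make the first-match behaviour behind the failing and the working table concrete, here is an added Python example (not part of this IBM document) that parses the `lsfilt -O -v4 -a` lines shown above and walks an inbound packet through the table in both orders. The rule lines and the lab154/lab174 addresses are copied from this document; the second client address 9.40.205.1 is constructed, and the evaluator is simplified to protocol, direction, addresses and destination port.

```python
import ipaddress
import operator

# Leading fields of one pipe-delimited `lsfilt -O` line, in the order the listings show them.
FIELDS = ("rule", "action", "src", "smask", "dst", "dmask", "srcroute", "proto",
          "sport_op", "sport", "dport_op", "dport", "routing", "direction")
PORT_OPS = {"any": lambda a, b: True, "eq": operator.eq, "neq": operator.ne,
            "lt": operator.lt, "le": operator.le, "gt": operator.gt, "ge": operator.ge}
# Constructed tables, built from the rule lines listed in this document.
IKE = "1|*** Dynamic filter placement rule for IKE tunnels ***|no"
DENY_23 = "deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|23|both|inbound|no|all packets|0|all|0|||"
PERMIT_LAB174 = "permit|9.40.205.174|255.255.255.255|0.0.0.0|0.0.0.0|yes|all|any|0|eq|23|both|both|no|all packets|0|all|0|||"
DEFAULT = "permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||"

def table(*rules):  # number rules as lsfilt does: rule 1 is always the IKE placeholder
    return "\n".join([IKE] + [f"{n}|{r}" for n, r in enumerate(rules, start=2)])

BROKEN_ORDER = table(DENY_23, PERMIT_LAB174, DEFAULT)  # before "Move IP Security Filter Rules"
FIXED_ORDER = table(PERMIT_LAB174, DENY_23, DEFAULT)   # after the move

def parse_lsfilt(text):
    """Parse lsfilt -O lines into dicts; the IKE placeholder has no filter fields and is skipped."""
    rows = (line.split("|") for line in text.strip().splitlines())
    return [dict(zip(FIELDS, parts)) for parts in rows if len(parts) >= len(FIELDS)]

def addr_matches(addr, rule_addr, mask):
    """Compare only the bits the mask keeps, so 0.0.0.0/0.0.0.0 matches any address."""
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, mask))
    return (a & m) == (r & m)

def evaluate(rules, src, dst, proto, dport, direction):
    """Return (action, rule number) of the first rule the packet matches.
    Rules are tried top to bottom; the default rule at the end guarantees a hit."""
    for r in rules:
        if r["proto"] not in ("all", proto) or r["direction"] not in ("both", direction):
            continue
        if not (addr_matches(src, r["src"], r["smask"]) and addr_matches(dst, r["dst"], r["dmask"])):
            continue
        if PORT_OPS[r["dport_op"]](dport, int(r["dport"])):
            return r["action"], int(r["rule"])
    raise ValueError("filter table has no default rule")

def inbound_to_lab154(table_text, src, dport=23):
    """Inbound TCP packet from `src` to lab154 (10.99.13.154) on `dport`."""
    return evaluate(parse_lsfilt(table_text), src, "10.99.13.154", "tcp", dport, "inbound")

if __name__ == "__main__":
    print("broken order, lab174 telnet :", inbound_to_lab154(BROKEN_ORDER, "9.40.205.174"))    # ('deny', 2)
    print("fixed order,  lab174 telnet :", inbound_to_lab154(FIXED_ORDER, "9.40.205.174"))     # ('permit', 2)
    print("fixed order,  other telnet  :", inbound_to_lab154(FIXED_ORDER, "9.40.205.1"))       # ('deny', 3)
    print("fixed order,  lab174 port 22:", inbound_to_lab154(FIXED_ORDER, "9.40.205.174", 22))  # ('permit', 4)
```

The same walk shows why the permit rule was shadowed: a rule placed after a broader deny for the same port can never match, which `lsfilt` itself does not warn about.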

Document Location

Worldwide



Document Information

More support for:
AIX

Component:
Security->IPSEC/IKE

Software version:
All Versions

Document number:
7169768

Modified date:
25 September 2024

UID

ibm17169768
