Cluster I/O Protocols (CIP) Configuration and Management Manual (H06.16+, J06.05+)
Description | Climconfig Command
Display the state of the climiptables | climiptables -status
Display the state of the climiptables and the iptables and ip6tables configurations | climiptables -info
Generate obeyform lines for the current iptables and ip6tables configurations | climiptables -info -obeyform
Configuring iptables/ip6tables
The command syntax for climconfig iptables is
climconfig iptables [HP options] arguments [-force]
The command syntax for climconfig ip6tables is
climconfig ip6tables [HP options] arguments [-prov prov-name] [-force]
The two options that can be used with iptables/ip6tables are -prov prov-name and -force. Each
provider has its own iptables and ip6tables configurations, and the -prov option, which specifies
the provider, is mandatory on CLIMs that have the MULTIPROV ON option enabled. The -force option,
used with a sensitive command, causes the command to bypass user confirmation.
Climconfig iptables and climconfig ip6tables configure CIP iptables and ip6tables with the same
Linux iptables and ip6tables commands and options, with some limitations:
• Only the INPUT chain of the ‘filter’ table is supported.
• The Linux INPUT chain is accessed indirectly via the CIP built-in chain CIP_INPUT. Direct
access to the Linux INPUT chain is not permitted except for the ‘-L’ command.
• The functionality of the configured iptables and ip6tables rules is controlled by the state of
climiptables. iptables and ip6tables can be configured while climiptables is disabled. The
configured iptables and ip6tables rules do not take effect until climiptables is enabled.
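
The limitations above, modelled in Python as an added example (not code from this manual or from the CLIM): it parses the six rule lines from this manual's Examples section, refuses direct changes to INPUT, and reports what CIP_INPUT does with a packet. The function names, the handling of only the options those lines use, and the final ACCEPT (taken from the INPUT policy shown in the manual's status output) are assumptions of the model.

```python
import shlex
# Added illustrative model; not CLIM code. Handles only -N, -A and -L lines.
def build(lines):
    """Parse 'climconfig iptables' argument lines into a dict of chains."""
    chains = {"CIP_INPUT": []}
    for line in lines:
        cmd, chain, *rest = shlex.split(line)
        if chain in ("FORWARD", "OUTPUT") or (chain == "INPUT" and cmd != "-L"):
            raise ValueError(f"{cmd} {chain}: not permitted, use CIP_INPUT")
        if cmd == "-N":
            chains[chain] = []
        elif cmd == "-A":
            rule, neg, it = {}, False, iter(rest)
            for t in it:
                if t == "!":
                    neg = True               # inverts the next -i match
                elif t == "-i":
                    rule["-i"], neg = (next(it), neg), False
                elif t == "--dport":
                    lo, _, hi = next(it).partition(":")
                    rule[t] = (int(lo), int(hi or lo))
                elif t in ("-p", "-j"):
                    rule[t] = next(it)
                else:
                    raise ValueError(f"{t}: outside this model")
            chains[chain].append(rule)
    return chains

def verdict(chains, iface, proto, dport, enabled=True, chain="CIP_INPUT"):
    if not enabled:                          # rules are inert while climiptables is disabled
        return "ACCEPT"
    for r in chains[chain]:
        name, neg = r.get("-i", (iface, False))
        lo, hi = r.get("--dport", (dport, dport))
        if (name == iface) == neg or r.get("-p", proto) != proto or not lo <= dport <= hi:
            continue                         # rule does not match this packet
        if r["-j"] not in chains:
            return r["-j"]                   # terminal target, e.g. REJECT
        sub = verdict(chains, iface, proto, dport, True, r["-j"])
        if sub != "RETURN":
            return sub
    # A user chain returns to its caller; after CIP_INPUT, INPUT policy ACCEPT is assumed.
    return "ACCEPT" if chain == "CIP_INPUT" else "RETURN"

# Rule arguments copied from the manual's Examples section.
EXAMPLE = build([
    "-N ftp", "-A ftp -i eth2 -j REJECT", "-A CIP_INPUT -p tcp --dport 20:21 -j ftp",
    "-N telnetchain", "-A telnetchain ! -i eth2 -j REJECT",
    "-A CIP_INPUT -p tcp --dport 23 -j telnetchain"])
```

The model starts at CIP_INPUT, so it does not represent the INPUT rules that the status output lists ahead of CIP_INPUT.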
Examples
To allow inbound FTP traffic on all interfaces except eth2 and to allow inbound telnet traffic
only on eth2:
climcmd g6clim1 climconfig iptables -N ftp
climcmd g6clim1 climconfig iptables -A ftp -i eth2 -j REJECT
climcmd g6clim1 climconfig iptables -A CIP_INPUT -p tcp --dport 20:21 -j ftp
climcmd g6clim1 climconfig iptables -N telnetchain
climcmd g6clim1 climconfig iptables -A telnetchain ! -i eth2 -j REJECT
climcmd g6clim1 climconfig iptables -A CIP_INPUT -p tcp --dport 23 -j telnetchain
Following is the output for these commands:
\MYSYS.$SYSTEM.STARTUP 3> CLIMCMD g6clim1 climstatus -o t
climiptables Enabled: Yes
----------------------------------------------------------------------
IPTABLES Configuration:
Chain INPUT (policy ACCEPT 11 packets, 889 bytes)
pkts bytes target prot opt in out source destination
7636 1970K ACCEPT all -- any any g6clim1 anywhere
656K 228M ACCEPT all -- eth0 any anywhere anywhere
204 13045 CIP_INPUT all -- any any anywhere anywhere
146 9781 CIP_INPUT_p all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1166 packets, 220K bytes)
pkts bytes target prot opt in out source destination