Virtual TapeServer 6.02.00 Installation Guide

HP Virtual TapeServer Installation Guide 47 HP Part Number 528654-006 Sept 2006

vi /etc/rc.d/rc.local

Add this line:

sh /etc/iptables_script &

When rebooted, all TCP/IP traffic will be blocked except SSH (Secure IDR), RSH (IDR),

& ICMP (ping and traceroute).

Examples

These items show the commands for each of the blocked services:

iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT

Allows connections through port 22 (SSH).

iptables -A INPUT -p tcp -i eth1 --dport 873 -j ACCEPT

iptables -A INPUT -p udp -i eth1 --dport 873 -j ACCEPT

Allows connections through port 873 (RSH) UDP and TCP/IP.

iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

Tracks the connections and only allows Established connections through. An

Established connection is associated with a connection that has seen packets in both

directions.

iptables -A INPUT -p tcp -m state --state RELATED -j ACCEPT

Only allows connections through that are of a Related state. A Related connection is a

new connection that is associated with an existing connection.

iptables -A INPUT -p icmp -j ACCEPT

Allows ICMP traffic through (ping and traceroute). Not required but is helpful when

network troubleshooting.

iptables -A INPUT -i eth1 -j REJECT

Rejects all traffic with the exception of the preceding rules.

iptables -A INPUT -p tcp -m state --state INVALID -j REJECT

Sends a rejected notification to the invalid sender. You may also change this to DROP

to drop the traffic without a rejection notification.

If these preliminary results are successful, you are ready to initiate and run Instant/DR or

AutoCopy. You can find user instructions in the Operations and Administrative Guide, P/N

528654-002 on page 28.