Virtual TapeServer 6.04.03 for NonStop Servers Supplemental Installation Guide
Enabling Instant DR and AutoCopy | 21
Configuring TCP/IP security
Security becomes necessary when using Instant DR if the communication link
between VTS servers does not lie entirely within your network. If you do not secure the link,
others can gain access to the VTS operating system over TCP/IP from outside the corporate
network. To tighten security, you can configure iptables to block all TCP/IP traffic arriving on
eth1 except SSH, RSH, and ICMP (ping and traceroute).
To configure TCP/IP security
1. On the VTS server, create the /etc/sysconfig/iptables file and open it for editing.
2. Insert the following lines:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 514 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth1 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m state --state INVALID -j REJECT --reject-with icmp-port-unreachable
COMMIT
Here is an explanation of these lines:
• *filter
Sets the “filter” table as the table to be modified.
• :INPUT ACCEPT [0:0]
Sets the INPUT chain to a default value of ACCEPT. The [0:0] parameter is the count
of packets and bytes to be set when establishing this chain.
• :FORWARD ACCEPT [0:0]
Sets the FORWARD chain to a default value of ACCEPT and its packet and byte
counters to 0.
• :OUTPUT ACCEPT [0:0]
Sets the OUTPUT chain to a default value of ACCEPT and its packet and byte
counters to 0.
• -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
Allows connections on port 22 (SSH).
• -A INPUT -i eth1 -p tcp -m tcp --dport 514 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 514 -j ACCEPT
Allow RSH connections on UDP and TCP port 514.
• -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
Tracks the connections and allows only established connections. An established
connection is associated with a connection that has seen packets in both directions.
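As an added example that is not part of the guide, the following Python script evaluates the INPUT chain of the ruleset above the way iptables does (first matching rule wins, the chain's default policy otherwise), so you can confirm what reaches the VTS: SSH and RSH on eth1 are accepted, any other new connection on eth1 is rejected, and traffic on other interfaces falls through to the ACCEPT policy. It models only the match options this ruleset uses and assumes the caller supplies the connection-tracking state.

```python
# Constructed copy of the ruleset from the guide's /etc/sysconfig/iptables (the wrapped REJECT line joined).
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 514 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth1 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m state --state INVALID -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
# Match options the ruleset uses -> packet attribute they must equal ("-m" and "--reject-with" add no condition).
MATCH_OPTS = {"-i": "iface", "-p": "proto", "--dport": "dport", "--state": "state"}

def parse_ruleset(text):
    """Return ({chain: policy}, [rules]); each rule dict holds 'chain', 'target' and its match conditions."""
    policies, rules = {}, []
    for toks in (line.split() for line in text.splitlines()):
        if toks and toks[0].startswith(":"):        # ":INPUT ACCEPT [0:0]" sets the chain's default policy
            policies[toks[0][1:]] = toks[1]
        elif toks and toks[0] == "-A":              # "-A CHAIN opt val opt val ..." appends a rule
            rule = {"chain": toks[1]}
            for opt, val in zip(toks[2::2], toks[3::2]):
                if opt == "-j":
                    rule["target"] = val
                elif opt in MATCH_OPTS:
                    rule[MATCH_OPTS[opt]] = int(val) if opt == "--dport" else val
            rules.append(rule)
    return policies, rules

def verdict(pkt, chain="INPUT", ruleset=RULESET):
    """First rule whose every condition matches wins; otherwise the chain policy. Returns (target, rule index|None)."""
    policies, rules = parse_ruleset(ruleset)
    for n, rule in enumerate(r for r in rules if r["chain"] == chain):
        conds = {k: v for k, v in rule.items() if k not in ("chain", "target")}
        if all(pkt.get(k) == v for k, v in conds.items()):
            return rule["target"], n
    return policies[chain], None

if __name__ == "__main__":   # the caller states the conntrack state; nothing here tracks connections
    for desc, pkt in [("new SSH on eth1",  {"iface": "eth1", "proto": "tcp", "dport": 22, "state": "NEW"}),
                      ("new HTTP on eth1", {"iface": "eth1", "proto": "tcp", "dport": 80, "state": "NEW"}),
                      ("new HTTP on eth0", {"iface": "eth0", "proto": "tcp", "dport": 80, "state": "NEW"})]:
        print(f"{desc}: {verdict(pkt)}")
```

Note that the eth1 REJECT rule precedes the INVALID rule, so invalid TCP on eth1 is rejected by rule 6, while the INVALID rule only ever sees traffic from other interfaces; a new connection on eth0 matches nothing and is accepted by the chain policy.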