Firewall IPTables

IPTables running on FMADIO Capture systems

FW: 7650+

IPTables, the Linux stateful firewall software, runs on the FMADIO devices. By default iptables is disabled, i.e. the policy is ACCEPT for everything. In some scenarios a tighter security policy may be needed.

The iptables command works the same as on a standard Linux system. Please refer to the following link for documentation.

IPTables documentation

Required Rules

FMADIO uses nginx and fcgi backends as well as proxy pass settings. As such IPTABLES requires an INPUT localhost ACCEPT rule such as the following.

which can be added as follows

Without this INPUT ACCEPT rule on the loopback interface, the FMADIO GUI dashboards and status settings cannot be retrieved.

Persistent Configuration

After configuring the IPTABLES setup on the FMADIO Packet Capture device, the settings are lost each time the system is rebooted unless they are made persistent.

We use the iptables-save and iptables-restore commands with the configuration file located

To save the current state run

This generates a file that looks like the following. This is a baseline recommended setting for SSH, HTTP and HTTPS access only.

To remove the persistent IPTABLES setting, delete the /opt/fmadio/etc/iptables.conf file and reboot the system.
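The following is an added example, not FMADIO's own code: it emits a baseline ruleset in iptables-save format (loopback ACCEPT for the nginx/fcgi GUI, SSH/HTTP/HTTPS, DROP everything else) and checks a saved file for the loopback rule that the GUI depends on. It assumes the documented path /opt/fmadio/etc/iptables.conf for the real device, an ESTABLISHED,RELATED rule (added here so replies to outbound connections survive the DROP policy), and writes to a temp file so it can run without root or a live firewall.

```shell
#!/bin/sh
# Added example (not FMADIO's own code). Writes to a temp file; on the device
# the target would be /opt/fmadio/etc/iptables.conf (assumed from the docs).

# Emit an iptables-restore format ruleset: loopback ACCEPT (required for the
# nginx/fcgi proxy-pass GUI), established/related replies, SSH/HTTP/HTTPS,
# and a DROP default policy for everything else on INPUT.
baseline_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Sanity-check a saved ruleset before rebooting: the loopback ACCEPT rule must
# be present (otherwise the GUI breaks) and INPUT must default to DROP.
# Returns 0 when both hold, 1 otherwise.
check_ruleset() {
  file="$1"
  grep -q -- '^-A INPUT -i lo -j ACCEPT' "$file" \
    || { echo "missing loopback ACCEPT rule: GUI will not work" >&2; return 1; }
  grep -q -- '^:INPUT DROP' "$file" \
    || { echo "INPUT policy is not DROP" >&2; return 1; }
  return 0
}

# Count the -A rule lines in a saved file (compare with `iptables -S`).
rule_count() {
  grep -c -- '^-A ' "$1"
}

CONF="${IPTABLES_CONF:-${TMPDIR:-/tmp}/iptables.conf.example}"
baseline_ruleset > "$CONF"
check_ruleset "$CONF" && echo "ruleset ok: $(rule_count "$CONF") rules in $CONF"
# On the device: iptables-restore < /opt/fmadio/etc/iptables.conf
```

Set IPTABLES_CONF to the real path on the device to write the file there instead of the temp location.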

IPMI BMC Firewall

The firewall on the IPMI/BMC is a bit trickier, as there is no direct access to iptables and manipulation needs to be done using the very unfriendly ipmitool raw access.

IPMI does have a firewall manipulation GUI, but it is impossible to use due to how it works. There is no way to set a policy on INPUT rules; instead you need to drop everything and build up the chain. Below are the final iptables rules we want to create.

Target IPMI Firewall Rules

As you can see it is a bit bastardized, but there is no choice as each rule is always added to the top of the chain.

Our goal is to DROP everything, except SSH, HTTPS and IPMITOOL traffic.

1) Reset IPMI BMC Firewall

Start by resetting the BMC firewall state entirely. This effectively resets iptables to the default state.

Then confirm this by listing the total number of firewall rules as follows.

The value returned should be 00 indicating there are NO custom firewall rules.

NOTE: This can be used to clear/reset the firewall settings if a mistake is made.

2) Drop everything

Next we need to drop everything, as we are building the rules backwards. This is also the reason we can't use the GUI: it won't let you set a network of 0.0.0.0/0, and once you set that the GUI is no longer accessible.

As such we need to use ipmitool on the FMADIO Packet Capture device directly as we build up the rules.

The command above adds the drop everything rule to the system, this equates to the following in iptables.

IPMI FW Drop everything

You can confirm it is working correctly by checking the total number of firewall rules as follows. The returned value should be 1.

3) Enable SSH access

Next we will add SSH access to the firewall rules. This allows SMASH or shell access to the BMC device itself.

The following command opens TCP port 22 (0x16 0x00 == 22 in hex big-endian format).

This adds the following iptables rule.

IPMI Firewall SSH Access

Then confirm there are 2 firewall rules enabled.

At this point you can SSH into the BMC to confirm access is working correctly.

4) Enable HTTPS access

Next add HTTPS access enabling the IPMI BMC Web client to be accessed.

This equates to the following iptables rules.

IPMI BMC HTTPS Access

At this point the IPMI BMC Webpage can be used such as the following

5) Add ipmitool access

Finally, add ipmitool access, which is on UDP port 623.

And the related iptables rule.

IPMITOOL Firewall Setting

This enables ipmitool to work over the network, which can be extremely critical and helpful when troubleshooting problems, such as the following.

Conclusion

While it is quite cumbersome to use ipmitool raw mode to add and remove all these filters, the net result is a fairly secure BMC locked down with standard Linux iptables.

Any questions or trouble please contact support.
