
epic4 Configuration and Administration Guide
Network Services and Security
epic4 is part of the Starlink subnet. The network details are shown below, and they’re bound to
NIC eth0 (eth1, also on the motherboard, is unused and not configured):
FQDN        epic4.star.le.ac.uk
IP address  143.210.36.52
Mask        255.255.255.0
Gateway     143.210.36.36
DNS1        143.210.12.154
DNS2        143.210.12.152
epic4 is secured from access via the internet by an iptables-based firewall. The firewall
blocks all inbound services except those shown in table 3. Outbound traffic has no restrictions.
Protocol     Service      Port(s)                 Allowed from
ICMP         -            -                       Anywhere
TCP and UDP  ssh          22                      Anywhere
TCP and UDP  ntp          123                     Anywhere
TCP and UDP  NFS          111, 2049, 32000-32999  epic3.xra.le.ac.uk
UDP          netbios-ns   137                     xra.le.ac.uk
UDP          netbios-dgm  138                     xra.le.ac.uk
TCP and UDP  netbios-ssn  139                     xra.le.ac.uk
Table 3 - epic4 network services
The full iptables rule set is stored in /etc/sysconfig/iptables. This isn’t the best place
for it – inadvertently running /etc/init.d/iptables save while the live tables are in the wrong
state will overwrite the saved rules with whatever is currently loaded. The rules are as follows:
Chain INPUT (policy DROP)
target     prot opt source           destination
DROP       all  -f  anywhere         anywhere
DROP       all  --  127.0.0.0/8      anywhere
ACCEPT     all  --  anywhere         anywhere
ACCEPT     icmp --  anywhere         anywhere         icmp echo-request
ACCEPT     tcp  --  anywhere         anywhere         tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere         anywhere         tcp dpt:ntp
ACCEPT     udp  --  anywhere         anywhere         udp dpt:ntp
ACCEPT     udp  --  143.210.40.0/24  anywhere         udp dpt:netbios-ns
ACCEPT     udp  --  143.210.40.0/24  anywhere         udp dpt:netbios-dgm
ACCEPT     tcp  --  143.210.40.0/24  anywhere         tcp dpt:netbios-ssn
ACCEPT     udp  --  143.210.40.0/24  anywhere         udp dpt:netbios-ssn
ACCEPT     all  --  anywhere         anywhere         state RELATED,ESTABLISHED
REJECT     all  --  anywhere         anywhere         state NEW reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP)
target     prot opt source           destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source           destination
ACCEPT     all  --  anywhere         anywhere
ACCEPT     tcp  --  anywhere         anywhere         state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere         anywhere         state NEW,ESTABLISHED
ACCEPT     icmp --  anywhere         anywhere         state NEW,RELATED,ESTABLISHED
Complete documentation on iptables can be found at http://www.netfilter.org/.
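As an added check, not part of the original guide or of any script on epic4, the following Python parses the rule listing above (the format printed by iptables -L) and compares the INPUT chain with the exposures that Table 3 intends. It assumes ports are listed by the names iptables -L takes from /etc/services (sunrpc for 111, nfs for 2049, and dpts:32000:32999 for the range); the source check only asks whether a service that Table 3 restricts is accepted from "anywhere", so no host names need resolving. Run against the listing above it reports the Table 3 entries that have no matching ACCEPT rule (the UDP half of ssh and all of the NFS entries) and flags the unconditional ACCEPT in INPUT for verification, because plain iptables -L does not show interface matches.

```python
import re
from dataclasses import dataclass

# Constructed input: the INPUT/FORWARD/OUTPUT listing reproduced in this guide,
# with the spacing `iptables -L` prints collapsed to single spaces.
LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -f anywhere anywhere
DROP all -- 127.0.0.0/8 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:ntp
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT udp -- 143.210.40.0/24 anywhere udp dpt:netbios-ns
ACCEPT udp -- 143.210.40.0/24 anywhere udp dpt:netbios-dgm
ACCEPT tcp -- 143.210.40.0/24 anywhere tcp dpt:netbios-ssn
ACCEPT udp -- 143.210.40.0/24 anywhere udp dpt:netbios-ssn
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere state NEW reject-with icmp-proto-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
"""

# Intended exposure transcribed from Table 3: (protocol, destination port as
# `iptables -L` names it from /etc/services (assumed), source must be restricted?).
EXPECTED = [
    ("tcp", "ssh", False), ("udp", "ssh", False), ("tcp", "ntp", False), ("udp", "ntp", False),
    ("tcp", "sunrpc", True), ("udp", "sunrpc", True),            # 111
    ("tcp", "nfs", True), ("udp", "nfs", True),                  # 2049
    ("tcp", "32000:32999", True), ("udp", "32000:32999", True),  # printed as dpts:
    ("udp", "netbios-ns", True), ("udp", "netbios-dgm", True),
    ("tcp", "netbios-ssn", True), ("udp", "netbios-ssn", True),
]


@dataclass
class Rule:
    target: str
    proto: str
    opt: str
    source: str
    dest: str
    extra: str = ""  # trailing match text, e.g. "tcp dpt:ssh flags:SYN,RST,ACK/SYN"

    @property
    def dport(self):
        m = re.search(r"dpts?:(\S+)", self.extra)  # single port or port range
        return m.group(1) if m else None


def parse_listing(text):
    """Parse `iptables -L` output into {chain: {"policy": str, "rules": [Rule]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif line and current and not line.startswith("target "):
            parts = line.split(None, 5)  # target prot opt source destination [matches]
            if len(parts) < 5:
                raise ValueError(f"unparseable rule line: {line!r}")
            chains[current]["rules"].append(Rule(*parts[:5], parts[5] if len(parts) == 6 else ""))
    return chains


def audit_input_chain(chains, expected=EXPECTED):
    """List the ways the INPUT chain diverges from the intended exposure."""
    findings, inp = [], chains["INPUT"]
    if inp["policy"] != "DROP":
        findings.append(f"INPUT policy is {inp['policy']}, expected DROP")
    accepts = [r for r in inp["rules"] if r.target == "ACCEPT"]
    for proto, port, restricted in expected:
        hits = [r for r in accepts if r.proto == proto and r.dport == port]
        if not hits:
            findings.append(f"no ACCEPT rule for {proto}/{port}")
        for r in hits:
            if restricted and r.source == "anywhere":
                findings.append(f"{proto}/{port} is open to anywhere but should be restricted")
    wanted = {(p, port) for p, port, _ in expected}
    for r in accepts:
        if r.dport and (r.proto, r.dport) not in wanted:
            findings.append(f"unexpected ACCEPT for {r.proto}/{r.dport} from {r.source}")
        # Plain `iptables -L` hides interface matches such as -i lo, so an ACCEPT
        # with no visible condition must be confirmed with `iptables -L -v -n`.
        if r.proto == "all" and r.source == "anywhere" and not r.extra:
            findings.append("unconditional ACCEPT in INPUT: confirm its interface match with iptables -L -v -n")
    return findings


if __name__ == "__main__":
    for finding in audit_input_chain(parse_listing(LISTING)):
        print(finding)
```

Feeding it the live output of iptables -L instead of the embedded listing turns it into a drift check that can run from cron alongside the daily root mail; a non-empty findings list means the saved rules, the loaded rules and Table 3 no longer agree and should be reconciled by hand rather than by running iptables save.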
Little system monitoring is performed. Logs go into /var/log and are configured in
/etc/syslog.conf, with log rotation set up in /etc/logrotate.conf to prevent the /var
partition filling up over time. Some log details are mailed daily to whoever root is