Solution for restricting / allowing telnet and FTP by IP address

by arvibm
Here is a solution for restricting / allowing telnet and FTP access by IP address.
This document assumes that you are running AIX 4.3.3. It walks you through installing the IP Security (ipsec) software and then creating a pair of filter rules so that only the machine with IP address 9.3.6.180 can FTP to 9.3.6.177.
1. Install the software (on AIX 4.3.3 CD 2):

bos.msg.en_US.net.ipsec 4.3.3.0
bos.net.ipsec.rte 4.3.3.0

2. Install the latest fixes for the ipsec filesets installed above:

bos.net.ipsec.rte 4.3.3.77
3. Reboot.

4. Start IP Security:

# smitty ipsec4
    Start/Stop IP Security
        Start IP Security
5. Check that ipsec is available:

# lsdev -Cc ipsec
ipsec_v4 Available  IP Version 4 Security Extension

6. Go to the filter rule screen:

# smitty ipsec4
    Advanced IP Security Configuration
        Configure IP Security Filter Rules
            Add an IP Security Filter Rule

7. Add a filter rule to permit FTP from 9.3.6.180 to 9.3.6.177:

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                  [Entry Fields]
* Rule Action                                     [permit]
* IP Source Address                               [9.3.6.180]
* IP Source Mask                                  [255.255.255.255]
  IP Destination Address                          [9.3.6.177]
  IP Destination Mask                             [255.255.255.255]
* Apply to Source Routing? (PERMIT/inbound only)  [yes]
* Protocol                                        [all]
* Source Port / ICMP Type Operation               [any]
* Source Port Number / ICMP Type                  [0]
* Destination Port / ICMP Code Operation          [eq]
* Destination Port Number / ICMP Type             [21]
* Routing                                         [both]
* Direction                                       [both]
* Log Control                                     [no]
* Fragmentation Control                           [all packets]
* Tunnel ID                                       [0]
* Interface                                       [all]

8. Add another filter rule to deny all other FTP requests to 9.3.6.177. A source address of 0.0.0.0 with mask 0.0.0.0 matches any source. This rule must sit below the permit rule from step 7: filter rules are evaluated top to bottom and the first match wins, so a deny placed above the permit would lock out 9.3.6.180 as well.

Add an IP Security Filter Rule

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                  [Entry Fields]
* Rule Action                                     [deny]
* IP Source Address                               [0.0.0.0]
* IP Source Mask                                  [0.0.0.0]
  IP Destination Address                          [9.3.6.177]
  IP Destination Mask                             [255.255.255.255]
* Apply to Source Routing? (PERMIT/inbound only)  [yes]
* Protocol                                        [all]
* Source Port / ICMP Type Operation               [any]
* Source Port Number / ICMP Type                  [0]
* Destination Port / ICMP Code Operation          [eq]
* Destination Port Number / ICMP Type             [21]
* Routing                                         [both]
* Direction                                       [both]
* Log Control                                     [no]
* Fragmentation Control                           [all packets]
* Tunnel ID                                       [0]
* Interface                                       [all]

9. Activate the filter rules by backing out to the "Advanced IP Security Configuration" screen:

# smitty ipsec4
    Advanced IP Security Configuration
        Activate/Update/Deactivate IP Security Filter Rule
            Activate / Update

10. If you've made it this far, you should now be able to FTP to 9.3.6.177 ONLY from the 9.3.6.180 box. Any other machine attempting to FTP to 9.3.6.177 will fail.

The rules above match destination port 21, the FTP control port. To restrict telnet in the same way, add the same permit/deny pair with destination port 23.
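The same two rules from the command line, as an added example that is not part of the original FAQ: bos.net.ipsec.rte also ships genfilt, mkfilt and lsfilt, so the permit/deny pair can be scripted rather than typed into SMIT, and parameterised by client, server and service (ftp = 21, telnet = 23, or a numeric port). The script assumes those three AIX commands; on a box without them it only prints what it would run. Two things differ deliberately from the screens above: the protocol is tcp rather than "all", since port comparisons only apply to TCP/UDP, and the flag set follows the genfilt man page as I know it, so check it against yours before relying on it.

```shell
#!/bin/sh
# Added example (not from the original FAQ): command-line equivalent of the
# two SMIT "Add an IP Security Filter Rule" screens above. Assumes the AIX
# genfilt / mkfilt / lsfilt commands from bos.net.ipsec.rte; without them
# (e.g. on a non-AIX box) it only prints the commands it would run.

# Map a service name to its TCP control port; a numeric argument passes
# through unchanged. FTP control is 21 and telnet is 23.
service_port() {
    case "$1" in
        ftp)         echo 21 ;;
        telnet)      echo 23 ;;
        ''|*[!0-9]*) echo "unknown service or port: $1" >&2; return 1 ;;
        *)           echo "$1" ;;
    esac
}

# Print the ordered rule pair for one service, permit rule first.
#   $1 = client allowed in   $2 = protected server   $3 = service name or port
# Flags follow the SMIT field order: action (-a P/D), source/mask (-s/-m),
# destination/mask (-d/-M), source routing (-g), protocol (-c), source port
# op/number (-o/-p), destination port op/number (-O/-P), routing (-r B),
# direction (-w B), log (-l N), fragmentation (-f Y = all packets),
# tunnel id (-t 0), interface (-i all). Protocol is tcp, not the screen's
# "all": port comparisons only mean anything for tcp/udp.
filter_rules() {
    client=$1; server=$2
    port=$(service_port "$3") || return 1
    rest="-d $server -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P $port -r B -w B -l N -f Y -t 0 -i all"
    # permit: only this one client may reach the service port
    echo "genfilt -v 4 -a P -s $client -m 255.255.255.255 $rest"
    # deny: every other source (address 0.0.0.0 with mask 0.0.0.0 = any)
    echo "genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 $rest"
}

# Add the rules, activate the table (mkfilt -u is SMIT's Activate/Update)
# and list it so the order can be checked. AIX walks the filter table top to
# bottom and the first match wins: the permit must sit above the deny or
# the allowed client is locked out too.
apply_rules() {
    if command -v genfilt >/dev/null 2>&1; then
        filter_rules "$@" | sh -e
        mkfilt -v 4 -u
        lsfilt -v 4
    else
        echo "# dry run, no AIX filter commands here; would run:"
        filter_rules "$@"
        echo "mkfilt -v 4 -u"
        echo "lsfilt -v 4"
    fi
}

# Usage on the protected host:  sh restrict_service.sh 9.3.6.180 9.3.6.177 ftp
if [ $# -eq 3 ]; then
    apply_rules "$1" "$2" "$3"
fi
```

Run it on the protected host as `sh restrict_service.sh 9.3.6.180 9.3.6.177 ftp` (or `telnet`), then read the `lsfilt -v 4` listing: the permit rule must appear before the deny rule, and both before the table's default permit-all rule at the end. That default rule is why the explicit deny is needed at all, and it also means only the control port is gated: FTP data connections (server port 20 outbound in active mode, server-side ephemeral ports in passive mode) are not touched by either rule, which is fine because a client that cannot open the control connection never gets that far.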