We help IT Professionals succeed at work.
Get Started

exact syntax to permit ipfilter rules in Solaris 10 x86

256 Views
Last Modified: 2016-01-04
I have many tenants in our cloud using RHEL 5.x/6.x & Solaris x86:
some tenants enable/use iptables while some disable/don't;
similarly for Solaris x86 tenants.

I have a common service which I need to permit rules in iptables
(for RHEL VMs) regardless of whether the tenant is currently
using iptables or not (ie just leave the rules there & if one day
the tenant decides to enable/use iptables, the rules to allow the
common service will have been there).

Requirements:
==========
a) permit a rule to allow Tcp4120 from current tenant VM to 172.21.3.a
b) permit a rule to allow Tcp4118 from 172.21.3.a to the current tenant VM

By "current tenant VM", it needs to be applied on all the network interfaces.

Are the commands below correct?
# /sbin/iptables -A RH-Firewall-1-OUTPUT -p tcp --dport 4120 -d 172.21.a.b -j ACCEPT
# /sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 4118 -d localhost -j ACCEPT
# /sbin/service iptables save   <== this creates /etc/sysconfig/iptables if it's absent?


******************************************************************************************

Sorry this is off-topic for Solaris iptables but appreciate anyone who can help:

I refer to examples in links below but I'm still confused:
  http://docs.oracle.com/cd/E23824_01/html/821-1453/ipfilter-admin-2.html
  http://docs.oracle.com/cd/E23824_01/html/821-1453/eubbd.html


Q1:
So do I just add the following lines to the top (not the bottom, right? )  of /etc/ipf/ipf.conf  ?
  pass in log (quick) on "all_interfaces" proto tcp from 172.21.a.b to "all_interfaces" port = 4118 keep state
 pass out log (quick) on "all_interfaces" proto tcp from "all_interfaces"  to 172.21.a.b port = 4120 keep state

Q2:
What's the the purpose of "quick" in the above rules?  What's the difference if it's absent or
present?

Q3:
As our Solaris x86 VMs has about four interfaces, can someone substitute "all_interfaces" in the
above rules with actual global value: I reckon there must be an actual Solaris implementation
value that refers to "all interfaces";  if there's none, let me know so that I can repeat it four times
for all the four interfaces

Q4:
What's the purpose of "keep state"?  is it needed in my case?

Q5:
if ipf.conf is not present in /etc/ipf  folder, does this mean ipfilter (as given by 'svcs -a |grep -i ipfilter') is offline?

Q6:
if it's offline & I just create the absent ipf.conf file anyway so that one day if ipfilter is onlined/used,
the rules will already be there?  If ipfilter is offline, no harm creating ipf.conf, right?
Did I miss out anything in my assumptions?
Comment
Watch Question
Commented:
This problem has been solved!
Unlock 1 Answer and 1 Comment.
See Answer
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE