Cisco Cisco Prime Central 1.5.2 Installationsanleitung
Sample Remediation Policy Script
The following sample script shows how a system administrator can implement a remediation policy by using the built-in Linux
iptables firewall feature.
iptables firewall feature.
#!/bin/bash
FWCONF=/etc/init.d/iptables
FW=/sbin/iptables
FW=/sbin/iptables
#Start firewall
$FWCONF save
$FWCONF start
$FWCONF save
$FWCONF start
#Remove any previous rules:
$FW -F
$FW -X
$FW -P INPUT ACCEPT
$FW -P FORWARD ACCEPT
$FW -P OUTPUT ACCEPT
$FW -F
$FW -X
$FW -P INPUT ACCEPT
$FW -P FORWARD ACCEPT
$FW -P OUTPUT ACCEPT
#Drop invalid packets
$FW -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID "
$FW -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID "
--log-ip-options --log-tcp-options
$FW -A INPUT -m state --state INVALID -j DROP
#Permit rules
#Allow local packets (category 1 packets)
$FW -A INPUT -i lo -j ACCEPT
$FW -A INPUT -i lo -j ACCEPT
#Allow icmp/esp/ah packets
$FW -A INPUT -p icmp --icmp-type any -j ACCEPT
$FW -A INPUT -p esp -j ACCEPT
$FW -A INPUT -p ah -j ACCEPT
$FW -A INPUT -p icmp --icmp-type any -j ACCEPT
$FW -A INPUT -p esp -j ACCEPT
$FW -A INPUT -p ah -j ACCEPT
#Allow any tcp traffic to port <allowed-port> with rate-limiting to <rate> packets/second (category 2a packets)
$FW -A INPUT -s 0/0 -d 0/0 -j ACCEPT --protocol tcp --dport <allowed-port> -m hashlimit --hashlimit
<rate>/second
$FW -A INPUT -s 0/0 -d 0/0 -j ACCEPT --protocol tcp --dport <allowed-port> -m hashlimit --hashlimit
<rate>/second
#Allow tcp traffic from source address <source-IP> to a port <allowed-port> with rate-limiting to <rate>
packets/second (category 2b packets)
$FW -A INPUT -s <source-IP>/32 -d 0/0 -j ACCEPT --protocol tcp --dport <allowed-port> -m hashlimit --hashlimit
packets/second (category 2b packets)
$FW -A INPUT -s <source-IP>/32 -d 0/0 -j ACCEPT --protocol tcp --dport <allowed-port> -m hashlimit --hashlimit
<rate>/second
#Allow any tcp traffic to ephemeral ports with rate-limiting to <rate> packets/second (category 3a packets)
$FW -A INPUT -p tcp --dport 32768:6100 -m hashlimit --hashlimit <rate>/second
$FW -A INPUT -p tcp --dport 32768:6100 -m hashlimit --hashlimit <rate>/second
#Allow tcp traffic from source address <source-IP> to ephemeral ports with rate-limiting to <rate>
packets/second (category 3b packets)
$FW -A INPUT -s <source-IP>/32 -p tcp --dport 32768:6100 -m hashlimit --hashlimit <rate>/second
packets/second (category 3b packets)
$FW -A INPUT -s <source-IP>/32 -p tcp --dport 32768:6100 -m hashlimit --hashlimit <rate>/second
#Allow established connections
$FW -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$FW -A INPUT -p tcp --dport ssh
$FW -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$FW -A INPUT -p tcp --dport ssh
-j ACCEPT
#Drop everything else (category 4 packets)
$FW -A INPUT -j DROP
$FW -A INPUT -j DROP
#Save firewall rules.
$FWCONF save
$FWCONF save
Embedded Database Requirements
An embedded database for use with Prime Central has the following requirements. These requirements are in addition to those in
.
12