Cisco Cisco Prime Central 1.5 Installation Guide
to only those workstations that need explicit access. As additional precaution against denial of service (DoS) attacks, administrators
should apply rate-limiting policies. Administrators can use firewall software such as Linux iptables to implement access
restrictions and rate-limiting policies.
should apply rate-limiting policies. Administrators can use firewall software such as Linux iptables to implement access
restrictions and rate-limiting policies.
◦In some cases, the packet source is not known ahead of time; for example, the HTTPS port that clients use to communicate
with the Prime Central portal.
◦In some cases, the packet source is known ahead of time; for example, a distributed Prime Central installation, where the
Prime Central portal must communicate with the Prime Central integration layer.
• Restricted—We recommend that administrators restrict access to all other ports. Administrators can use firewall software such
as Linux iptables to implement access restrictions.
Sample Remediation Policy Script
The following sample script shows how a system administrator can implement a remediation policy by using the built-in Linux
iptables firewall feature.
iptables firewall feature.
#!/bin/bash
FWCONF=/etc/init.d/iptables
FW=/sbin/iptables
FW=/sbin/iptables
#Start firewall
$FWCONF save
$FWCONF start
$FWCONF save
$FWCONF start
#Remove any previous rules:
$FW -F
$FW -X
$FW -P INPUT ACCEPT
$FW -P FORWARD ACCEPT
$FW -P OUTPUT ACCEPT
$FW -F
$FW -X
$FW -P INPUT ACCEPT
$FW -P FORWARD ACCEPT
$FW -P OUTPUT ACCEPT
#Drop invalid packets
$FW -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID "
$FW -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID "
--log-ip-options --log-tcp-options
$FW -A INPUT -m state --state INVALID -j DROP
#Permit rules
#Allow local packets (category 1 packets)
$FW -A INPUT -i lo -j ACCEPT
$FW -A INPUT -i lo -j ACCEPT
#Allow icmp/esp/ah packets
$FW -A INPUT -p icmp --icmp-type any -j ACCEPT
$FW -A INPUT -p esp -j ACCEPT
$FW -A INPUT -p ah -j ACCEPT
$FW -A INPUT -p icmp --icmp-type any -j ACCEPT
$FW -A INPUT -p esp -j ACCEPT
$FW -A INPUT -p ah -j ACCEPT
#Allow any tcp traffic to port <allowed-port> with rate-limiting to <rate> packets/second (category 2a packets)
$FW -A INPUT -s 0/0 -d 0/0 -j ACCEPT --protocol tcp --dport <allowed-port> -m hashlimit --hashlimit
<rate>/second
$FW -A INPUT -s 0/0 -d 0/0 -j ACCEPT --protocol tcp --dport <allowed-port> -m hashlimit --hashlimit
<rate>/second
#Allow tcp traffic from source address <source-IP> to a port <allowed-port> with rate-limiting to <rate>
packets/second (category 2b packets)
$FW -A INPUT -s <source-IP>/32 -d 0/0 -j ACCEPT --protocol tcp --dport <allowed-port> -m hashlimit --hashlimit
packets/second (category 2b packets)
$FW -A INPUT -s <source-IP>/32 -d 0/0 -j ACCEPT --protocol tcp --dport <allowed-port> -m hashlimit --hashlimit
<rate>/second
#Allow any tcp traffic to ephemeral ports with rate-limiting to <rate> packets/second (category 3a packets)
$FW -A INPUT -p tcp --dport 32768:6100 -m hashlimit --hashlimit <rate>/second
$FW -A INPUT -p tcp --dport 32768:6100 -m hashlimit --hashlimit <rate>/second
#Allow tcp traffic from source address <source-IP> to ephemeral ports with rate-limiting to <rate>
packets/second (category 3b packets)
$FW -A INPUT -s <source-IP>/32 -p tcp --dport 32768:6100 -m hashlimit --hashlimit <rate>/second
packets/second (category 3b packets)
$FW -A INPUT -s <source-IP>/32 -p tcp --dport 32768:6100 -m hashlimit --hashlimit <rate>/second
#Allow established connections
12