Selecting Configuration>Network>IP Filtering in Expert mode brings up the IP Filtering form as shown in the following figure. You can use the IP Filtering form to filter traffic to and from the KVM and block traffic according to rules you define.

The KVM uses chains and rules for filtering packets, like a firewall. Each entry in the list represents a chain with a set of rules. The form by default has three built-in chains, as shown in the previous figure. The chains accept all INPUT, FORWARD, and OUTPUT packets. You can use the form to do the following to specify packet filtering:

The Add Rule and Edit Rule dialog boxes have the fields and options shown in the following figure.

If you check the “Inverted” check box on any line, the target action is performed on packets that do not match the criterion specified on that line, provided that any other criteria specified in the rule are also met. For example, if you select DROP as the target action, check “Inverted” on the line with a source IP address specified, and do not specify any other criteria in the rule, any packets arriving from a source IP address other than the one specified are dropped.

The “Target” is the action to be performed on an IP packet that matches all the criteria specified in a rule. The target drop-down list is shown in the following figure. If the “LOG” or “REJECT” target is selected, additional fields appear, as described under LOG Target and REJECT Target.

If you fill in the “Source IP” field, incoming packets are filtered for the specified IP address.
If you fill in the “Destination IP” field, outgoing packets are filtered for the specified IP address. If you fill in either “Mask” field, incoming or outgoing packets are filtered for IP addresses from the network defined by the specified netmask.

You can select a protocol for filtering from the “Protocol” drop-down list, which is shown in the following figure. The additional fields that appear for each protocol are explained in the following sections.

If you select Numeric as the protocol when specifying a rule, a text field appears to the right of the menu for you to enter the desired protocol number, as shown in the following figure.

If you select TCP as the protocol when specifying a rule, the additional fields shown in the following figure appear for you to fill out at the bottom of the form.
(Figure fields: Source Port, Destination Port)

You can specify a source or destination port number for filtering in the “Source Port” or “Destination Port” field. If you specify a second number in the “to” field, TCP packets are filtered for any port number within the range that starts with the first port number and ends with the second.

You can select the check box next to any of the TCP flags: “SYN” (synchronize), “ACK” (acknowledge), “FIN” (finish), “RST” (reset), “URG” (urgent), or “PSH” (push), and select either “Any,” “Set,” or “Unset.” TCP packets are then filtered for the specified flag and the selected condition.

If you select UDP as a protocol when specifying a rule, the additional fields shown in the following figure appear at the bottom of the form.
You can specify a source or destination port number for filtering in the “Source Port” or “Destination Port” field. If you specify a second number in the “to” field, packets are filtered for any port number within the range that starts with the first port number and ends with the second.

If you select ICMP as a protocol when specifying a rule, the ICMP Type drop-down list appears in the ICMP Options Section at the bottom of the IP Filtering form. The following figure shows the options.

If you enter an interface (such as eth0 or eth1) in the “Input Interface” field, incoming packets are filtered for the specified interface. If you enter an interface in the “Output Interface” field, outgoing packets are filtered for the specified interface.
Input Interface: The input interface (ethN) for the packet.
Output Interface: The output interface (ethN) for the packet.

If you select “LOG” from the “Target” field, the following fields and menus appear in the “LOG Options Section” at the bottom of the form. The following table defines the menu options, field, and check boxes in the “LOG Options Section.”
Checking the box includes the TCP sequence in the log.

Any “Reject with” option causes the input packet to be dropped and a reply packet of the specified type to be sent.
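The matching semantics described above (first match in a chain decides, LOG records and continues, an “Inverted” line matches when its own criterion fails while the other lines still have to match) can be checked offline with a small model. The following is an added example, not code from the manual or from the KVM firmware; it models only the Source IP/Mask, Protocol, Destination Port range and TCP flag lines, and the chain contents and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple, List
@dataclass
class Packet:                  # constructed sample packet, not a real capture
    src: str
    proto: str                 # "tcp", "udp", "icmp" or a protocol number
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags that are set, e.g. {"SYN"}
@dataclass
class Rule:                    # the lines of the Add/Edit Rule dialog
    target: str                # ACCEPT, DROP, REJECT, LOG or RETURN
    src: Optional[str] = None  # "Source IP" plus "Mask", written as CIDR
    src_inv: bool = False      # the "Inverted" box on the Source IP line
    proto: Optional[str] = None
    proto_inv: bool = False
    dport: Optional[Tuple[int, int]] = None     # "Destination Port" and "to"
    flags: dict = field(default_factory=dict)   # {"SYN": "Set", "ACK": "Unset"}

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every filled-in line must match; an Inverted line matches only when
    its own criterion does NOT, while the other lines still have to."""
    checks: List[bool] = []
    if rule.src is not None:
        net = ipaddress.ip_network(rule.src, strict=False)
        checks.append((ipaddress.ip_address(pkt.src) in net) != rule.src_inv)
    if rule.proto is not None:
        checks.append((pkt.proto == rule.proto) != rule.proto_inv)
    if rule.dport is not None:
        checks.append(rule.dport[0] <= pkt.dport <= rule.dport[1])
    for flag, cond in rule.flags.items():      # flags left at "Any" are omitted
        checks.append((flag in pkt.flags) == (cond == "Set"))
    return all(checks)

def run_chain(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT"):
    """First matching terminating target decides; LOG only records and
    continues, and RETURN ends the chain so the chain policy applies."""
    logged: List[str] = []
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.target == "LOG":
            logged.append(f"{pkt.proto} {pkt.src} -> port {pkt.dport}")
            continue
        return (policy if rule.target == "RETURN" else rule.target), logged
    return policy, logged
# Constructed INPUT chain: log SSH SYNs, allow SSH from the management net, then
# (the manual's Inverted example) drop all traffic not from 198.51.100.10.
INPUT = [Rule("LOG", proto="tcp", dport=(22, 22), flags={"SYN": "Set"}),
         Rule("ACCEPT", src="10.0.0.0/24", proto="tcp", dport=(22, 22)),
         Rule("DROP", src="198.51.100.10/32", src_inv=True)]
```

Note that the built-in chains default to an ACCEPT policy, so a packet that matches no rule (or hits RETURN) is accepted unless the DROP-all-others rule is present.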
4. See the To Add a Rule for IP Filtering procedure section for a definition of the user input fields. See IP Filtering for a definition of the input fields, if needed.
2. Select the chain whose rule you want to edit from the Chain list, and then click the “Edit Rules” button. Each line in the list box represents a chain. For a definition or explanation of the field columns, refer to the introductory section of this procedure or to the field definitions for the Edit Rule dialog box in the next section.
3. Enter the name of the chain that you are adding to the filter table, and then select OK. (Spaces are not allowed in the chain name.)
4. After entering a new chain name, click on the Edit Rules button to enter the rules for that chain.
2. Select the Chain you wish to edit from the Chain list box (or filter table), and select the Edit button.
Target: Indicates the action to be performed on the IP packet when it matches the rule. For example, the kernel can ACCEPT, DROP, RETURN, LOG, or REJECT the packet by sending a message, translating the source or the destination IP address/port, or sending the packet to another user-defined chain.
Mask (Source): Source network mask. Required when a network should be included in the rule.
Inverted (Source IP): Select the check box adjacent to Source IP to invert the target action. For example, the action assigned to the target will be performed on all source IPs/Masks except the one just defined.
Inverted (Destination IP): Select the check box adjacent to Destination IP to invert the target action. For example, the action assigned to the target will be performed on all Destination IPs/Masks except the one just defined.
Protocol: The transport protocol to check. If the numeric value is available, select Numeric and type the value in the adjacent field; otherwise, select one of the other options.
Inverted (Protocol): Select the check box adjacent to Protocol to invert the target action. For example, the action assigned to the target will be performed on all protocols except the one just defined.
Input Interface: The interface through which the IP packet should pass. The Input Interface option appears only for the INPUT and FORWARD chains.
Inverted (Input Interface): Select the check box adjacent to Input Interface to invert the target action. For example, the action assigned to the target will be performed on all interfaces except the one just defined.
Output Interface: The interface through which the IP packet should pass. The Output Interface option appears for the FORWARD and OUTPUT chains.
Inverted (Output Interface): Select the check box adjacent to Output Interface to invert the target action. For example, the action assigned to the target will be performed on all interfaces except the one just defined.
Fragments: Indicates the fragments or unfragmented packets to be checked. The IP Tables can check for:
• This dropdown list box contains all the ICMP types that may be applied to the current rule. This ICMP option will be applied to all rules except the currently selected rule.
Log Level: The log level classification to be used, based on the type of error message (such as alert, warning, info, debug, and so on).

“Reject with” means that the filter drops the input packet and sends back a reply packet according to any of the reject types listed below. Using TCP flags and the appropriate reject type, the packets are matched with the REJECT target. The following options are available:
• icmp-net-unreachable – ICMP network unreachable alias
• icmp-host-unreachable – ICMP host unreachable alias
• icmp-port-unreachable – ICMP port unreachable alias
• icmp-proto-unreachable – ICMP protocol unreachable alias
• icmp-net-prohibited – ICMP network prohibited alias
• icmp-host-prohibited – ICMP host prohibited alias
• echo-reply – Echo reply alias
• tcp-reset – TCP RST packet alias