WMI for Administrators > Configuration > Network > IP Filtering

IP Filtering
Selecting Configuration>Network>IP Filtering in Expert mode brings up the IP Filtering form as shown in the following figure.
IP Filtering Configuration Form
You can use the IP Filtering form to filter traffic to and from the KVM/net and block traffic according to rules you define.
The KVM/net uses chains and rules for filtering packets like a firewall. Each entry in the list represents a chain with a set of rules.
The form by default has three built-in chains, as shown in the previous figure. The chains accept all INPUT, FORWARD, and OUTPUT packets. You can use the form to do the following to specify packet filtering:
Add Rule and Edit Rule Options
The Add Rule and Edit Rule dialog boxes have the fields and options shown in the following figure.
Inverted Check Boxes
If you check the “Inverted” check box on any line, the target action is performed on packets that do not match any of the criteria specified in that line when any other specified criteria are also met.
For example, if you select DROP as the target action, check “Inverted” on the line with a source IP address specified, and do not specify any other criteria in the rule, any packets arriving from any other source IP address than the one specified are dropped.
Target Drop-down List Options
The “Target” is the action to be performed on an IP packet that matches all the criteria specified in a rule. The target drop-down list is shown in the following figure.
If the “LOG” or “REJECT” target is selected, additional fields appear as described under LOG Target and REJECT Target.
Source or Destination IP and Mask
If you fill in the “Source IP” field, incoming packets are filtered for the specified IP address. If you fill in the “Destination IP” field, outgoing packets are filtered for the specified IP address.
If you fill in either “Mask” field, incoming or outgoing packets are filtered for IP addresses from the network in the specified netmask.
The source and destination IP and related fields are shown in the following figure.
Protocol
You can select a protocol for filtering from the “Protocol” drop-down list, which is shown in the following figure.
The additional fields that appear for each protocol are explained in the following sections.
Numeric Protocol Fields
If you select Numeric as the protocol when specifying a rule, a text field appears to the right of the menu for you to enter the desired number, as shown in the following figure.
TCP Protocol Fields
If you select TCP as the protocol when specifying a rule, the additional fields shown in the following figure appear for you to fill out at the bottom of the form.
The following table defines the fields and menu options in the “TCP Options Section.”
Source Port, Destination Port: You can specify a source or destination port number for filtering in the “Source Port” or “Destination Port” field. If you specify a second number in the “to” field, TCP packets are filtered for any port number within the range that starts with the first port number and ends with the second.
TCP flags: You can select the check box next to any of the TCP flags, “SYN” (synchronize), “ACK” (acknowledge), “FIN” (finish), “RST” (reset), “URG” (urgent), or “PSH” (push), and select either “Any,” “Set,” or “Unset.” TCP packets are then filtered for the specified flag and the selected condition.
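The following is an added example, not the KVM/net's own code, that models the matching semantics described in the Inverted Check Boxes, Source or Destination IP and Mask, and TCP Protocol Fields sections: an empty criterion matches every packet, “Inverted” flips one criterion, a “to” value turns a port into a range, and TCP flags are checked as Any, Set, or Unset. The chain, rule values, and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple, Dict

# Constructed model of the matching semantics described above; not the KVM/net's own code.
# A criterion left empty matches every packet; "Inverted" flips the result of that one criterion.

@dataclass
class Rule:
    target: str                                  # ACCEPT, DROP, REJECT, LOG or RETURN
    src: Optional[str] = None                    # "Source IP" plus "Mask", e.g. "192.0.2.0/24"
    src_inverted: bool = False                   # the "Inverted" check box on the Source IP line
    protocol: Optional[str] = None               # "tcp", "udp" or "icmp"; None = any protocol
    dport: Optional[Tuple[int, int]] = None      # ("Destination Port", "to"); (22, 22) = one port
    flags: Dict[str, str] = field(default_factory=dict)  # e.g. {"SYN": "Set"}; absent = "Any"

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.src is not None:
        in_net = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src, strict=False)
        if in_net == rule.src_inverted:          # inverted: act on packets that do NOT match
            return False
    if rule.protocol and pkt["proto"] != rule.protocol:
        return False
    if rule.dport and not rule.dport[0] <= pkt.get("dport", -1) <= rule.dport[1]:
        return False
    for flag, cond in rule.flags.items():        # "Any" places no restriction
        present = flag in pkt.get("flags", ())
        if (cond == "Set" and not present) or (cond == "Unset" and present):
            return False
    return True

def filter_packet(chain: list, pkt: dict, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides, LOG only records."""
    for rule in chain:
        if matches(rule, pkt):
            if rule.target == "LOG":
                print("LOG:", pkt)
                continue
            return rule.target
    return policy                                # built-in chains accept by default

# Constructed INPUT chain: new SSH sessions from the management network are accepted,
# TCP high ports are rejected, and everything not from the management network is dropped.
INPUT_CHAIN = [
    Rule("ACCEPT", src="192.0.2.0/24", protocol="tcp", dport=(22, 22), flags={"SYN": "Set", "ACK": "Unset"}),
    Rule("REJECT", protocol="tcp", dport=(1024, 65535)),
    Rule("DROP", src="192.0.2.0/24", src_inverted=True),
]

if __name__ == "__main__":
    print(filter_packet(INPUT_CHAIN, {"src": "203.0.113.7", "proto": "tcp", "dport": 22, "flags": ("SYN",)}))
```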
UDP Protocol Fields
If you select UDP as a protocol when specifying a rule, the additional fields shown in the following figure appear at the bottom of the form.
The following table defines the fields in the UDP Options Section.
Source Port – OR – Destination Port, and the “to” field: You can specify a source or destination port number for filtering in the “Source Port” or “Destination Port” field. If you specify a second number in the “to” field, UDP packets are filtered for any port number within the range that starts with the first port number and ends with the second.
ICMP Protocol Fields
If you select ICMP as a protocol when specifying a rule, the ICMP Type drop-down list appears in the ICMP Options Section at the bottom of the IP Filtering form. The following figure shows the options.
Input Interface, Output Interface, and Fragments
If you enter an interface (such as eth0 or eth1) in the “Input Interface” field, incoming packets are filtered for the specified interface. If you enter an interface in the “Output Interface” field, outgoing packets are filtered for the specified interface.
These fields are shown in the following figure.
The following table defines the fields in the previous figure.
Input Interface: The input interface (ethN) for the packet.
Output Interface: The output interface (ethN) for the packet.
LOG Target
If you select “LOG” from the “Target” field, the following fields and menus appear in the “LOG Options Section” at the bottom of the form.
The following table defines the menu options, field, and check boxes in the “LOG Options Section.”
REJECT Target
If you select REJECT from the Target drop-down list, the following drop-down list appears.
Any “Reject with” option causes the input packet to be dropped and a reply packet of the specified type to be sent.
Firewall Configuration Procedures
To Add a Chain
1.
The IP Filtering form appears.
2.
The “Add Chain” dialog box appears.
3.
Spaces are not allowed in the chain name.
The name of the new chain appears in the list.
4.
To Edit a Chain
Perform this procedure if you want to change the policy for a default chain.
Note: User-defined chains cannot be edited.
1.
2.
If you select a user-defined chain, the following dialog box appears.
If you select one of the default chains, the “Edit Chain” dialog box appears.
3.
4.
5.
To Edit a Rule for IP Filtering
1.
The IP Filtering configuration form appears.
See the To Add a Rule for IP Filtering procedure for a definition of the user input fields.
2.
3.
The Edit Rules form appears. Each line represents a rule for the selected chain.
4.
The Edit Rules form appears.
5.
See IP Filtering for a definition of the input fields, if needed.
6.
To Add a Packet Filtering Rule
1.
2.
3.
The “Edit Rule for Chain” dialog box appears.
4.
5.
The “Add Rule” dialog box appears.
6.
7.
To Add a Chain for IP Filtering
1.
The IP Filtering configuration form appears.
Each line in the list box represents a chain. For a definition or explanation of the field columns, refer to the introductory section of this procedure or to the field definitions for the Edit Rule dialog box in the next section.
2.
The Add Chain dialog box appears.
3.
Enter the name of the chain that you are adding to the filter table, and then select OK. (Spaces are not allowed in the chain name.)
4.
5.
6.
To Edit A Chain for IP Filtering
1.
The IP Filtering configuration form appears.
2.
The Edit Chain dialog box appears.
3.
4.
5.
To Add a Rule for IP Filtering
1.
The IP Filtering configuration form appears.
2.
The Edit Rules for Chain configuration form appears.
3.
The Add Rule dialog box appears.
4.
Indicates the action to be performed on the IP packet when it matches the rule. For example, the kernel can ACCEPT, DROP, RETURN, LOG, or REJECT the packet by sending a message, translating the source or the destination IP address/port, or sending the packet to another user-defined chain.
Source network mask. Required when a network should be included in the rule.
Select the check box adjacent to Source IP to invert the target action. For example, the action assigned to the target will be performed on all source IPs/Masks except the one just defined.
Select the check box adjacent to Destination IP to invert the target action. For example, the action assigned to the target will be performed on all destination IPs/Masks except the one just defined.
The transport protocol to check. If the numeric value is available, select Numeric and type the value in the adjacent field; otherwise, select one of the other options.
Select the check box adjacent to Protocol to invert the target action. For example, the action assigned to the target will be performed on all protocols except the one just defined.
The interface where the IP packet should pass. The Input Interface option appears only for the INPUT and FORWARD chains.
Select the check box adjacent to Input Interface to invert the target action. For example, the action assigned to the target will be performed on all interfaces except the one just defined.
The interface where the IP packet should pass. The Output interface option will appear for the chains FORWARD and OUTPUT.
Select the check box adjacent to Output Interface to invert the target action. For example, the action assigned to the target will be performed on all interfaces except the one just defined.
Indicates the fragments or unfragmented packets to be checked. The IP Tables can check for:
This dropdown list box contains all the ICMP types that may be applied to the current rule.
Select the check box adjacent to ICMP Type to invert the target action. For example, the action assigned to the target will be performed on all ICMP types except the one currently selected.
5.
 
The log level classification to be used, based on the type of message (such as alert, warning, info, or debug).
“Reject with” means that the filter drops the input packet and sends back a reply packet according to any of the reject types listed below.
The REJECT target matches packets using the TCP flags and the appropriate reject type. The following options are available:
icmp-net-unreachable – ICMP network unreachable alias
icmp-host-unreachable – ICMP host unreachable alias
icmp-port-unreachable – ICMP port unreachable alias
icmp-proto-unreachable – ICMP protocol unreachable alias
icmp-net-prohibited – ICMP network prohibited alias
icmp-host-prohibited – ICMP host prohibited alias
echo-reply – Echo reply alias
tcp-reset – TCP RST packet alias
6.
7.