Java Enterprise Applications



The following is a study of how to implement a stub for Red Hat iptables.

Step (1) About ports <=> [inbound, outbound]


Issue the command (389 is the port you want to look up):
netstat -Aan | grep 389
This will return:
f1000089c27a2358 tcp4 0 0 *.389 *.* LISTEN
The next step is to take the value that was generated, f1000089c27a2358, and run it through the rmsock command:
rmsock f1000089c27a2358 tcpcb
This command will return the process that is holding the socket:
The socket 0xc27a2000 is being held by process 204914 (ndsd).


Step (2) ipsec




Filters can be defined via the SMIT panel at the fastpath ips4_add_filter or via the command line, using the genfilt command. The SMIT method presents a screen similar to the table in the previous section. To create the filter "by hand", the following flags to the genfilt command are used to specify the attributes of the filter rule:


  • -v: The IP version to which this filter applies. Valid values are "4" and "6".
  • -n: The filter ID, or number. The new rule will be added before the number specified with this flag. If not specified, the rule will be added to the end of the filter rules table.
  • -a: The "action" of the rule. Valid values are "P" (permit) and "D" (deny).
  • -s: The source address. Specify either a fully qualified domain name (FQDN) or an IP address of the host or network to which this rule will apply. The value "" specifies all IP addresses.
  • -m: The source subnet mask. This is used together with the source address in determining whether this filter rule matches. The value "" specifies all subnet masks.
  • -d: The destination address. Specify either the FQDN or the IP address of the interface against which incoming packets should be matched. The value "" specifies all IP addresses on the system.
  • -M: The destination subnet mask. This is used together with the destination address in determining whether this filter rule matches. The value "" specifies all subnet masks.
  • -g: Specifies whether this rule applies to source-routed packets. Valid values are "Y" (yes) and "N" (no).
  • -c: Protocol. Specifies the protocol matched by this filter rule. Valid values are "udp", "icmp", "tcp", "tcp/ack", and "all".
  • -o: Source port/ICMP operation. The comparison operator used when matching the source port of the packet against this rule. Valid values are "lt" (less than), "le" (less than or equal to), "gt" (greater than), "ge" (greater than or equal to), "eq" (equal), "neq" (not equal), or "any".
  • -p: Source port/ICMP type. This value is compared to the source port of the packet for possible matches.
  • -O: Destination port/ICMP operation. The comparison operator used when matching the destination port of the packet against this rule. Valid values are the same as for the "-o" flag.
  • -P: Destination port/ICMP type. This value is compared to the destination port of the packet for possible matches.
  • -r: Routing/Scope. Specifies whether the rule applies to forwarded packets (R), packets destined for or originating from the local host (L), or both (B).
  • -w: Direction. Specifies whether the rule applies to incoming packets (I), outgoing packets (O), or both (B).
  • -l: Logging. Specifies whether an entry is sent to syslog for packets that match this rule. Valid values are "Y" (yes) and "N" (no).
  • -f: Fragmentation control. Specifies whether the rule applies to fragment headers and unfragmented packets (H), fragment headers and fragments only (O), unfragmented packets only (N), or all packets (Y).
  • -i: Interface. Specifies the interface on which this filter rule applies. Valid values are the logical names of interfaces (en0, tr0, lo0, etc.) or "all" for all interfaces.


To work with TCP/IP filters you only need a few commands, which are explained here and then used in the next section. If you are familiar with AIX commands you will see that these follow the same naming logic: a descriptive prefix such as mk, ls, or rm, followed by the filt suffix.

  • lsfilt: Lists the filter rules present in the table. When created, each rule is assigned a number, which can easily be seen with this command.
  • genfilt: Adds a filter rule to the table. This is the one you use to create new filters. If you do not specify a position with the -n parameter, the new rule is added at the end of the table.
  • chfilt: Changes existing filter rules. You need to provide the rule ID to indicate which rule you want to modify. Rule 1 is the default rule and cannot be changed with this command.
  • rmfilt: The rm prefix should sound familiar to any UNIX administrator. You use this command whenever you have to remove a filter rule, providing its rule ID.
  • mkfilt: This is the key command that activates or deactivates the filter rules in the table, enables or disables logging for filters, and changes the default rules. For changes made to the filters table to take effect, you have to run this command with the appropriate arguments.


# smitty ipsec4

# lsdev -l ipsec_v4

# chfilt -v 4 -n 3 -i en1
Filter rule 3 for IPv4 has been changed successfully.



## Rules to reject traffic to the Web Application not coming from the Proxy
# genfilt -v 4 -a D -s 0 -m 0 -d -M -g N -c tcp -O eq -P 80 -r L -w I -l Y -f Y -i all



Now, you are going to configure the syslog daemon to log entries coming from the IP filters in a file that you specify.

## Backup syslog.conf file before modifying it.
# cp /etc/syslog.conf /etc/syslog.conf.bak
## Append entry for IP filters logs.
# echo "local4.debug /var/adm/ipsec.log" >> /etc/syslog.conf
## Create log file and set permissions (permissions may depend on 
## company policies)
# touch /var/adm/ipsec.log
# chmod 644 /var/adm/ipsec.log
## Refresh the syslog subsystem to activate the new configuration.
# refresh -s syslogd
0513-095 The request for subsystem refresh was completed successfully.



## Start the log functionality of the filter rule module
# mkfilt -g start
## Activate the filter rules
# mkfilt -u


Step (3) iptables
iptables is the popular firewall management tool on Linux.




cmd 1: iptables -A INPUT -p tcp --dport ${port} -j ACCEPT

cmd 2: iptables -A INPUT -p tcp -s localhost -j ACCEPT

cmd 1 adds a rule to the filter table: if the packet arrives over TCP and is destined for port ${port}, accept it.

cmd 2 adds a rule to the filter table: if the source IP address is the local host, accept it.


Step (4) mock iptables


genfilt -v 4 -a P -s -m -d -M -g Y -c tcp -o any -p 0 -O eq -P 80 -r B -w B -l N -f Y -i all

mkfilt -u



# cloud_iptables - simulate iptables
# Case patterns reconstructed from cmd 1 (--dport ${port}) and cmd 2 (-s localhost) above;
# the blank -s -m -d -M values are left as they appear in the original post.
function aix_iptables {
    echo "aix_iptables:[$@]"
    while [ $# -ne 0 ]; do
        case $1 in
            --dport)    # open one TCP port to everyone
                port=$2
                genfilt -v 4 -a P -s -m -d -M -g Y -c tcp -o any -p 0 -O eq -P $port -r B -w B -l N -f Y -i all
                shift 1 ;;
            -s)         # permit all TCP from one source host
                sourceip=$2
                genfilt -v 4 -a P -s $sourceip -m -d -M -g Y -c tcp -o any -p 0 -O any -P 0 -r B -w B -l N -f Y -i all
                shift 1 ;;
        esac
        shift 1         # consume the flag itself (or any unhandled option)
    done
}



iptables -A INPUT -p tcp -s localhost -j ACCEPT
service iptables save

Statement 1 adds a rule.

Statement 2 makes the change take effect.

So the service method must be mocked as well; then, on both platforms, statements 1 and 2 perform the same job of opening a few firewall ports.

function aix_service {
    if [ "$1" = "iptables" ]; then
        mkfilt -u           # the AIX equivalent of "service iptables save"
        echo "aix_service $*"
    fi
}


function on_AIX {
    test "`uname`" = "AIX"
}


if on_AIX ; then
    shopt -s expand_aliases     # enable alias expansion in scripts; keep it on
    alias sudo='aix_sudo'
    alias hostname='aix_hostname'
    alias iptables='aix_iptables'
    alias chkconfig='aix_chkconfig'
    alias service='aix_service'
fi
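As an added example that is not part of the original post, the function below translates the iptables syntax of cmd 1 and cmd 2 into genfilt arguments more generally than the stub above (chain, target, both address sides, both port sides) and prints the resulting command instead of running it, so the mapping can be reviewed on any machine. Two assumptions are not on the page: a single host given with -s or -d gets the mask 255.255.255.255, and "-s 0 -m 0" is used for "any source" as in the post's own deny rule.

```shell
#!/bin/sh
# Added example (not the blog's code): translate one iptables rule into the
# equivalent AIX genfilt command and print it instead of running it, so the
# mapping can be checked on any machine before it is wired into an alias.
# Mapping: -A INPUT|OUTPUT -> -w I|O, -j ACCEPT -> -a P, -j DROP|REJECT -> -a D,
# -p <proto> -> -c <proto>, --sport N -> -o eq -p N, --dport N -> -O eq -P N.
# Assumed: "-s 0 -m 0" means any source (as in the blog's deny rule) and a
# single host given with -s/-d gets the mask 255.255.255.255.
iptables_to_genfilt() {
    dir=B act=P proto=all src=0 smask=0 dstopt=""
    sop=any sport=0 dop=any dport=0
    while [ $# -ne 0 ]; do
        case $1 in
            -A) case $2 in INPUT) dir=I ;; OUTPUT) dir=O ;; *) dir=B ;; esac; shift ;;
            -j) case $2 in
                    ACCEPT)      act=P ;;
                    DROP|REJECT) act=D ;;
                    *) echo "unsupported target: $2" >&2; return 1 ;;
                esac; shift ;;
            -p)      proto=$2; shift ;;
            -s)      src=$2; smask=255.255.255.255; shift ;;
            -d)      dstopt="-d $2 -M 255.255.255.255"; shift ;;
            --sport) sop=eq; sport=$2; shift ;;
            --dport) dop=eq; dport=$2; shift ;;
            *)       echo "unsupported option: $1" >&2; return 1 ;;
        esac
        shift
    done
    # A port match on a protocol without ports would silently never fire.
    if [ "$proto" != tcp ] && [ "$proto" != udp ] &&
       { [ "$sop" != any ] || [ "$dop" != any ]; }; then
        echo "port match requires -p tcp or -p udp" >&2; return 1
    fi
    echo "genfilt -v 4 -a $act -s $src -m $smask${dstopt:+ $dstopt} -g Y -c $proto" \
         "-o $sop -p $sport -O $dop -P $dport -r B -w $dir -l N -f Y -i all"
}

# cmd 1 and cmd 2 from the post, as the genfilt rules they would become:
iptables_to_genfilt -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables_to_genfilt -A INPUT -p tcp -s localhost -j ACCEPT
```

Unlike the stub, which uses -w B for every rule, the translation keeps the chain's direction (-w I for INPUT, -w O for OUTPUT), so the AIX rule is no wider than the Linux one it replaces.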


posted on 2012-08-11 13:59 by cpegtop, views (4217), comments (0)

