AIX: restricting which IP addresses may reach certain ports

Note: AIX also has firewall functionality of its own (IP Security filter rules); for example, access to SSH and FTP can be restricted to individual hosts.

1. First check whether IP Security (ipsec) is started:
lsdev -Cc ipsec

If nothing is displayed, it is not started.

2. Start IP Security version 4 (ipsec4) so that filter rules can be used:
smitty ipsec4
-> Start/Stop IP Security
-> Start IP Security
-> Start IP Security

3. Check that ipsec is now available:
# lsdev -Cc ipsec
ipsec_v4 Available IP Version 4 Security Extension


4. The system should now have two default filter rules. Check them with the following command:
lsfilt -v4

The filter table is evaluated top to bottom and the first matching rule wins; the final default rule permits all traffic, so nothing is blocked until rules are added in front of it.


5. Add a filter rule that permits FTP requests from 10.1.1.100 to this host (10.1.1.12):
# smitty ipsec4
-> Advanced IP Security Configuration
-> Configure IP Security Filter Rules
-> Add an IP Security Filter Rule
-> Add an IP Security Filter Rule

* Rule Action                                       [permit]
* IP Source Address                                 [10.1.1.100]
* IP Source Mask                                    [255.255.255.255]
  IP Destination Address                            [10.1.1.12]
  IP Destination Mask                               [255.255.255.255]
* Apply to Source Routing? (PERMIT/inbound only)    [yes]
* Protocol                                          [all]
* Source Port / ICMP Type Operation                 [any]
* Source Port Number / ICMP Type                    [0]
* Destination Port / ICMP Code Operation            [eq]
* Destination Port Number / ICMP Type               [21]
* Routing                                           [both]
* Direction                                         [both]
* Log Control                                       [no]
* Fragmentation Control                             [0]
* Interface                                         [all]
  Expiration Time (sec)                             [ ]
  Pattern Type                                      [none]
  Pattern / Pattern File                            [ ]
  Description                                       [ ]

A source mask of 255.255.255.255 matches exactly the one host 10.1.1.100. Since the FTP control connection runs over TCP port 21, setting Protocol to tcp instead of all makes the rule more precise: the port match then applies only to the protocol that actually carries ports.

6. Add another filter rule that denies FTP requests to 10.1.1.12 from every other host:
# smitty ipsec4
-> Advanced IP Security Configuration
-> Configure IP Security Filter Rules
-> Add an IP Security Filter Rule
-> Add an IP Security Filter Rule

* Rule Action                                       [deny]
* IP Source Address                                 [0.0.0.0]
* IP Source Mask                                    [0.0.0.0]
  IP Destination Address                            [10.1.1.12]
  IP Destination Mask                               [255.255.255.255]
* Apply to Source Routing? (PERMIT/inbound only)    [yes]
* Protocol                                          [all]
* Source Port / ICMP Type Operation                 [any]
* Source Port Number / ICMP Type                    [0]
* Destination Port / ICMP Code Operation            [eq]
* Destination Port Number / ICMP Type               [21]
* Routing                                           [both]
* Direction                                         [both]
* Log Control                                       [no]
* Fragmentation Control                             [0]
* Interface                                         [all]
  Expiration Time (sec)                             [ ]
  Pattern Type                                      [none]
  Pattern / Pattern File                            [ ]
  Description                                       [ ]

Source address 0.0.0.0 with mask 0.0.0.0 matches any host. Because rules are matched in order, this deny rule must sit after the permit rule from step 5; adding it second does exactly that, and lsfilt -v4 shows the resulting order. If the same pattern is applied to SSH (port 22), make sure the address you are administering from is covered by a permit rule before the deny rule is activated, otherwise the session you are working in is cut off.

7. Activate the configured filter rules:
# smitty ipsec4
-> Advanced IP Security Configuration
-> Activate/Update/Deactivate IP Security Filter Rule
-> Activate / Update

Rules added in the previous steps are not enforced until this update is done, and it has to be repeated after every later change to the table.
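
The seven SMIT steps above map onto the AIX command-line tools lsdev/mkdev, genfilt, lsfilt and mkfilt. The script below is an added example and not part of the original post: it generates the genfilt command sequence for the permit-then-deny pattern, generalised from the single FTP case to any list of allowed hosts and TCP ports (for example 21 and 22, as the introduction mentions), prints the commands so the rule order can be reviewed, and executes them only when APPLY=yes. It uses tcp rather than all as the protocol, turns on logging (-l Y) for the deny rule, and refuses to apply a table that would lock the administrator's own address (ADMIN_IP) out of port 22. The flag letters follow the genfilt and mkfilt man pages; the script itself, its function names, and the addresses 10.1.1.12, 10.1.1.100 and 10.1.1.101 are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): emits the genfilt/mkfilt
# equivalents of the SMIT dialogs for a list of allowed hosts and TCP ports.
# Prerequisites (steps 1-3 above) on the AIX host:
#   lsdev -Cc ipsec            # shows ipsec_v4 Available once started
#   mkdev -c ipsec -t 4        # starts IP Security version 4

HOST_MASK=255.255.255.255    # exactly one host
ANY_ADDR=0.0.0.0             # source 0.0.0.0 / mask 0.0.0.0 matches every host

# permit_rule LOCAL_IP ALLOWED_IP PORT
# Mapping to the SMIT fields: -a P = Rule Action permit, -s/-m = source address/mask,
# -d/-M = destination address/mask, -g Y = apply to source routing, -c = Protocol,
# -o/-p = source port operation/number, -O/-P = destination port operation/number,
# -r B = Routing both, -w B = Direction both, -l N = Log Control no, -i all = Interface.
permit_rule() {
    printf 'genfilt -v 4 -a P -s %s -m %s -d %s -M %s -g Y -c tcp -o any -p 0 -O eq -P %s -r B -w B -l N -i all\n' \
        "$2" "$HOST_MASK" "$1" "$HOST_MASK" "$3"
}

# deny_rule LOCAL_IP PORT
# Catch-all deny for the same port from any source. -l Y logs the denied packets
# (a practitioner's addition; the SMIT example uses Log Control [no]).
deny_rule() {
    printf 'genfilt -v 4 -a D -s %s -m %s -d %s -M %s -g Y -c tcp -o any -p 0 -O eq -P %s -r B -w B -l Y -i all\n' \
        "$ANY_ADDR" "$ANY_ADDR" "$1" "$HOST_MASK" "$2"
}

# plan LOCAL_IP "ALLOWED_IP ..." "PORT ..."
# Every permit rule is emitted before any deny rule: the table is first-match and
# genfilt appends rules in the order they are issued. The final mkfilt -u is the
# command-line form of step 7 (Activate / Update).
plan() {
    plan_local=$1; plan_hosts=$2; plan_ports=$3
    for p in $plan_ports; do
        for h in $plan_hosts; do
            permit_rule "$plan_local" "$h" "$p"
        done
    done
    for p in $plan_ports; do
        deny_rule "$plan_local" "$p"
    done
    printf 'mkfilt -v 4 -u\n'
}

# lockout_check "ALLOWED_IP ..." "PORT ..." ADMIN_IP
# Returns 1 when port 22 is being restricted and ADMIN_IP is not in the allow list:
# activating such a table from an SSH session would cut that session off.
lockout_check() {
    case " $2 " in *" 22 "*) ;; *) return 0 ;; esac
    case " $1 " in *" $3 "*) return 0 ;; esac
    return 1
}

# apply_plan LOCAL_IP "ALLOWED_IP ..." "PORT ..."
# Dry run (prints the commands) unless APPLY=yes; with APPLY=yes, ADMIN_IP must be
# set to the address you are connecting from, or the lockout check refuses to run.
apply_plan() {
    if [ "${APPLY:-no}" = yes ]; then
        lockout_check "$2" "$3" "${ADMIN_IP:-}" || {
            echo "refusing: ADMIN_IP='${ADMIN_IP:-}' would be denied on port 22" >&2
            return 1
        }
        plan "$1" "$2" "$3" | while IFS= read -r cmd; do eval "$cmd"; done
    else
        plan "$1" "$2" "$3"
    fi
}

# Usage with the constructed values from the post:
#   sh aix-filter-plan.sh 10.1.1.12 "10.1.1.100" "21 22"
#   APPLY=yes ADMIN_IP=10.1.1.100 sh aix-filter-plan.sh 10.1.1.12 "10.1.1.100" "21 22"
if [ $# -eq 3 ]; then
    apply_plan "$1" "$2" "$3"
fi
```

Review the printed plan with lsfilt -v4 in mind: the permit lines must appear above the deny lines, and the deny lines above the final default rule, before you run it with APPLY=yes.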

DONE
