Managing IPtables

The administration tool for managing IP packet filtering for the Linux operating system is known as iptables. With ztC Edge systems, the task of working with iptables has been simplified and streamlined. Using the IPtables Security page, you can set up, maintain, and inspect the various filter table chains and their underlying rules. You have access to the three main chains (INPUT, OUTPUT, and FORWARD) for applying the packet-filtering rules you need. With ztC Edge systems, the rules are applied to the host operating system on each physical machine (PM), to both IPv4 and IPv6 packets, and the rules remain persistent after rebooting.

When you insert a rule, you specify a chain (INPUT, OUTPUT, or FORWARD) and a Rule ID. When processing inbound packets, the kernel applies the rules associated with the INPUT chain, and when processing outbound packets, the kernel applies the rules associated with the OUTPUT chain. The kernel applies the rules associated with the FORWARD chain when processing received inbound packets that must be routed to another host. Rules are applied in order of the Rule ID. (A Rule ID is similar to a row ID, where, for example, Rule ID 1 equals row 1.) Instead of creating rules, however, you can load default settings for the rules.

The IPtables Security page displays a separate table for each of the three chains and their associated rules. The rules, if they exist for a particular chain, are sorted by Rule ID. Columns display the network name, type of network, protocol, and other information. If necessary, use the scroll-bar on the right side of the page to view all of the rules and the scroll-bar at the bottom to view all of the columns. For more information on iptables functionality, see the Linux manual (man) pages for iptables.

You can, optionally, enable the rules to apply to the guest operating systems, in addition to the host. By default, rules apply only to the host operating system, but not to guest operating systems. When you enable rules to also apply to guests, all existing rules, imported rules, and additional newly inserted rules also apply to all guest operating systems (that is, for rules based on the same business network that has been allocated to the guest).

Notes:  
  1. For information on the ports that ztC Edge software uses, see System Requirements Overview.
  2. For additional information on ztC Edge TCP and UDP ports, access the Knowledge Base to search for the article TCP and UDP ports used by ztC Edge (KB0014311). See Accessing Knowledge Base Articles.

To manage IPtables, first, enable IPtables security, if you have not already done so.

  1. Click Preferences in the left-hand navigation panel, to open the Preference page.
  2. On the Preferences page, click IPtables Security.

  3. Activate the checkbox next to Enable IPtables Security.

    The Enable IPtables Security window becomes gray for a few minutes. When the window is active again, Enable IPtables Security is selected

Rules are applied only to the host, by default. You can, though, apply rules to guests as well as the host.

  1. Click Preferences in the left-hand navigation panel, to open the Preference page.

  2. On the Preferences page, click IPtables Security.

    Ensure that Enable IPtables Security is selected.

  3. Apply to Host is selected, by default:

    Select Apply to Host and Guests to apply rules to both the host operating system and guest operating systems. The Enable Port Management window becomes gray for a few minutes.

    When Apply to Host and Guests is selected, all existing rules, imported rules, and additional newly inserted rules will also apply to all guest operating systems (that is, for rules based on the same business network that has been allocated to the guest).

Continue, as appropriate, by inserting a new rule, removing a rule, loading default settings, importing rules, or exporting rules.

  1. Click Preferences in the left-hand navigation panel, to open the Preference page.

  2. On the Preferences page, click IPtables Security.

    Ensure that Enable IPtables Security is selected.

  3. Click the Insert New Rule button to open the Insert New Rule pop-up window.
  4. In the Insert New Rule pop-up window, set values for the following:
    • Chain—Select INPUT, OUTPUT, or FORWARD from the drop-down list.
    • Rule ID—Enter a number that establishes the order for processing the rule. Enter a value, starting with 1 and up to a maximum value that is the total number of rules within the chain. Each Rule ID value must be unique.

      If you enter a number that is already assigned to a rule, the existing rule is incremented by 1 (as are subsequent rules, if any) and the number you enter is assigned to the new rule. So, if, for example, Rule ID 1 already exists and you enter 1 for the new rule, the existing Rule ID 1 becomes Rule ID 2, the existing Rule ID 2 (if it exists) becomes Rule ID 3, and so on.

    • Shared Network—Select a network from the drop-down list of all available shared networks.

    • Protocol—Select udp, tcp, or all.

      Selecting all causes the Grouping and Port Number fields to become inactive (gray) because setting a range of port numbers is unnecessary.

    • Target—Select drop, accept, or reject for the action you want to apply to the packet that matches the rule's specifications.
    • Port Number (starting)—For the first port of the range, enter a number 0 to 65535 that is less than or equal to Port Number (ending).
    • Port Number (ending)—For the last port of the range, enter a number 0 to 65535 that is greater than or equal to Port Number (starting).
    • IP Address (starting)—For the first IPv4 address of the range, enter an address 0.0.0.0 through 255.255.255.255 that is less than or equal to IP Address (ending).
    • IP Address (ending)—For the last IPv4 address of the range, enter an address 0.0.0.0 through 255.255.255.255 that is greater than or equal to IP Address (starting).
    • IPv6 Address (starting)—For the first IPv6 address of the range, enter an address 0000:0000:0000:0000:0000:0000:0000:0000 through ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff that is less than or equal to IPv6 Address (ending).
    • IPv6 Address (ending)—For the last IPv6 address of the range, enter an address 0000:0000:0000:0000:0000:0000:0000:0000 through ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff that is greater than or equal to IPv6 Address (starting).

    Click Insert to insert the new rule.

  5. Newly inserted rules apply only to the host, by default. If you want the rules to apply to the host and guests, see To apply rules to guests as well as the host.

  6. Click Save at the bottom of the page, or click Reset to cancel any unsaved changes, which restores rules to those of the last saved session.

    After the new rule is saved, the IPtables Security page displays it in the appropriate chain.

  1. Click Preferences in the left-hand navigation panel, to open the Preference page.

  2. On the Preferences page, click IPtables Security.

    Ensure that Enable IPtables Security is selected.

    (Apply to Host and Apply to Host and Guests have no effect on removing rules.)

  3. Select the rule that you want to remove.
  4. Click Remove (in the right-most column), for the rule you selected.

  5. Click Save at the bottom of the page, or click Reset to cancel any unsaved changes, which restores rules to those of the last saved session.

    After the rule is removed, it disappears from the IPtables Security page .

  1. Click Preferences in the left-hand navigation panel, to open the Preference page.

  2. On the Preferences page, click IPtables Security.

    Ensure that Enable IPtables Security is selected.

  3. Click Load Default Settings at the bottom of the page.

    A warning appears: Current settings will be overridden by the initial settings! Click OK if you want to load the default settings, or click Cancel to cancel the loading of default settings. If you click OK, the Enable Port Management window becomes gray for a few minutes and the Loading default settings.... message appears.

  4. The default rules apply only to the host, by default. If you want the rules to apply to the host and guests, see To apply rules to guests as well as the host.

  1. Click Preferences in the left-hand navigation panel, to open the Preference page.

  2. On the Preferences page, click IPtables Security.

    Ensure that Enable IPtables Security is selected.

  3. Click Import or Export at the bottom of the page.

    • Import—The Import/Restore IPtables Security Rules Wizard appears. Browse to and select the XML file that you want to import. All rules associated with a shared network's type within the imported XML file will be generated for each existing shared network on the system with the same type.

      After you have selected an XML file, the following message appears:

      Append will reserve current rule set.  Select Overwrite if you want to clear out all current rules.

      Click the appropriate button:

      • Append—The selected XML file is appended to the existing XML file, preserving existing rules.
      • Overwrite—The selected XML file overwrites the existing XML file, eliminating the existing rules.
    • Export—A file explorer window appears. Browse to a location on your local system where you want to save the file of exported rules. All rules in the table are exported to an XML file that is then downloaded to the location you select.

  4. Imported rules apply only to the host, by default. If you want the rules to apply to the host and guests, see To apply rules to guests as well as the host.

  5. If you imported a file, click Save (or click Reset to restore the previously saved values).

Related Topics

The Preferences Page

The ztC Edge Console

Security Hardening