Adding Firewall Rules
If you do not have an external firewall to protect the network environment of the eSight server, you are advised to configure firewall rules to disable unnecessary ports and connections to reduce external attack surfaces and improve eSight security.
Procedure
- Use PuTTY to log in to the eSight server as the root user.
- Run the following commands to export the current firewall rules and port forwarding rules configured on eSight:
iptables-save > /opt/iptables.current.rules
cat /etc/init.d/boot.local | grep iptables >> /opt/esight.iptables.sh
- Switch to the /etc/sysconfig directory and run the vi command to create the firewall rule file iptables.esight.rules.
cd /etc/sysconfig
vi iptables.esight.rules
Copy the following content to the file, press Esc to switch to the command line mode, and run the :wq! command to save the file.
To edit text, type i to switch to insert mode and type after the cursor. To save the modification and exit the vi editor, press Esc to switch to the command line mode, and type :wq.
# Generated by eSight Engineering Group.
# Please place all contents in
# /etc/sysconfig/iptables.esight.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allows all loopback (lo0) traffic
# and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -s 127.0.0.0/8 -j DROP
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere
# -A INPUT -p tcp --dport 31942 -j ACCEPT
# -A INPUT -p tcp --dport 31943 -j ACCEPT
# -A INPUT -p tcp --dport 31945 -j ACCEPT
# Allows SSH connections
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Drop icmp timestamp and netmask request
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 18 -j DROP
# Allows all inbound traffic needed by eSight
# EulerOS
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p udp --dport 123 -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p udp --dport 5355 -j ACCEPT
-A INPUT -p udp --dport 137 -j ACCEPT
-A INPUT -p udp --dport 58 -j ACCEPT
-A INPUT -p udp --dport 67 -j ACCEPT
-A INPUT -p udp --dport 68 -j ACCEPT
# eSight platform
-A INPUT -p tcp --dport 32002 -j ACCEPT
-A INPUT -p tcp --dport 32003 -j ACCEPT
-A INPUT -p tcp --dport 32006 -j ACCEPT
-A INPUT -p tcp --dport 32007 -j ACCEPT
-A INPUT -p tcp --dport 32008 -j ACCEPT
-A INPUT -p tcp --dport 32009 -j ACCEPT
-A INPUT -p tcp --dport 32010 -j ACCEPT
-A INPUT -p tcp --dport 32011 -j ACCEPT
-A INPUT -p tcp --dport 32016 -j ACCEPT
-A INPUT -p tcp --dport 32017 -j ACCEPT
-A INPUT -p tcp --dport 32028 -j ACCEPT
-A INPUT -p tcp --dport 32019 -j ACCEPT
-A INPUT -p tcp --dport 32020 -j ACCEPT
-A INPUT -p tcp --dport 32021 -j ACCEPT
-A INPUT -p tcp --dport 32022 -j ACCEPT
-A INPUT -p tcp --dport 32023 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 31943 -j ACCEPT
-A INPUT -p tcp --dport 32030 -j ACCEPT
-A INPUT -p tcp --dport 32031 -j ACCEPT
-A INPUT -p tcp --dport 32032 -j ACCEPT
-A INPUT -p tcp --dport 32033 -j ACCEPT
-A INPUT -p tcp --dport 8087 -j ACCEPT
-A INPUT -p tcp --dport 31942 -j ACCEPT
-A INPUT -p tcp --dport 31909 -j ACCEPT
-A INPUT -p tcp --dport 31910 -j ACCEPT
-A INPUT -p tcp --dport 8088 -j ACCEPT
-A INPUT -p tcp --dport 31945 -j ACCEPT
-A INPUT -p tcp --dport 31927 -j ACCEPT
-A INPUT -p tcp --sport 31916 --dport 31917 -j ACCEPT
-A INPUT -p tcp --sport 31916 --dport 31967 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 31921 -j ACCEPT
-A INPUT -p tcp --dport 31922 -j ACCEPT
-A INPUT -p tcp --dport 31923 -j ACCEPT
-A INPUT -p tcp --dport 31931 -j ACCEPT
-A INPUT -p tcp --dport 31932 -j ACCEPT
-A INPUT -p udp --dport 162 -j ACCEPT
-A INPUT -p tcp --dport 32061 -j ACCEPT
-A INPUT -p tcp --dport 32062 -j ACCEPT
-A INPUT -p tcp --dport 32101 -j ACCEPT
-A INPUT -p tcp --dport 10162 -j ACCEPT
-A INPUT -p tcp --sport 32008 --dport 32012 -j ACCEPT
-A INPUT -p udp --dport 32190:32209 -j ACCEPT
-A INPUT -p tcp --dport 32987 -j ACCEPT
-A INPUT -p udp --dport 69 -j ACCEPT
-A INPUT -p udp --dport 32182 -j ACCEPT
-A INPUT -p tcp --dport 32150:32159 -j ACCEPT
-A INPUT -p udp --dport 32160:32169 -j ACCEPT
-A INPUT -p tcp --dport 32145:32154 -j ACCEPT
# upper-layer and third-party system
-A INPUT -p udp --dport 4700 -j ACCEPT
-A INPUT -p tcp --dport 32066 -j ACCEPT
-A INPUT -p tcp --dport 32067 -j ACCEPT
-A INPUT -p tcp --dport 32069 -j ACCEPT
-A INPUT -p tcp --dport 31850:31859 -j ACCEPT
-A INPUT -p tcp --dport 32102 -j ACCEPT
-A INPUT -p tcp --dport 32103 -j ACCEPT
-A INPUT -p tcp --dport 9131 -j ACCEPT
-A INPUT -p tcp --dport 9141 -j ACCEPT
# network device manager
-A INPUT -p udp --dport 10162 -j ACCEPT
-A INPUT -p udp --dport 32175 -j ACCEPT
-A INPUT -p tcp --dport 32176 -j ACCEPT
-A INPUT -p udp --dport 32185 -j ACCEPT
-A INPUT -p tcp --dport 32270 -j ACCEPT
-A INPUT -p udp --dport 514 -j ACCEPT
# server device manager
-A INPUT -p tcp --dport 38084 -j ACCEPT
# storage device manager
-A INPUT -p tcp --dport 8000:8090 -j ACCEPT
-A INPUT -p tcp --dport 7890 -j ACCEPT
-A INPUT -p tcp --dport 8901 -j ACCEPT
-A INPUT -p tcp --dport 38083 -j ACCEPT
# ucc terminal device manager
-A INPUT -p tcp --dport 38444 -j ACCEPT
-A INPUT -p tcp --dport 9444 -j ACCEPT
-A INPUT -p tcp --dport 38081 -j ACCEPT
-A INPUT -p tcp --dport 32234 -j ACCEPT
-A INPUT -p tcp --dport 8444 -j ACCEPT
-A INPUT -p tcp --dport 8089 -j ACCEPT
-A INPUT -p udp --dport 3478 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 32241 -j ACCEPT
-A INPUT -p tcp --dport 8998 -j ACCEPT
# uc device manager
-A INPUT -p tcp --dport 14001 -j ACCEPT
-A INPUT -p tcp --dport 32237 -j ACCEPT
-A INPUT -p tcp --dport 32236 -j ACCEPT
# telepresence device manager
-A INPUT -p tcp --dport 11942 -j ACCEPT
# video surveillance device manager
-A INPUT -p tcp --dport 32240 -j ACCEPT
# elte device management
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 7548 -j ACCEPT
-A INPUT -p tcp --dport 8445 -j ACCEPT
-A INPUT -p tcp --dport 32106 -j ACCEPT
-A INPUT -p tcp --dport 32143 -j ACCEPT
# unibi storage reporter
-A INPUT -p tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp --dport 48000 -j ACCEPT
# wlan manager
-A INPUT -p udp --dport 32181 -j ACCEPT
# virtual resources manager
-A INPUT -p tcp --dport 32202 -j ACCEPT
-A INPUT -p tcp --dport 5671 -j ACCEPT
-A INPUT -p tcp --sport 25672 --dport 25672 -j ACCEPT
-A INPUT -p tcp --sport 4369 --dport 4369 -j ACCEPT
# network traffic analyzer manager
-A INPUT -p tcp --dport 32178 -j ACCEPT
-A INPUT -p udp --dport 9995 -j ACCEPT
-A INPUT -p udp --dport 9996 -j ACCEPT
# pon network device manager
# ha system
-A INPUT -p tcp --dport 31841 -j ACCEPT
-A INPUT -p tcp --dport 31842 -j ACCEPT
-A INPUT -p tcp --dport 31843 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
# -A INPUT -j REJECT
# -A FORWARD -j REJECT
COMMIT
- Run the following command to convert the file to Linux (LF) line endings, in case it was pasted from a Windows client:
dos2unix /etc/sysconfig/iptables.esight.rules
- Run the following command to load the new rules so that they take effect. The rule set accepts established connections and new connections to TCP port 22, so the SSH session used to load it is not cut off:
iptables-restore < /etc/sysconfig/iptables.esight.rules
- Configure the rules to load automatically at startup. Edit the /etc/init.d/boot.local file (the same boot script the forwarding rules were exported from earlier):
vi /etc/init.d/boot.local
Add the following line alongside the existing iptables commands, press Esc to switch to the command line mode, and run the :wq! command to save the configuration.
iptables-restore < /etc/sysconfig/iptables.esight.rules
- Run the following command to load the port forwarding rules configured on eSight:
sh /opt/esight.iptables.sh
- Check that the eSight services function normally.
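Before loading a rule file, it is worth listing exactly which inbound ports it opens and confirming that the default policies are still DROP, then comparing that list with the services this server actually hosts. The following script is an added example, not part of the eSight documentation; it reads any file in iptables-save format, such as /etc/sysconfig/iptables.esight.rules, and the sample rules it embeds are a constructed subset of the eSight file.

```shell
# Added example (not from the eSight documentation): audit a rules file in
# iptables-save format before loading it, so the inbound ports it opens can
# be compared with the services this server really needs.

# list_open_ports FILE: one "proto port section" line per active INPUT ACCEPT
# rule carrying --dport; "section" is the nearest comment heading above it.
list_open_ports() {
    awk '
        /^# *-A / { next }        # commented-out rule, not a section heading
        /^#/ { section = substr($0, 2); sub(/^ +/, "", section); next }
        /^-A INPUT/ && / -j ACCEPT/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") printf "%s %s %s\n", proto, port, section
        }
    ' "$1"
}

# count_open_ports FILE: number of distinct proto/port pairs accepted inbound.
count_open_ports() {
    list_open_ports "$1" | awk '{ print $1, $2 }' | sort -u | wc -l | tr -d ' '
}

# check_defaults FILE: succeeds only if all three built-in chains default to
# DROP and the file is terminated by COMMIT, as the eSight file is.
check_defaults() {
    grep -q '^:INPUT DROP' "$1" && grep -q '^:FORWARD DROP' "$1" \
        && grep -q '^:OUTPUT DROP' "$1" && grep -q '^COMMIT' "$1"
}
# Constructed sample (a small subset of the eSight layout) for a stand-alone run.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere
# -A INPUT -p tcp --dport 31942 -j ACCEPT
# eSight platform
-A INPUT -p tcp --dport 32002 -j ACCEPT
-A INPUT -p udp --dport 32190:32209 -j ACCEPT
COMMIT
EOF
check_defaults "$SAMPLE_RULES" && list_open_ports "$SAMPLE_RULES"
```

Point list_open_ports at the real rule file on the eSight server to get the full inventory; the commented-out 31942 rule in the sample is deliberately skipped, which is why the count is 3.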
Troubleshooting
If an exception occurs, run the following command to roll back firewall rules:
iptables-restore < /opt/iptables.current.rules