
[SBR] Minimum iptables input permissions for SBR Carrier on Linux


Article ID: KB23655 KB Last Updated: 04 Mar 2017Version: 2.0
Summary:

This article lists the minimum inbound iptables rules that SBR Carrier needs on a Linux server whose INPUT chain is otherwise locked down.

Symptoms:
  • You want to lock down the Linux server so that only the ports SBR Carrier actually needs are open.

  • This article gives the minimum set of inbound ports required for standard RADIUS functionality and administration of SBR Carrier.
Cause:
 
Solution:

SBR Carrier must be able to receive on the standard RADIUS UDP ports (1812 for authentication, 1813 for accounting) and on the same two ports over TCP. With the rules in place, `iptables -L INPUT` shows the following entries (the service names radius and radius-acct are resolved from /etc/services; run `iptables -L -n` to see the port numbers instead):

  • ACCEPT udp -- anywhere anywhere state NEW udp dpt:radius

  • ACCEPT udp -- anywhere anywhere state NEW udp dpt:radius-acct

  • ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:radius-acct

  • ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:radius

You can restrict access further by limiting each rule to a source address or network. The following commands insert (-I) the rules at the top of the INPUT chain, so they take effect ahead of any existing DROP rule; replace <source-address>/<mask> with the network your RADIUS clients and administrators connect from:
iptables -I INPUT -m state --state NEW -m udp -p udp --dport 1812 -s <source-address>/<mask> -j ACCEPT
iptables -I INPUT -m state --state NEW -m udp -p udp --dport 1813 -s <source-address>/<mask> -j ACCEPT
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 1813 -s <source-address>/<mask> -j ACCEPT
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 1812 -s <source-address>/<mask> -j ACCEPT

This is not a comprehensive list of every port the server may need; it is the minimum for standard RADIUS functionality and administrator access to SBR Carrier. Before you switch the INPUT chain to a default DROP policy, consult your Linux system administrator about which other ports must stay open for normal server administration and access (remote shell access and any monitoring agents, for example), and make sure the chain still accepts loopback traffic and RELATED,ESTABLISHED connections, or you risk locking yourself out of the host.
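The following helper script is an added example and is not part of the Juniper article or of the SBR Carrier product. It wraps the four rules above in a function that validates the source network, skips rules that are already present (using `iptables -C`), and can be run with IPTABLES_DRYRUN=1 to print the commands instead of applying them. It also includes an audit function that reads `iptables -S INPUT` output and reports, for each required port, whether the rule is missing or accepts connections from any source. The function names, the IPTABLES_DRYRUN variable and the sample rule set in the usage note are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Juniper article): apply and audit the minimum
# SBR Carrier INPUT rules. Set IPTABLES_DRYRUN=1 to print instead of apply.

# ipt: run iptables, or echo the command when IPTABLES_DRYRUN=1.
ipt() {
    if [ "${IPTABLES_DRYRUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# cidr_ok NETWORK/PREFIX: accept only dotted-quad IPv4 with a 0-32 prefix.
cidr_ok() {
    case "$1" in
        */*) ;;                  # a prefix length is mandatory
        *) return 1 ;;
    esac
    case "$1" in
        *[!0-9./]*) return 1 ;;  # only digits, dots and the slash
    esac
    prefix=${1#*/}
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ]
}

# sbr_allow PROTO PORT SOURCE_CIDR: insert one ACCEPT rule for new
# connections unless an identical rule already exists (iptables -C).
sbr_allow() {
    proto=$1; port=$2; src=$3
    set -- INPUT -m state --state NEW -p "$proto" -m "$proto" \
        --dport "$port" -s "$src" -j ACCEPT
    if [ "${IPTABLES_DRYRUN:-0}" != "1" ] && iptables -C "$@" 2>/dev/null; then
        return 0    # already present, keep the chain idempotent
    fi
    ipt -I "$@"
}

# sbr_lockdown SOURCE_CIDR: the article's minimum set, UDP and TCP 1812/1813.
sbr_lockdown() {
    if ! cidr_ok "$1"; then
        echo "usage: sbr_lockdown <network>/<prefix>" >&2
        return 1
    fi
    for proto in udp tcp; do
        for port in 1812 1813; do
            sbr_allow "$proto" "$port" "$1" || return 1
        done
    done
}

# sbr_audit: read `iptables -S INPUT` on stdin; print OK / OPEN / MISSING
# per required rule and return non-zero if anything is open or missing.
sbr_audit() {
    rules=$(cat)
    rc=0
    for proto in udp tcp; do
        for port in 1812 1813; do
            line=$(printf '%s\n' "$rules" | grep -- "-p $proto " \
                   | grep -- "--dport $port " | grep -- "-j ACCEPT" | head -n 1)
            if [ -z "$line" ]; then
                echo "MISSING  $proto/$port"; rc=1
            elif printf '%s\n' "$line" | grep -q -- ' -s '; then
                echo "OK       $proto/$port restricted: $line"
            else
                echo "OPEN     $proto/$port accepts from any source"; rc=1
            fi
        done
    done
    return $rc
}

# Apply the rules when a network is given on the command line, e.g.
#   IPTABLES_DRYRUN=1 sh sbr-fw.sh 10.1.2.0/24
if [ -n "${1:-}" ]; then
    sbr_lockdown "$1"
fi
```

To check a running host, pipe the live chain into the audit: `iptables -S INPUT | sbr_audit`. A rule reported as OPEN matches the article's first listing (source "anywhere"); re-adding it with the source-restricted form and then deleting the open one tightens it without a window in which SBR traffic is dropped. Persist the result with `iptables-save` (or your distribution's equivalent) once the audit is clean.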
