Delete all rules:
rmfilt -v 4 -n all

1. List all deny rules; note the rule number, the address and the port.
root@ODS_DB1[/tmp/ibmsupt]# lsfilt |grep -p 0.0.0.0
Beginning of IPv4 filter rules.
Rule 242:
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 192.168.10.188
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : all
Source Port : gt 1023
Destination Port : eq 50000
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description :

Rule 243:
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 192.168.10.190
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : all
Source Port : gt 1023
Destination Port : eq 50000
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description :

Rule 244:
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 192.168.10.190
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : all
Source Port : gt 1023
Destination Port : eq 23
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description :

Rule 245:
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 192.168.10.188
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : all
Source Port : gt 1023
Destination Port : eq 23
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description :
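
2. Delete the deny rule by its rule number. (Note: after a rule is deleted, the rules after it automatically move up by one. To delete another rule, list the rules again before deleting.)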
root@ODS_DB1[/tmp/ibmsupt]# rmfilt -v 4 -n 242
Filter rule 242 for IPv4 has been removed successfully.

3. Add the permit rules; check the IP address, mask and port.
genfilt -v 4 -a P -s 192.168.10.141 -m 255.255.255.255 -d 192.168.10.191 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000
genfilt -v 4 -a P -s 192.168.10.143 -m 255.255.255.255 -d 192.168.10.191 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000
genfilt -v 4 -a P -s 192.168.10.141 -m 255.255.255.255 -d 192.168.10.189 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000
genfilt -v 4 -a P -s 192.168.10.143 -m 255.255.255.255 -d 192.168.10.189 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000

4. Add the deny rules for the address and port.
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 192.168.10.191 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 192.168.10.189 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000

5. Update the rules.
mkfilt -v 4 -u

6. Check whether the rules have taken effect (including the deny rules).
lsfilt |grep -p 192.168.10.141
lsfilt |grep -p 0.0.0.0

121 permit 192.168.10.0 255.255.255.224 136.5.9.51 255.255.255.255 yes all gt 1 eq 2201 both both no all packets 0 all 0 none
122 permit 192.168.10.245 255.255.255.255 136.5.9.51 255.255.255.255 yes all gt 1023 eq 2201 both both no all packets 0 all 0 none
123 deny 0.0.0.0 0.0.0.0 136.5.9.51 255.255.255.255 yes all gt 1 eq 2201 both both no all packets 0 all 0 none
121 permit 192.168.10.0 255.255.255.224 136.5.9.51 255.255.255.255 yes all gt 1 eq 2201 both both no all packets 0 all 0 none
122 permit 192.168.10.245 255.255.255.255 136.5.9.51 255.255.255.255 yes all gt 1023 eq 2201 both both no all packets 0 all 0 none
123 permit 192.168.10.178 255.255.255.0 136.5.9.51 255.255.255.255 yes all gt 1023 eq 2201 both both no all packets 0 all 0 none
124 deny 0.0.0.0 0.0.0.0 136.5.9.51 255.255.255.255 yes all gt 1 eq 2201 both both no all packets 0 all 0 none
genfilt -v 4 -n 123 -a P -s 192.168.10.178 -m 255.255.255.0 -d 136.5.9.51 -M 255.255.255.255 -o gt -p 1023 -O eq -P 2201
PS: if you need a whole range of IPs, e.g.
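
Step 2's renumbering caveat, as an added example (not part of the original notes): the script finds the deny rules for a port in verbose lsfilt output and prints the rmfilt commands highest rule number first, so no pending target shifts after a deletion. The function names and the sample listing are constructed for illustration, and it assumes lsfilt prints one field per line.

```shell
#!/bin/sh
# Added example: list the deny rules for a port and plan their removal
# highest-number-first, so renumbering cannot shift a pending target.

# deny_rules_desc PORT [DEST_ADDR]: reads verbose lsfilt output on stdin.
deny_rules_desc() {
    awk -v port="$1" -v dst="$2" '
        function emit() {
            if (rule != "" && action == "deny" && op == "eq" && dport == port &&
                (dst == "" || daddr == dst)) print rule
        }
        /^[ \t]*Rule [0-9]+:/ { emit(); rule = $2; sub(/:$/, "", rule)
                                action = daddr = op = dport = ""; next }
        /^[ \t]*Rule action/         { action = $NF }
        /^[ \t]*Destination Address/ { daddr = $NF }
        /^[ \t]*Destination Port/    { op = $(NF-1); dport = $NF }
        END { emit() }
    ' | sort -rn
}

# plan_removals PORT [DEST_ADDR]: print (not run) the rmfilt commands.
plan_removals() {
    deny_rules_desc "$1" "$2" | while read -r n; do
        echo "rmfilt -v 4 -n $n"
    done
}

# Constructed sample, trimmed to the fields the parser reads.
sample_lsfilt() {
    cat <<'EOF'
Rule 241:
Rule action : permit
Destination Address : 192.168.10.188
Destination Port : eq 50000
Rule 242:
Rule action : deny
Destination Address : 192.168.10.188
Destination Port : eq 50000
Rule 243:
Rule action : deny
Destination Address : 192.168.10.190
Destination Port : eq 50000
Rule 244:
Rule action : deny
Destination Address : 192.168.10.190
Destination Port : eq 23
EOF
}

sample_lsfilt | plan_removals 50000
```

On a live host, pipe `lsfilt` into `plan_removals`, review the printed commands before running them, then activate the change with `mkfilt -v 4 -u`.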