Previous Index Next
ISCS version 0.1.1
The included upgrade scripts are not cumulative, i.e., you must follow the instructions for each upgrade between the version you are currently running and this version. For example, if upgrading from an ISCS version prior to 0.0.5, one must first perform the database updates described in the 0.0.5 upgrade instructions , 0.0.6 upgrade instructions and 0.0.6.2 upgrade instructions before executing the below instructions.
Version 0.0.6.3 includes a change to the firewall rule order for iptables based firewalls in order to accommodate transparent proxies. At this point, ISCS does not automate the implementation of transparent proxy; this must be done manually by entering the appropriate rules in the iptables.postboot.custom.local file on each PEP. The redirect rules should be added to the ProxyDNAT (or ProxySNAT) chains of the NAT table and not in the PREROUTING (or POSTROUTING) chains.
The below SPM instructions should be followed for every installation regardless of firewall type. The below PEP instructions only need to be followed for iptables based firewalls (including SecureComputing SG series devices).
These steps must be done for each installed SPM, i.e., the ISCS GUI configuration tool:
Copy the four files named iptables.chains, iptables.chains.b, iptables.boot.nat.b and iptables.boot.nat.b from the SPMdirs directory of the ISCS archive (wherever you untarred or unzipped the ISCS package) into the BaseFiles directory in the SPM installation directory. There is only one BaseFiles directory per SPM, i.e., there is not one for every DBD instance in those environments with multiple DBDs. For example:
cp /download/ISCS/SPMdirs/iptables.boot.nat.b /usr/local/SPM/BaseFiles/
The easiest way to upgrade the PEPs is to reinitialize each iptables based PEP by clicking on the reinitialize PEP check box in the PEP tab. This will automatically upgrade each PEP reinitialized PEP.
If this is not practical or desirable, each PEP can be manually edited. One should not do this unless one is expert at directly manipulating iptables.
Edit the iptables.chains file on each PEP by adding the following two lines to the *nat section:
Edit the iptables.boot file on each PEP by adding the following two lines to the *nat section:
-I ServiceSNAT 1 -j ProxySNAT
-I ServiceDNAT 1 -j ProxyDNAT
Edit the iptables.postboot.local file on each PEP by changing any line which reads:
-I ServiceSNAT 1 <any text>
-I ServiceSNAT 2 <the same text – do not change>
and any line which reads:
-I ServiceDNAT 1 <any text>
-I ServiceDNAT 2 <the same text – do not change>
(If you the PEP is an SG570 with a firmware version so old that it does not accept dynamic ISCS updates, you cannot use the iptables-restore syntax of the above changes and will need to use iptables syntax instead, i.e., preceed each of the above lines with "iptables -t nat " (without the quotation marks).)
Execute the iptables commands to create the new chains and jumps:
iptables -t nat -N ProxyDNAT
iptables -t nat -N ProxySNAT
iptables -t nat -I ServiceSNAT 1 -j ProxySNAT
iptables -t nat -I ServiceDNAT 1 -j ProxyDNAT
The PEP is now upgraded.
Previous Index Next