[RVS 4000] Setup secure ACL

Sep 23rd, 2010

I want to make an ACL that will allow the minimum traffic. For example only: HTTP, DNS, SSH, FTP, TeamSpeak, Torrents.

This doesn't seem to be possible with the ACL on my Cisco Small Business RVS4000; I can only choose from predefined settings.

I can't set up my own source and destination IPs and ports, so that isn't very useful.

I might be wrong, so that's why I posted this thread. Is there a way to allow a minimum traffic flow with the ACL?

When I only allow HTTP, DNS, etc. and deny the rest, I can't use my TeamSpeak, MSN and Torrents anymore.

This is what I have now and which works, but isn't secure... Check the screenshot below. Below that is my iptables configuration; an ACL like that would be my idea of secure.

[Screenshot: acl.png]

#!/bin/sh
# Host firewall: default-drop on every chain, then allow only the listed services.
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
INT_NET=192.168.1.32/28
LO=127.0.0.0/8
# EXT_IF is an assumption added for the anti-spoofing rules below: the interface
# facing the untrusted network. Adjust it to your host; on a single-interface
# host the rp_filter setting below already provides the equivalent check.
EXT_IF=eth0


#####################################################################
###   Flush existing rules and set chain policy setting to DROP   ###
#####################################################################
echo "[+] Flushing existing iptables rules..."
# -F without -t only flushes the filter table, so flush nat and mangle too
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP


################################
###   KERNEL modifications   ###
################################
echo "[+] Setting up KERNEL modifications..."
# Connection tracking module (called nf_conntrack on newer kernels)
$MODPROBE ip_conntrack
# Disable IP forwarding: this host is not a router
echo 0 > /proc/sys/net/ipv4/ip_forward
# Enable reverse-path filtering (IP spoofing protection) on every interface
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$i"; done
# Protect against SYN flood attacks
echo 1 > /proc/sys/net/ipv4/tcp_syncookies


#######################
###   INPUT chain   ###
#######################
echo "[+] Setting up INPUT chain..."
### State tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### Anti-spoofing rules (before any ACCEPT rule, so spoofed SYNs never reach them):
### a packet from the external interface must not claim an internal source, and
### a loopback source is only valid on lo
$IPTABLES -A INPUT -i $EXT_IF -s $INT_NET -j LOG --log-prefix "SPOOFED PACKET "
$IPTABLES -A INPUT -i $EXT_IF -s $INT_NET -j DROP
$IPTABLES -A INPUT ! -i lo -s $LO -j LOG --log-prefix "SPOOFED PACKET "
$IPTABLES -A INPUT ! -i lo -s $LO -j DROP
### ACCEPT rules for allowing connections in
### Loopback
$IPTABLES -A INPUT -i lo -s $LO -d $LO -m state --state NEW -j ACCEPT
# SSH, rate limited: more than 4 new connections from one source in 120 s are dropped
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -m recent --set --name SSH
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --rttl --name SSH -j DROP
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
### Default INPUT LOG rule (the DROP policy then discards the packet)
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options


########################
###   OUTPUT chain   ###
########################
echo "[+] Setting up OUTPUT chain..."
### State tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### ACCEPT rules for allowing connections out
# Loopback
$IPTABLES -A OUTPUT -o lo -s $LO -d $LO -m state --state NEW -j ACCEPT
# SSH
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
# Whois
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
# DNS (UDP, plus TCP for responses too large for UDP)
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 --syn -m state --state NEW -j ACCEPT
# HTTP
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
# NTP
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
# HTTPS
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
# MSN
$IPTABLES -A OUTPUT -p tcp --dport 1863 --syn -m state --state NEW -j ACCEPT
# RWhois
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
# Google Talk
$IPTABLES -A OUTPUT -p tcp --dport 5222 --syn -m state --state NEW -j ACCEPT
# KTorrent
$IPTABLES -A OUTPUT -p tcp --dport 6881 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 6881 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4444 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 4444 -m state --state NEW -j ACCEPT
# IRC (disabled)
#$IPTABLES -A OUTPUT -p tcp --dport 6667 --syn -m state --state NEW -j ACCEPT
# Teamspeak Voice
$IPTABLES -A OUTPUT -p udp --dport 9987 -m state --state NEW -j ACCEPT
# Teamspeak Serverquery
$IPTABLES -A OUTPUT -p tcp --dport 10011 --syn -m state --state NEW -j ACCEPT
# Teamspeak Update Server (disabled)
#$IPTABLES -A OUTPUT -p udp --dport 17384 -m state --state NEW -j ACCEPT
# Teamspeak Filetransfer
$IPTABLES -A OUTPUT -p tcp --dport 30033 --syn -m state --state NEW -j ACCEPT
# Ping (outgoing echo requests; replies return as ESTABLISHED)
$IPTABLES -A OUTPUT -s $INT_NET -p icmp --icmp-type echo-request -j ACCEPT
### Default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options


#########################
###   FORWARD chain   ###
#########################
echo "[+] Setting up FORWARD chain..."
### State tracking rules
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
### Anti-spoofing rules (same source-address checks as INPUT)
$IPTABLES -A FORWARD -i $EXT_IF -s $INT_NET -j LOG --log-prefix "SPOOFED PACKET "
$IPTABLES -A FORWARD -i $EXT_IF -s $INT_NET -j DROP
### Default FORWARD LOG rule (forwarding is disabled above, so nothing should reach here)
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

keessince1988 Tue, 09/28/2010 - 00:58

I explored that feature, but it doesn't feel like it's related to the rules I apply. For example, I have these 3 rules now; when I go into that manager and define a port for SSH, for example, then that port is also in the manager for 'deny all'. So what's the clue? Do I have to give the ACL and the port definition the same name, and then only those two are related to each other? Because at this point the two menus don't feel related.


PS: Thanks rshao

Te-Kai Liu Tue, 09/28/2010 - 13:17

Without getting into specifics, here is a simple use case of the ACL on the RVS4000. I am trying to deny all LAN users' access to a particular IP address on the internet and only allow my PC (192.168.10.100) to be able to use the hypothetical service "TestService", which uses TCP port 6000.
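
The thread's two concrete policies, the allow-list from the opening post and the TestService use case above, modelled as a first-match ACL whose rules reference entries in a service table by name. This is an added example, not code from the router or from either poster; the service names, the LAN 192.168.10.0/24, the target 203.0.113.10 and the implicit deny are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model of an RVS4000-style ACL (not the router's code): a service
# table keyed by name, referenced from an ordered rule list that is evaluated
# first-match; the implicit deny when nothing matches is a modelling assumption.
SERVICES = {
    "HTTP": ("tcp", 80),
    "DNS": ("udp", 53),
    "Custom_SSH": ("tcp", 22),         # custom entry added to the service table
    "TeamSpeak_Voice": ("udp", 9987),  # custom entry, port from the iptables script
    "TestService": ("tcp", 6000),      # hypothetical service from the thread
    "All_Traffic": ("any", None),
}

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    service: str  # name in SERVICES: this is the link between the two menus
    src: str      # source CIDR
    dst: str      # destination CIDR

def _matches(rule, proto, dport, src_ip, dst_ip):
    sproto, sport = SERVICES[rule.service]  # KeyError: rule names an undefined service
    if sproto != "any" and (sproto, sport) != (proto, dport):
        return False
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst))

def evaluate(rules, proto, dport, src_ip, dst_ip):
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for rule in rules:
        if _matches(rule, proto, dport, src_ip, dst_ip):
            return rule.action
    return "deny"

# Te-Kai Liu's use case: only 192.168.10.100 may reach one internet host on
# TestService; 203.0.113.10 is a constructed placeholder for that host.
LAN, TARGET = "192.168.10.0/24", "203.0.113.10/32"
USE_CASE = [
    Rule("allow", "TestService", "192.168.10.100/32", TARGET),
    Rule("deny", "All_Traffic", LAN, TARGET),
]

# The original poster's allow-list: named services first, deny-all last.
ALLOWLIST = [Rule("allow", s, LAN, "0.0.0.0/0")
             for s in ("HTTP", "DNS", "Custom_SSH", "TeamSpeak_Voice")]
ALLOWLIST.append(Rule("deny", "All_Traffic", LAN, "0.0.0.0/0"))

# The same rules with deny-all first: it shadows every allow that follows it.
SHADOWED = ALLOWLIST[-1:] + ALLOWLIST[:-1]
```

A service that exists only in the ACL and not in the service table raises a KeyError here, which is the model's equivalent of the two menus not being linked.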

keessince1988 Wed, 09/29/2010 - 08:27

I know that, but my question from the start is: do those two menus interact? And how do they interact? Is it linked when I declare the service 'Custom_SSH' in the manager and then use 'Custom_SSH' in the ACL? Do they speak the same language? Because it doesn't feel like that.

Correct Answer
Te-Kai Liu Wed, 09/29/2010 - 08:34

Once being added to the service management table, a custom service should be available for a new ACL to reference. If the router does not behave this way, you might want to call the Small Business Support Center to open a bug report so the issue can be addressed.
