1888 Views, 0 Helpful, 8 Replies

[RVS 4000] Setup secure ACL

keessince1988 (Level 1)

I want to make an ACL that will allow the minimum traffic. For example, only HTTP, DNS, SSH, FTP, TeamSpeak and Torrents.

This doesn't seem to be possible with the ACL on my Cisco Small Business RVS4000; I can only choose from predefined settings.

I can't set up my own source and destination IPs and ports, so that isn't very useful.

I might be wrong, so that's why I posted this thread. Is there a way to allow a minimum traffic flow with the ACL?

When I only allow HTTP, DNS, etc. and deny the rest I can't use my TeamSpeak, MSN and Torrents anymore.

This is what I have now and which works, but isn't secure... Check the screenshot below. Below that is my iptables configuration; an ACL like that would be my idea of secure.

acl.png

#!/bin/sh
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
INT_NET=192.168.1.32/28
LO=127.0.0.0/8

#####################################################################
###   Flush existing rules and set chain policy setting to DROP   ###
#####################################################################
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t filter
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

################################
###   KERNEL modifications   ###
################################
echo "[+] Setting up KERNEL modifications..."
$MODPROBE ip_conntrack
# Disable IP forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
# Enable IP spoofing protection
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
# Protect against SYN flood attacks
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#######################
###   INPUT chain   ###
#######################
echo "[+] Setting up INPUT chain..."
### State tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### ACCEPT rules for allowing connections in
### Loopback
$IPTABLES -A INPUT -i lo -s $LO -d $LO -m state --state NEW -j ACCEPT
# SSH
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -m recent --set --name SSH
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --rttl --name SSH -j DROP
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
### Anti-spoofing rules
$IPTABLES -A INPUT -d $INT_NET -j LOG --log-prefix "SPOOFED PACKET "
$IPTABLES -A INPUT -d $INT_NET -j DROP
### Default INPUT LOG rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

########################
###   OUTPUT chain   ###
########################
echo "[+] Setting up OUTPUT chain..."
### State tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### ACCEPT rules for allowing connections out
# Loopback
$IPTABLES -A OUTPUT -o lo -s $LO -d $LO -m state --state NEW -j ACCEPT
# SSH
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
# Whois
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
# DNS
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# HTTP
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
# NTP
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
# HTTPS
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
# MSN
$IPTABLES -A OUTPUT -p tcp --dport 1863 --syn -m state --state NEW -j ACCEPT
# RWhois
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
# Google Talk
$IPTABLES -A OUTPUT -p tcp --dport 5222 --syn -m state --state NEW -j ACCEPT
# KTorrent
$IPTABLES -A OUTPUT -p tcp --dport 6881 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 6881 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4444 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 4444 -m state --state NEW -j ACCEPT
# IRC
#$IPTABLES -A OUTPUT -p tcp --dport 6667 -m state --state NEW -j ACCEPT
# Teamspeak Voice
$IPTABLES -A OUTPUT -p udp --dport 9987 -m state --state NEW -j ACCEPT
# Teamspeak Serverquery
$IPTABLES -A OUTPUT -p tcp --dport 10011 --syn -m state --state NEW -j ACCEPT
# Teamspeak Update Server
#$IPTABLES -A OUTPUT -p udp --dport 17384 -m state --state NEW -j ACCEPT
# Teamspeak Filetransfer
$IPTABLES -A OUTPUT -p tcp --dport 30033 --syn -m state --state NEW -j ACCEPT
# Ping
$IPTABLES -A OUTPUT -s $INT_NET -p icmp --icmp-type echo-request -j ACCEPT
### Default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

#########################
###   FORWARD chain   ###
#########################
echo "[+] Setting up FORWARD chain..."
### State tracking rules
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
### Anti-spoofing rules
$IPTABLES -A FORWARD -d $INT_NET -j LOG --log-prefix "SPOOFED PACKET "
$IPTABLES -A FORWARD -d $INT_NET -j DROP
### Default FORWARD LOG rule
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
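The posted script is the default-deny pattern the question is asking the router for: every chain policy is DROP, conntrack accepts ESTABLISHED/RELATED, and only named (protocol, port) pairs are opened for NEW connections. The Python below is an added example, not part of the original post: a small parser that reads an iptables shell script written in that style and reports the chain policies, the pairs each chain opens for new connections, and a few audit findings a reviewer would raise. The ruleset it reads is a constructed subset of the script above with the FORWARD policy deliberately changed to ACCEPT so the audit has something to flag; the function and class names are mine.

```python
"""Parse an iptables shell script of the style above and audit its allow-list.

Added example; the sample ruleset is a constructed subset of the posted script
with the FORWARD policy deliberately weakened to ACCEPT so that audit() flags it.
"""
import shlex
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    chain: str
    target: str = ""
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: set = field(default_factory=set)   # conntrack states the rule matches
    raw: str = ""


@dataclass
class Ruleset:
    policies: dict = field(default_factory=dict)   # chain -> default policy
    rules: list = field(default_factory=list)


def parse_iptables_script(text: str) -> Ruleset:
    """Walk the script line by line; only $IPTABLES -P / -A lines carry a decision."""
    rs = Ruleset()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # comments and disabled rules
            continue
        toks = shlex.split(line)                    # honours quoted --log-prefix values
        if not toks or toks[0] not in ("$IPTABLES", "iptables", "/sbin/iptables"):
            continue                                # echo, modprobe, for-loops, variables
        if "-P" in toks:
            i = toks.index("-P")
            rs.policies[toks[i + 1]] = toks[i + 2]
            continue
        if "-A" not in toks:                        # -F, -X, ... make no accept/drop decision
            continue
        rule = Rule(chain=toks[toks.index("-A") + 1], raw=line)
        for i, tok in enumerate(toks[:-1]):
            nxt = toks[i + 1]
            if tok == "-p":
                rule.proto = nxt
            elif tok == "--dport":
                rule.dport = int(nxt) if nxt.isdigit() else nxt   # ranges stay as text
            elif tok == "--state":
                rule.states = set(nxt.split(","))
            elif tok == "-j":
                rule.target = nxt
        rs.rules.append(rule)
    return rs


def allowed(rs: Ruleset, chain: str) -> list:
    """(proto, dport) pairs that `chain` ACCEPTs for NEW connections; None = unrestricted."""
    pairs = {(r.proto, r.dport) for r in rs.rules
             if r.chain == chain and r.target == "ACCEPT" and "NEW" in r.states}
    return sorted(pairs, key=lambda p: (p[0] or "", p[1] if isinstance(p[1], int) else 0))


def audit(rs: Ruleset) -> list:
    """Findings a reviewer would raise against a supposedly default-deny ruleset."""
    findings = []
    for chain in ("INPUT", "OUTPUT", "FORWARD"):
        policy = rs.policies.get(chain, "unset")
        if policy != "DROP":
            findings.append(f"{chain}: default policy is {policy}, not DROP")
    for r in rs.rules:
        if r.target == "ACCEPT" and not r.states:
            findings.append(f"{r.chain}: ACCEPT without a conntrack state match: {r.raw}")
    out = set(allowed(rs, "OUTPUT"))
    if ("udp", 53) in out and ("tcp", 53) not in out:
        findings.append("OUTPUT: udp/53 is open but tcp/53 is not; resolvers that retry "
                        "truncated answers over TCP will be dropped")
    return findings


# Constructed sample: a subset of the posted script, FORWARD weakened on purpose.
SAMPLE = r'''
IPTABLES=/sbin/iptables
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 6667 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.1.32/28 -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options
'''

if __name__ == "__main__":
    rs = parse_iptables_script(SAMPLE)
    print("policies:", rs.policies)
    for chain in ("INPUT", "OUTPUT"):
        print(f"{chain} opens for NEW:", allowed(rs, chain))
    for f in audit(rs):
        print("FINDING:", f)
```

Run against the full script above (read the file instead of SAMPLE), the parser lists exactly the outbound services the post enumerates, and the only findings are the stateless ping rule and the missing tcp/53, which is worth knowing before DNS answers larger than 512 bytes start failing silently behind a default-DROP OUTPUT chain.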


8 Replies

keessince1988 (Level 1)

Nobody?

Try the following alias

https://supportforums.cisco.com/community/netpro/small-business/routers

It should have more experts to address the RVS4000 questions there.

This alias focuses more on the SA500.

Richard

This post has been moved to the Small Business Routers area by: Cindy Toy, Small Business Community Manager

Te-Kai Liu (Level 7)

You could define your own services in the Web Admin utility - see attached screenshots.

I explored that feature, but it doesn't feel like it's related to the rules I apply. For example, I have these 3 rules now; when I go into that manager and define a port for SSH, for example, then that port is also in the manager for 'deny all'. So what's the clue? Do I have to give the ACL and the port definition the same name, and then only those two are related to each other? Because at this point the two menus don't feel related.

PS: Thanks rshao

Without getting into specifics, here is a simple use case of the ACL on the RVS4000. I am trying to deny all LAN users' access to a particular IP address on the internet and only allow my PC (192.168.10.100) to use the hypothetical service "TestService", which uses TCP port 6000.

I know that, but my question is from the start: do those two menus interact? And how do they interact? Is it linked when I declare the service 'Custom_SSH' in the manager and then use 'Custom_SSH' in the ACL? Do they speak the same language? Because it doesn't feel like that.

Accepted Solution

Once added to the service management table, a custom service should be available for a new ACL to reference. If the router does not behave this way, you might want to call the Small Business Support Center to open a bug report so the issue can be addressed.
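The accepted answer and the use case a few replies up make the same point: the service-management table and the ACL are two tables linked only by the service name, and an ACL rule either references a name the table defines or it cannot be built. The Python below is an added example, not the router's firmware or Cisco code: a hypothetical model of that name-linked design, with first-match-wins rule order. It encodes the use case from the thread (only 192.168.10.100 may reach "TestService", TCP 6000, on one internet address; the rest of the LAN is denied) and the original poster's goal (deny all outbound except named services). The target address 203.0.113.10, the LAN prefix 192.168.10.0/24 and the default actions are assumptions I supplied; the thread does not give them.

```python
"""Model of a name-linked service table plus ordered ACL, as on the RVS4000 admin UI.

Added example, not the router's firmware: a hypothetical model in which an ACL rule
refers to a service purely by the name it was given in the service-management table.
The addresses, the LAN prefix and the default actions below are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Service:
    protocol: str      # "tcp" or "udp"
    port_lo: int
    port_hi: int

    def matches(self, protocol: str, port: int) -> bool:
        return protocol == self.protocol and self.port_lo <= port <= self.port_hi


@dataclass(frozen=True)
class AclRule:
    action: str        # "allow" or "deny"
    service: str       # name from the service table, or "any"
    source: str        # CIDR, or "any"
    destination: str   # CIDR, or "any"


def _in(addr, cidr: str) -> bool:
    return cidr == "any" or addr in ipaddress.ip_network(cidr, strict=False)


class Acl:
    def __init__(self, services: Dict[str, Service], rules: List[AclRule], default: str):
        # The only link between the two tables is the service name: a rule that names
        # a service the table does not define is rejected when the ACL is loaded.
        for r in rules:
            if r.service != "any" and r.service not in services:
                raise KeyError(f"ACL rule references undefined service {r.service!r}")
        self.services, self.rules, self.default = services, rules, default

    def evaluate(self, src: str, dst: str, protocol: str, port: int) -> str:
        """First matching rule wins, top to bottom; otherwise the default applies."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if not (_in(src_ip, r.source) and _in(dst_ip, r.destination)):
                continue
            if r.service != "any" and not self.services[r.service].matches(protocol, port):
                continue
            return r.action
        return self.default


# Constructed values: 203.0.113.10 stands in for "a particular IP address on the
# internet", and the LAN is assumed to be 192.168.10.0/24 from the PC address given.
TARGET = "203.0.113.10/32"
LAN = "192.168.10.0/24"


def lan_lockdown_acl() -> Acl:
    """The use case in the thread: only 192.168.10.100 may reach TestService on TARGET."""
    services = {"TestService": Service("tcp", 6000, 6000)}
    rules = [
        AclRule("allow", "TestService", "192.168.10.100/32", TARGET),
        AclRule("deny", "any", LAN, TARGET),
    ]
    return Acl(services, rules, default="allow")


def minimum_outbound_acl() -> Acl:
    """The original poster's goal: deny everything outbound except named services."""
    services = {
        "HTTP": Service("tcp", 80, 80),
        "HTTPS": Service("tcp", 443, 443),
        "DNS": Service("udp", 53, 53),
        "SSH": Service("tcp", 22, 22),
        "TeamSpeak_Voice": Service("udp", 9987, 9987),
    }
    rules = [AclRule("allow", name, LAN, "any") for name in services]
    return Acl(services, rules, default="deny")


if __name__ == "__main__":
    acl = lan_lockdown_acl()
    print(acl.evaluate("192.168.10.100", "203.0.113.10", "tcp", 6000))            # allow
    print(acl.evaluate("192.168.10.101", "203.0.113.10", "tcp", 6000))            # deny
    print(minimum_outbound_acl().evaluate("192.168.10.5", "198.51.100.7", "tcp", 6881))  # deny
```

The ordering matters in the lockdown case: if the deny-all-LAN rule were listed first, the specific allow for 192.168.10.100 would never be reached. In the minimum-outbound case, the deny is the default rather than a rule, so every service the poster wants (the torrent and TeamSpeak ports included) has to be defined by name in the table and then referenced by an allow rule, which is exactly the linkage the thread was asking about.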

Thanks! I didn't see that.
