This section permits sets of IP filtering rules to be defined, edited and identified with specific names. The named set of filtering rules may then be associated with either the IP input or output filtering attributes of an interface (See the IP section). This allows the router to accomplish IP packet filtering on packets inbound to and outbound from a router. This method allows the greatest flexibility since common rules may be established and applied independently to the inbound and outbound interfaces.
edit config IP Filter "Name"
| Parameter | Description |
|---|---|
| "Name" | A unique name, up to 16 characters (spaces allowed), for this filter set. |
Due to the nature of the IP protocol, IP packet filtering can be quite complicated. If you are attempting to design and implement a comprehensive set of filters, or an Internet firewall, there are a number of references you should consult. Please see the references cited at the end of this section.
The rules are applied in the order they were written. When you select multiple filter sets for an interface, they are read from first to last as you entered them.
When you specify a rule, even if it is only a deny rule, the concentrator rejects all other packets unless you specifically allow them. To allow all other packets not filtered, make the last rule:
permit 0.0.0.0 0.0.0.0 ip
For example, if you only want to deny packets from IP address 192.67.89.3, enter two lines:
deny 192.67.89.3 0.0.0.0
permit 0.0.0.0 0.0.0.0 ip
After entering the edit config command, and then the append command, enter one or more filter rules using the following syntax:
{permit | deny} src_IP_address[/bits] dst_IP_address[/bits] [protocol] [log | icmp]
| Parameter | Description |
|---|---|
| permit \| deny | Whether packets matching the rule are permitted (forwarded) or denied (dropped). |
| src_IP_address[/bits] dst_IP_address[/bits] | The router compares the source and destination addresses in a packet with the addresses you enter here. An address may be given as a single host address, as 0.0.0.0 to match any address, or as address/bits, where bits is the number of leading bits that are significant when comparing against the addresses in the IP packet. For example, 192.15.32.0/19 matches all host addresses from 192.15.32.1 to 192.15.63.255. |
| protocol | One of {IP \| TCP [src operator port] [dst operator port] [est] \| UDP [src operator port] [dst operator port] \| ICMP [type operator port] \| GRE \| AH \| ESP \| OSPF \| proto operator protocol_number}. The packet matches the rule if it matches the protocol as well as the source and destination addresses. If the protocol has an optional operator and port, the packet must also match the port range. By default, the protocol is IP. Make sure you allow VPN traffic through. |
| operator port | Specifies the port range: the operator compares the packet's port number with port. The operators that appear in this section are =, <, <=, > and >=. port can be a decimal number between 0 and 65,535 or one of the keywords in the table below, which lists each keyword with its port number. Keywords used in the examples in this section also include smtp, mail, nntp, telnet, dns, nfs, rpc and mount. |
| est | For TCP, specifies that an external connection to a particular port is not allowed, but two-way traffic established by an internal machine can pass through the device. The device performs this operation by examining the flags in the TCP header. When a session is being established, the first packet contains only the "SYN" flag, while subsequent packets contain the "ACK" flag. A permit rule using the est keyword will not match a packet carrying only the "SYN" flag. Unless another rule allows it through, that packet is dropped: the "SYN" never reaches its destination, no reply is returned to the sender, and a connection is never established. See [Chapman 1995] pp. 8-9 and the examples later in this section. |
| proto operator protocol_number | Allows filtering of any protocol by number, including protocols that have no keyword. You can also specify multiple protocols using an operator. For example, these protocols have the following numbers: ICMP (1), TCP (6), UDP (17), GRE (47), ESP (50), AH (51), OSPF (89). |
| log \| icmp | log causes packets matching the rule to be logged (see the examples later in this section). |

| TCP ports | UDP ports | Common UDP and TCP ports | ICMP types |
|---|---|---|---|
| systat (11) | name (42) | echo (7) | echo-reply (0) |
Drop all packets with the source host address 192.15.1.10.
deny 192.15.1.10 0.0.0.0
Drop all packets with a source network address of 192.15.1.0. All packets from hosts on that network would be denied.
deny 192.15.1.0/24 0.0.0.0
Allow only inbound and outbound mail for the server 192.15.14.1.
The input filter:
permit 0.0.0.0 192.15.14.1 TCP src >= 1024 dst = 25
permit 0.0.0.0 192.15.14.1 TCP src = 25 dst >= 1024
The output filter:
permit 192.15.14.1 0.0.0.0 TCP src = 25 dst >= 1024
permit 192.15.14.1 0.0.0.0 TCP src >= 1024 dst = 25
These sets of rules are intended to filter out all traffic and only allow incoming and outgoing mail to a server inside the network with the IP address 192.15.14.1. However, these rules aren't enough to prevent an attack from someone with access to port 25 on an outside host: according to the second rule in the input filter, they can initiate a connection from port 25 to any port greater than 1024 on the server. To prevent this, add the est flag to the second rule, so that it looks like:
permit 0.0.0.0 192.15.14.1 TCP src = 25 dst >= 1024 est
This rule now matches only TCP packets belonging to a connection that is already established. This works because TCP packets carry only the "SYN" flag while a session is being established; once the session is established, that flag is no longer set. In other words, if a connection is being initiated from the outside using port 25, the rule won't match, and the connection can't be established because the "SYN" packet is dropped by the default rule.
To augment the descriptions and examples above, the following application of IP filtering is provided. This application assumes that the example organization has several Class C IP networks including 192.15.9.0, 192.15.10.0 and 192.15.11.0. The organization also has an Internet connection through a separate router on the 192.15.9.0 network. That network and the rest of the Internet are considered insecure.
First, a set of input filter rules to be applied to all packets from the insecure network is defined and shown below as ip-in. The only TCP services this rule set permits access to are SMTP (mail) and NNTP (Usenet news). All break-in attempts (denies) and permitted news requests are logged. On the UDP side, everything but DNS, NFS, RPC (portmapper) and mount requests is allowed. All other IP traffic is let through.
[ IP Filter "ip-in" ]
# Explicitly permit these services
permit 0.0.0.0 0.0.0.0 tcp dst = smtp
permit 0.0.0.0 0.0.0.0 tcp dst = nntp log
# Deny access to all other services below port 1024
deny 0.0.0.0 0.0.0.0 tcp dst <= 1024 log
# Lock out access to our X Servers
permit 0.0.0.0 0.0.0.0 tcp dst < 6000
permit 0.0.0.0 0.0.0.0 tcp dst > 6100
deny 0.0.0.0 0.0.0.0 tcp log
# Deny access to specific UDP services
deny 0.0.0.0 0.0.0.0 udp dst = dns log
deny 0.0.0.0 0.0.0.0 udp dst = nfs log
deny 0.0.0.0 0.0.0.0 udp dst = rpc log
deny 0.0.0.0 0.0.0.0 udp dst = mount log
# Let everything else through
permit 0.0.0.0 0.0.0.0 ip
In the real world, there are some hosts which are trusted (at least a little) that are on the insecure side of the router. The following rule set permits specific access from that host to the network. In this case, the host, 192.15.9.99, needs access to the secured DNS, telnet and mail services. Telnet is further restricted to only a few hosts on the secure side.
This is the gw-host rule set.
[ IP Filter "gw-host" ]
permit 192.15.9.99 0.0.0.0 udp dst = dns
permit 192.15.9.99 192.15.10.{5,15,16} tcp dst = telnet
permit 192.15.9.99 0.0.0.0 tcp dst = mail
Often there are some hosts from which all packets going through the interface should be filtered. These hosts might be local hosts containing sensitive data that should be considered invisible to the insecure network. Or they might be hosts from the insecure side that have been known to cause trouble in the past. This is the servers rule set.
[ IP Filter "servers" ]
deny 192.15.11.{100,101} 0.0.0.0 log
deny 0.0.0.0 192.15.11.{100,101} log
After the first rule is entered, whether it is a permit or a deny, the default rule says that everything else will be denied. Therefore, a rule permitting everything is required. This is the permit all else rule set.
# The router filters everything by default, sometimes
# this isn't what we want...
[ IP Filter "permit all else" ]
permit 0.0.0.0 0.0.0.0 ip
Each IP interface in the router may have up to 4 input and output filtering rule sets. Filter sets are associated with an interface in the IP section. Here is how the rules described above would be applied to the interface of the insecure net.
[ IP Ethernet 2:0 ]
Mode = Routed
IPAddress = 192.15.9.1
InFilters = servers gw-host ip-in
OutFilters = servers "permit all else"
In this case, the interface "Ethernet 3" is attached to a small net with a gateway router and a few server hosts that run FTP, mail, DNS, and web servers. The rest of the interfaces are attached to secure internal networks. All traffic to or from the secure hosts 192.15.11.100 and 192.15.11.101 is totally blocked through this interface. All other hosts on the secure side may connect to any service on any insecure host, but the only insecure connections they will receive will be mail and netnews.
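To make the matching rules concrete, here is an added Python example (not the router's code and not from this page's author) that parses rules written in the syntax above and applies the semantics described in this section: first-match in rule order, the implicit final deny once any rule exists, the /bits address comparison, the brace form 192.15.10.{5,15,16}, port operators with keywords, the est flag (a lone "SYN" never matches), and the chaining of named sets in InFilters order. It covers both the mail example with and without est and the servers, gw-host and ip-in sets of the application above. Assumptions: the keyword-to-port table is a constructed subset (the mount port is a guess, and ICMP type keywords share it because the syntax writes "type operator port"), the proto operator protocol_number form is not implemented, the ip-in copy is shortened, and packets are plain dicts built by the tcp() helper.

```python
# Added example (not the router's code): evaluator for the IP filter rule syntax described
# above; constructed packets are run through filter sets in the order an InFilters line lists them.
import ipaddress
import operator
import re
# Assumption: a subset of the router's keyword table (mount port is a guess); ICMP type keywords share it.
PORTS = {"smtp": 25, "mail": 25, "nntp": 119, "telnet": 23, "dns": 53, "nfs": 2049,
         "rpc": 111, "mount": 635, "echo": 7, "systat": 11, "name": 42, "echo-reply": 0}
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51, "ospf": 89}
OPS = {"=": operator.eq, "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def _net(text):
    """0.0.0.0 alone is a wildcard; a bare address is one host; /bits sets the significant bits."""
    if text == "0.0.0.0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(text if "/" in text else text + "/32", strict=False)

def _expand(text):
    """Brace form used on this page: 192.15.10.{5,15} -> ['192.15.10.5', '192.15.10.15']."""
    m = re.fullmatch(r"(.*)\{([^}]*)\}(.*)", text)
    return [text] if not m else [m[1] + x.strip() + m[3] for x in m[2].split(",")]

def parse_rule(line):
    """{permit|deny} src[/bits] dst[/bits] [protocol ...] [log|icmp] -> rule dicts, one per brace member."""
    toks = line.split()
    if len(toks) < 3 or toks[0].lower() not in ("permit", "deny"):
        raise ValueError(f"bad rule: {line!r}")
    rest = [t.lower() for t in toks[3:]]
    r = {"action": toks[0].lower(), "proto": "ip", "est": False, "log": False, "icmp": False}
    i = 0
    if rest and (rest[0] in PROTOCOLS or rest[0] == "ip"):   # "proto <op> number" form not handled
        r["proto"], i = rest[0], 1
    while i < len(rest):
        t = rest[i]
        if t in ("src", "dst", "type"):   # selector: "src >= 1024", "dst = smtp", "type = echo-reply"
            port = PORTS[rest[i + 2]] if rest[i + 2] in PORTS else int(rest[i + 2])
            r[t], i = (OPS[rest[i + 1]], port), i + 3
        elif t in ("est", "log", "icmp"):
            r[t], i = True, i + 1
        else:
            raise ValueError(f"unknown token {t!r} in {line!r}")
    return [dict(r, src_net=_net(s), dst_net=_net(d)) for s in _expand(toks[1]) for d in _expand(toks[2])]

def matches(rule, pkt):
    if (ipaddress.ip_address(pkt["src"]) not in rule["src_net"]
            or ipaddress.ip_address(pkt["dst"]) not in rule["dst_net"]):
        return False
    if rule["proto"] != "ip" and PROTOCOLS[rule["proto"]] != pkt["proto"]:
        return False
    for key, field in (("src", "sport"), ("dst", "dport"), ("type", "itype")):
        if key in rule and not rule[key][0](pkt.get(field, -1), rule[key][1]):
            return False
    # est: only packets of an established session (ACK set) match; a lone SYN, i.e. a new
    # connection attempt, falls through to later rules or the implicit final deny.
    if rule["est"] and "ACK" not in pkt.get("flags", ()):
        return False
    return True

def parse_set(text):
    """A set as written on this page: optional '[ IP Filter "name" ]' header and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("["):
            rules.extend(parse_rule(line))
    return rules

def evaluate(sets, pkt):
    """Sets in InFilters order, rules first to last; first match decides, else deny -> (action, logged)."""
    for rules in sets:
        for rule in rules:
            if matches(rule, pkt):
                return rule["action"], rule["log"]
    return "deny", False

def tcp(src, dst, sport, dport, *flags):   # constructed TCP packet; flags are "SYN" and/or "ACK"
    return {"src": src, "dst": dst, "proto": 6, "sport": sport, "dport": dport, "flags": set(flags)}

# Constructed copies of the rule sets shown on this page (ip-in shortened to five rules).
MAIL_IN = """permit 0.0.0.0 192.15.14.1 TCP src >= 1024 dst = 25
permit 0.0.0.0 192.15.14.1 TCP src = 25 dst >= 1024"""
MAIL_IN_EST = MAIL_IN + " est"   # est appended to the second rule, as the text recommends
SERVERS = """[ IP Filter "servers" ]
deny 192.15.11.{100,101} 0.0.0.0 log
deny 0.0.0.0 192.15.11.{100,101} log"""
GW_HOST = """[ IP Filter "gw-host" ]
permit 192.15.9.99 0.0.0.0 udp dst = dns
permit 192.15.9.99 192.15.10.{5,15,16} tcp dst = telnet
permit 192.15.9.99 0.0.0.0 tcp dst = mail"""
IP_IN = """[ IP Filter "ip-in" ]
permit 0.0.0.0 0.0.0.0 tcp dst = smtp
permit 0.0.0.0 0.0.0.0 tcp dst = nntp log
deny 0.0.0.0 0.0.0.0 tcp dst <= 1024 log
deny 0.0.0.0 0.0.0.0 tcp log
permit 0.0.0.0 0.0.0.0 ip"""
INSECURE_IN = [parse_set(SERVERS), parse_set(GW_HOST), parse_set(IP_IN)]   # InFilters order

if __name__ == "__main__":   # the page's mail example: a SYN arriving *from* port 25 to a high port
    syn = tcp("10.0.0.5", "192.15.14.1", 25, 6000, "SYN")
    print(evaluate([parse_set(MAIL_IN)], syn), evaluate([parse_set(MAIL_IN_EST)], syn))  # ('permit', False) ('deny', False)
```

Running the module shows the point of the est example: the same SYN from port 25 is permitted by the second input rule as written and denied once est is added, while the ACK packets of a session the inside server opened still pass. Evaluating INSECURE_IN shows why set order matters: a packet for 192.15.11.100 is denied by servers before ip-in ever sees it, and a telnet attempt from 192.15.9.99 to a host not in the gw-host list falls through to the ip-in deny for ports at or below 1024.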
[Chapman, 1995]
[Cheswick, 1994]
| Command | Description |
|---|---|
| configure IP | Configures IP parameters for an interface |
| configure Logging | Configures logging options |
Posted: Wed Sep 27 10:56:18 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.