So there I was sitting here the other day, after a busy day of fire-fighting with the trojan infection that got into my network, and it occurred to me that I have a hardware firewall that I never use.
More to the point, my router has very nice hardware firewall capabilities built into it that I simply wasn’t using. Time to explore, I thought...
If you look on eBay these days you can pick up a lot of old Cisco networking gear very cheap, so I bought one, and not one of the re-badged Linksys ones with the funky web-enabled control panel, but a real telnet-controlled one of the kind the IT industry uses, so I set about figuring out how best to put it to use.
It all looks quite scary at first, but ACLs (access control lists) are not all that difficult once you get used to them. I did however have to ask a friend for help, who pointed out that I needed to put an allow-all at the end of my lists to let non-matched traffic through; this stopped me from locking myself out of the router and effectively killing all my internet traffic.
You need to understand a couple of concepts first, so here is a small diagram:
Every interface in a Cisco system has an IN direction and an OUT direction. Quite exactly how this works I’ve no idea; I’m by no means a Cisco expert, but I do have a little more than an average smattering of knowledge. The diagram is drawn to reflect this IN/OUT scenario the way I understand it, so before you fully qualified Cisco types start yelling and screaming at me, this is a “joe schmo” interpretation of the subject and not a fully fledged, badge-wearing CCNA explanation.
Back to the diagram… technically the dialler interface also has an IN and an OUT, and in fact all my inbound rules are currently tied to it rather than to the ATM interface, because that’s simply how the built-in HTTP set-up program created them.
For the purposes of this blog, however, we’ll consider that IN on the ATM interface is traffic arriving from the WAN/Internet, and IN on ETH0 is traffic arriving from your LAN on its way out to the internet.
Once you get this clear, the ACL’s make sense.
Let’s say I wanted to allow any host to come into my router, on any address, using HTTP/WWW so that I could host a web server:
access-list 120 permit tcp any any eq www
You can replace ‘www’ with any port number, or with a label if your IOS version defines it, so you could for example also allow inbound HTTPS (and SSH on port 22):
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 22
You can also set it so that ONLY certain hosts can connect. For example, if you have a friendly IP at 220.127.116.11 and you only want to allow that host access to your web server:
access-list 120 permit tcp 18.104.22.168 0.0.0.0 any eq www
Or you may have two or three different IP addresses on your WAN interface, so you could make one host always use one address and everyone else use the other:
access-list 120 permit tcp 22.214.171.124 0.0.0.0 192.168.1.1 0.0.0.0 eq www
access-list 120 permit tcp any 192.168.1.2 eq www
The same also applies on your LAN side; you can, for example, prevent any machine in your subnet from accessing a certain IP address:
access-list 121 deny ip 10.1.1.0 0.0.0.255 126.96.36.199 0.0.0.0
This would prevent any host in your address range 10.1.1.0 -> 10.1.1.255 from accessing host 188.8.131.52; the range is selected by the wildcard mask after the address, 0.0.0.255.
Any bit that is set in the mask means “I don’t care”, so the mask above says the first three octets (10.1.1) must match but the last octet can be anything.
One last example:
Assume your mail host is 10.1.1.2 and you want ONLY that machine allowed to send out SMTP (this is a good thing, so that workstations that may be infected with a spam zombie can’t send SMTP):
access-list 121 permit tcp 10.1.1.2 0.0.0.0 any eq smtp
access-list 121 deny tcp 10.1.1.0 0.0.0.255 any eq smtp
access-list 121 permit ip any any
Don’t forget the ‘permit ip any any’ at the end of your list; this was what kept locking me out because I kept forgetting to include it, as I mentioned earlier in this now rather longer than intended post 🙂
Once you’ve set your rules up, you simply have to assign them to the correct interfaces:
interface Ethernet0
 ip access-group 121 in
interface ATM0
 ip access-group 120 in
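To make the wildcard-mask rule and the “forgot the permit ip any any” lockout concrete, here is an added example that is not the post’s own code and is not IOS: a small Python model of the subset of extended-ACL syntax used above. It assumes entries of the form `access-list N permit|deny ip|tcp|udp SRC [WILDCARD] DST [WILDCARD] [eq PORT]`, accepts `any`, `host a.b.c.d` or `a.b.c.d w.w.w.w` for the addresses (treating a missing wildcard as 0.0.0.0), resolves only the port labels the post uses, and applies the two things every Cisco ACL does: entries are tested top to bottom with the first match winning, and a packet that matches nothing hits the implicit deny at the end of the list. The sample rule set is the SMTP example above; the destination 203.0.113.5 is a constructed test address.

```python
"""Toy evaluator (added example, not the post's code) for the subset of Cisco IOS
extended-ACL syntax used above. Simplified model, not IOS: entries are tested
top to bottom, the first match wins, and a packet matching nothing hits the
implicit deny that ends every Cisco ACL."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port labels IOS accepts in place of numbers (only the ones used in the post)
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "https": 443}
Addr = Optional[Tuple[str, str]]  # (address, wildcard) or None for 'any'

@dataclass
class Entry:
    action: str          # 'permit' or 'deny'
    proto: str           # 'ip', 'tcp' or 'udp'
    src: Addr
    dst: Addr
    port: Optional[int]  # destination port from 'eq', if given

def _is_ip(tok: str) -> bool:  # dotted quad such as '0.0.0.255'
    return tok.count(".") == 3 and all(p.isdigit() for p in tok.split("."))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard: a 1 bit means 'don't care'; every 0-bit position must equal the network."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def _parse_addr(t: List[str], i: int) -> Tuple[Addr, int]:
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":                        # 'host a.b.c.d' == 'a.b.c.d 0.0.0.0'
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and _is_ip(t[i + 1]):
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1           # assumption: missing wildcard => exact host

def parse_acl(text: str) -> Dict[str, List[Entry]]:
    """Group 'access-list N permit|deny PROTO SRC [WC] DST [WC] [eq PORT]' lines by N, in order."""
    acls: Dict[str, List[Entry]] = {}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        number, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(number, []).append(Entry(action, proto, src, dst, port))
    return acls

def parse_interfaces(config: str) -> Dict[Tuple[str, str], str]:
    """Map (interface, direction) -> ACL number from 'interface X' / ' ip access-group N in|out'."""
    bindings, current = {}, None
    for line in config.splitlines():
        t = line.split()
        if t and t[0] == "interface":
            current = t[1]
        elif t[:2] == ["ip", "access-group"] and current is not None:
            bindings[(current, t[3])] = t[2]
    return bindings

def evaluate(entries: List[Entry], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry decides; nothing matched means the implicit deny fired."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.src is not None and not wildcard_match(src, *e.src):
            continue
        if e.dst is not None and not wildcard_match(dst, *e.dst):
            continue
        if e.port is not None and e.port != dport:
            continue
        return e.action
    return "deny (implicit)"

def check(acls, bindings, interface, direction, proto, src, dst, dport) -> str:
    # Verdict for a packet on (interface, direction); an unbound direction is not filtered
    number = bindings.get((interface, direction))
    if number is None:
        return "permit (no ACL bound)"
    return evaluate(acls.get(number, []), proto, src, dst, dport)

# Constructed sample config: the post's SMTP rule set, with and without the trailing permit
LAN_ACL_OK = """access-list 121 permit tcp 10.1.1.2 0.0.0.0 any eq smtp
access-list 121 deny tcp 10.1.1.0 0.0.0.255 any eq smtp
access-list 121 permit ip any any
"""
LAN_ACL_LOCKOUT = LAN_ACL_OK.replace("access-list 121 permit ip any any\n", "")
INTERFACES = "interface Ethernet0\n ip access-group 121 in\n"

if __name__ == "__main__":
    bindings = parse_interfaces(INTERFACES)
    for label, text in (("with permit ip any any", LAN_ACL_OK), ("without it", LAN_ACL_LOCKOUT)):
        acls = parse_acl(text)
        for src, port in (("10.1.1.2", 25), ("10.1.1.7", 25), ("10.1.1.7", 80)):
            verdict = check(acls, bindings, "Ethernet0", "in", "tcp", src, "203.0.113.5", port)
            print(f"{label}: {src} -> tcp/{port}: {verdict}")
```

Running it shows the point of the last line: with the trailing permit, the mail host’s SMTP is permitted, other hosts’ SMTP is denied, and everything else from the LAN is permitted; without it, the same web request from 10.1.1.7 falls off the end of the list and is dropped by the implicit deny, which is exactly the lockout the post describes.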
You can also set them up in the OUT direction, or on other interfaces, if you like, but I’ll leave that as an exercise to figure out. I’ve now got implemented on my LAN side rules that prevent rogue SMTP/POP3 traffic, a complete ban on all IRC, and I’ve also specifically blocked a number of known hosts and ports that are used by malware authors and virus writers to control their creations.
If you can pick yourself up a cheap Cisco router off eBay, or even just a firewall, it’s worth it in the long run (even if you do still use a software firewall) to protect your home computers, and it even helps with peace of mind if you have youngsters accessing the internet, because you can use it to filter out undesirable websites.
At some point in the future I’ll write an article on using a programming language to control this router stuff.