Blocking and unblocking ICMP traffic on Windows 7 and Linux. Firewalls: protecting ourselves from hackers using IPTABLES, IPFW and PF. Dropping or allowing traffic from specific MAC addresses

How can I configure computers running Windows 2000/XP/2003 to block Ping packets? Windows 2000/XP/2003 has a built-in IP security mechanism called IPSec (IP Security). IPSec is a protocol designed to protect individual TCP/IP packets as they are transmitted over a network.

We will not go into the internals and design of IPsec here. What matters for this task is that, in addition to encryption, IPSec can also protect your server or workstation with a mechanism similar to a firewall.

Blocking PING on a single computer

To block all PING packets from and to a computer, we need to create an IPSec policy that will block all ICMP traffic. First, check whether your computer currently responds to ICMP requests (for example, ping it from another machine):

To set up a single computer we need to follow these steps:

Let's configure the list of IP Filter Lists and Filter Actions

  1. Open an MMC window (Start > Run > MMC).
  2. Add the IP Security and Policy Management snap-in.
  3. Select which computer will be controlled by this policy - in our case it is a local computer. Click Close, then click OK.
  4. Right-click on IP Security Policies in the left half of the MMC console. Select Manage IP Filter Lists and Filter Actions.
  5. You do not need to configure or create an IP filter for ICMP (the protocol in which PING works), since such a filter already exists by default - All ICMP Traffic.

However, you can configure an arbitrarily complex IP filter, for example, prohibit pinging your computer from all IPs, except for a few specific ones. In one of the next articles on IPSec, we will take a closer look at creating IP filters, stay tuned.

  1. In the Manage IP Filter Lists and Filter Actions window, review your filters and if everything is in order, click on the Manage Filter Actions tab. Now we need to add a filter action that will block certain traffic, click Add.
  2. In the first welcome window, click Next.
  3. In the Filter Action Name field, enter Block and click Next.
  4. In Filter Action General Options, select Block, then click Next.
  5. Go back to the Manage IP Filter Lists and Filter Actions window and review your filters and if everything is ok, click Close. You can add filters and filter actions at any time.

The next step is to configure the IPSec policy and apply it.

Configuring the IPSec policy

  1. In the same MMC console, right-click on IP Security Policies and select Create IP Security Policy.
  2. Skip the wizard's greeting by clicking Next.
  3. In the IP Security Policy Name field, enter a name appropriate to the case, for example “Block PING”. Click Next.
  4. In the Secure Connection Requests window, uncheck the Activate the Default Response Rule checkbox. Click Next.
  5. Check the Edit properties checkbox and click Finish.
  6. We need to add IP filters and filter actions to the new IPSec policy. In the New IPSec Policy window, click Add.
  7. Click Next.
  8. In the Tunnel Endpoint window, make sure the default value is selected and click Next.

Users are often annoyed by the slowness of the Internet. This especially applies to the large army of fans of online games. You can reduce potential delays by disabling the ping feature.

You will need

  • PC with Windows operating system installed;
  • Internet access.

Instructions

  • Enter the Start menu of the Windows operating system by clicking on the corresponding button in the left corner of the taskbar. Some input devices have a Windows logo key, which you can press to access the operating system's main menu directly from the keyboard.
  • Open the “Control Panel” section, activate the “Windows Firewall” menu and in the dialog box go to the “Advanced” tab. Click on the ICMP Settings button and deselect the “Allow incoming echo request” option by unchecking the corresponding menu item. Save the changes you have made in the settings by clicking the “Ok” button.
  • Use the built-in IPSec facility to block incoming and outgoing ping packets. Click on the "Start" button and, if you are using Windows 7, enter mmc in the search bar; on Windows XP, enter the same value in the “Run” line. Click on the “Open” item or press the Enter key.
  • Confirm your choice and in the Applications window go to the File menu. Select the “Add/Remove Snap-in” function and activate the “IP Security and Policy Management” utility. Check the “Local computer” box and complete the wizard by clicking the Close button.
  • Right-click on IP Security Policies to open the context menu. Select the command “Manage IP filter Lists and Filter Actions” and activate the “All ICMP Traffic” item. Go to the “Manage Filter Actions” section, click on the Next button and check the “Block” box. Confirm your settings and close the dialog box.
  • In the “IP Security Policies” context menu, activate the “Create IP Security Policy” command. Specify the “Block Ping” item in the corresponding field of the policy creation wizard that opens. Uncheck the box next to “Activate the default response rule” and select the “Edit Properties” item. Save your settings and close the wizard window.
  Tip added January 25, 2012

    Tip 2: How to disable ping

    The ping function is used to check the availability of Internet resources by sending a packet of a certain size to the host being checked. The time it takes for the data to return is measured to determine the connection speed. Fans of online games disable this feature to reduce lag time.

    Instructions

  • Open the Windows Start menu, the button is located in the left corner of the taskbar. Also on some keyboards there is a button with a picture of a Windows window, by clicking on which you can launch the main menu. Go to the "Control Panel" section and go to the "Windows Firewall" menu. Click on the "Advanced" tab in the dialog box that opens.
  • Find the ICMP Settings button and click on it, then uncheck the box next to “Allow incoming echo request”. After this, click on the “Ok” button at the bottom of the window to save the specified settings. After this, you must use the built-in IPSec application to block incoming and outgoing ping packets.
  • Click on the "Start" button and enter mmc in the search bar (for Windows 7) or in the "Run" line (for Windows XP). Click the Open button or the Enter key. Confirm the command and open the File menu in the Applications window. Select the "Add/Remove Snap-in" function and add the "IP Security and Policy Management" utility. In the "Local computer" field, select the checkbox and click the Close button to complete the wizard.
  • Right-click on the "IP Security Policies" line to bring up the context menu. Select the “Manage IP filter Lists and Filter Actions” command and check the “All ICMP Traffic” checkbox. After that, go to the "Manage Filter Actions" section. Click the Next button and check the box next to "Block". Confirm the setting and close the dialog box.
  • Select the "Create IP Security Policy" command from the "IP Security Policies" context menu. The Policy Creation Wizard will open, in which specify “Block Ping” in the appropriate field. Uncheck the boxes next to “Activate the default response rule” and check the boxes next to “Edit Properties”. Save the settings and close the wizard window.

    Blocking ping responses in the OS can prevent ICMP packet flooding attacks, but most systems use this service for online monitoring (system monitoring). In my topic “Block Ping (ICMP) responses in Unix/Linux” I will tell you how you can still turn it off.

    Blocking PING to a server is useful if the server is constantly facing some kind of DoS attack using the PING function. With iptables we can simply block the passage of ICMP packets (that is, block PING) to the server. Before starting, you need to have an idea of what iptables is in Linux. Iptables is a firewall system with a set of rules that controls incoming and outgoing packets. By default, iptables runs without any rules; you can create, add and edit rules.

    Disable Ping using iptables

    An explanation of the iptables parameters needed to create ICMP packet control rules:

    -A: Appends a rule to a chain.
    -D: Removes a rule from the chain.
    -p: Option to specify the protocol (here 'icmp').
    --icmp-type: Option to specify the ICMP message type (echo-request, echo-reply, ...).
    -j: Jump to a target, i.e. the action to take (ACCEPT, DROP, REJECT or a user-defined chain).

    Below, I will give clear examples.

    How to block PING on a server with error messages?
    This blocks PING but still tells the sender why: the REJECT target answers with the error message “Destination Port Unreachable”. Add the following iptables rule to block PING with an error message:

    # iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

    Block PING on the server without any error messages.
    To do this, use the following iptables commands:

    # iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
    # iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

    These two rules silently drop outgoing echo requests and incoming echo replies, i.e. the server's own outbound pings; unlike REJECT, DROP sends nothing back. To silently drop pings aimed at the server itself, apply DROP to echo-request in the INPUT chain, as in the rule above with DROP in place of REJECT.

    Allow Ping using iptables

    If you blocked ping on the server and don’t know how to get it back, this is done by adding the following rules to iptables:

    # iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

    These rules allow ICMP echo packets to and from the server. Note that -A appends, so they land after any DROP/REJECT rules added earlier and will not take effect until those are deleted with -D (or the ACCEPT rules are inserted ahead of them with -I).

    Blocking Ping with Kernel Parameters

    We can also block ping responses directly with kernel parameters. You can block ping replies temporarily or permanently and below shows how to do this.

    Temporarily block Ping
    You can temporarily block ping replies using the following command:

    # echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

    To unblock ping again, run the following:

    # echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    Deny Ping altogether
    You can block ping responses by adding the following parameter to the configuration file:

    # vim /etc/sysctl.conf

    And write:

    [...] net.ipv4.icmp_echo_ignore_all = 1 [...]

    sysctl is used to change kernel parameters at runtime; one of these parameters, net.ipv4.icmp_echo_ignore_all, controls whether the kernel answers echo requests at all, so to disable ping you just have to do something like:

    # sysctl -w net.ipv4.icmp_echo_ignore_all=1

    Now try to ping the machine, there are no responses, right? To re-enable ping, use:

    # sysctl -w net.ipv4.icmp_echo_ignore_all=0

    The -w flag writes a new value to the given parameter.

    Now run one of the following commands to apply the settings from the configuration file immediately, without rebooting the system (-p reloads /etc/sysctl.conf; --system also reads the sysctl.d directories):

    # sysctl -p

    # sysctl --system

    Here is my full config:

    # cd /usr/local/src && wget http://site/wp-content/uploads/files/sysctl_conf.txt

    and then you can do:

    # cp /usr/local/src/sysctl_conf.txt /etc/sysctl.conf

    That's all for me, the topic “Block Ping (ICMP) responses in Unix/Linux” is completed.


    The firewall on a Linux system is controlled by the iptables program (for ipv4) and ip6tables (for ipv6). This cheat sheet covers the most common ways to use iptables for those who want to protect their system from hackers or just understand the setup.

    The # sign means that the command is executed as root. Open a console with root rights in advance - sudo -i on Debian-based systems or su on others.

    1. Show status.

    # iptables -L -n -v

    Sample command output for an inactive firewall:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    For an active firewall:

    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
      394 43586 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       93 17292 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
        1   142 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
        0     0 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 425 packets, 113K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain wanin (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain wanout (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Where:
    -L: List the rules.
    -v: Verbose output: shows the interface names, rule options and TOS masks, plus packet and byte counters (with the suffixes "K", "M" or "G").
    -n: Display IP addresses and ports as numbers, without using DNS to resolve names; this speeds up the listing.

    2. Display a list of rules with line numbers.

    # iptables -n -L -v --line-numbers

    Sample output:

    Chain INPUT (policy DROP)
    num  target     prot opt source               destination
    1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
    2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP)
    num  target     prot opt source               destination
    1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    2    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
    3    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    5    wanin      all  --  0.0.0.0/0            0.0.0.0/0
    6    wanout     all  --  0.0.0.0/0            0.0.0.0/0
    7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination

    Chain wanin (1 references)
    num  target     prot opt source               destination

    Chain wanout (1 references)
    num  target     prot opt source               destination

    You can use line numbers to add new rules.

    3. Display the INPUT or OUTPUT chain.

    # iptables -L INPUT -n -v
    # iptables -L OUTPUT -n -v --line-numbers

    4. Stop, start, restart the firewall.

    Using the system's own service manager (here the ufw front end):
    # service ufw stop
    # service ufw start

    You can also use iptables commands to stop the firewall and remove all rules:
    # iptables -F
    # iptables -X
    # iptables -t nat -F
    # iptables -t nat -X
    # iptables -t mangle -F
    # iptables -t mangle -X
    # iptables -P INPUT ACCEPT
    # iptables -P OUTPUT ACCEPT
    # iptables -P FORWARD ACCEPT

    Where:
    -F: Flush all rules.
    -X: Delete the chain.
    -t table_name: Operate on the named table (nat or mangle) instead of the default filter table.
    -P: Select default actions (such as DROP, REJECT, or ACCEPT).

    5. Delete firewall rules.

    To display the line number with existing rules:

    # iptables -L OUTPUT -n --line-numbers
    # iptables -L OUTPUT -n --line-numbers | less
    # iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1

    The listing shows each rule with its number on the left; note the number and delete that rule (numbers are counted per chain). For example, for number 3 in INPUT:
    # iptables -D INPUT 3

    Or find the source IP address (202.54.1.1) and remove it from the rule:
    # iptables -D INPUT -s 202.54.1.1 -j DROP

    Where:
    -D: Remove one or more rules from the chain.

    6. Add a rule to the firewall.

    To add one or more rules to a chain, we first display the list using line numbers:
    # iptables -L INPUT -n --line-numbers

    Sample output:

    Chain INPUT (policy DROP)
    num  target     prot opt source               destination
    1    DROP       all  --  202.54.1.1           0.0.0.0/0
    2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED

    To insert a rule between lines 1 and 2:
    # iptables -I INPUT 2 -s 202.54.1.2 -j DROP

    Let's check if the rule has been updated:
    # iptables -L INPUT -n --line-numbers

    The output will be like this:

    Chain INPUT (policy DROP)
    num  target     prot opt source               destination
    1    DROP       all  --  202.54.1.1           0.0.0.0/0
    2    DROP       all  --  202.54.1.2           0.0.0.0/0
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED
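As an added example (not part of the cheat sheet), a small Python parser for the `iptables -L ... -n --line-numbers` listing used in sections 2, 5 and 6. It finds rule numbers by field, emits the `-D` commands in an order that survives renumbering, and shows which rule a packet would hit first. The sample listing is constructed here, and the `first_matching_rule` helper is an approximation that ignores extra matches such as `state`.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the 'iptables -L INPUT -n --line-numbers' format of the cheat
# sheet (extended with the other chains and one icmp rule so ordering effects show up).
SAMPLE = """\
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  202.54.1.1           0.0.0.0/0
2    DROP       all  --  202.54.1.2           0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED
4    ACCEPT     icmp --  192.168.1.0/24       0.0.0.0/0            icmptype 8

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")

@dataclass
class Rule:
    num: int
    target: str
    prot: str
    source: str
    destination: str
    extra: str = ""          # trailing match text such as 'state NEW,ESTABLISHED'

@dataclass
class Chain:
    name: str
    policy: Optional[str]    # None for user-defined chains ('N references')
    rules: list = field(default_factory=list)

def parse_listing(text: str) -> dict:
    """Parse 'iptables -L -n --line-numbers' output into {chain name: Chain}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("num "):      # blank line or column header
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, info = m.groups()
            policy = info.split()[1] if info.startswith("policy ") else None
            current = chains[name] = Chain(name, policy)
            continue
        parts = line.split(None, 6)                   # 7th field keeps the rest intact
        if current is None or len(parts) < 6:
            raise ValueError(f"unexpected line: {line!r}")
        num, target, prot, _opt, src, dst = parts[:6]
        current.rules.append(Rule(int(num), target, prot, src, dst,
                                  parts[6] if len(parts) == 7 else ""))
    return chains

def rules_matching(chains: dict, chain: str, **criteria) -> list:
    """Rule numbers in `chain` whose fields equal every criterion, e.g. source='1.2.3.4'."""
    return [r.num for r in chains[chain].rules
            if all(getattr(r, k) == v for k, v in criteria.items())]

def delete_commands(chains: dict, chain: str, **criteria) -> list:
    """'iptables -D CHAIN N' for every matching rule, highest number first: deleting
    rule 1 renumbers the rest, so ascending order would hit the wrong rules."""
    nums = sorted(rules_matching(chains, chain, **criteria), reverse=True)
    return [f"iptables -D {chain} {n}" for n in nums]

def first_matching_rule(chains: dict, chain: str, src: str, prot: str) -> Optional[Rule]:
    """First rule (in table order) whose protocol and source cover a packet. Only
    prot and source prefix are considered; extra matches such as 'state' are
    ignored, so this is an approximation for spotting ordering mistakes."""
    ip = ipaddress.ip_address(src)
    for r in chains[chain].rules:
        if r.prot in ("all", prot) and ip in ipaddress.ip_network(r.source, strict=False):
            return r
    return None
```

In the sample, rule 4 can never fire: a ping from 192.168.1.5 is already accepted by the catch-all rule 3, which is the same ordering trap as appending an ACCEPT behind an existing DROP.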

    7. Save the firewall rules.

    Via iptables-save:
    # iptables-save > /etc/iptables.rules

    8. Restoring the rules.

    Via iptables-restore, reading the file saved above:
    # iptables-restore < /etc/iptables.rules

    9. Set default policies.

    To drop all traffic:
    # iptables -P INPUT DROP
    # iptables -P OUTPUT DROP
    # iptables -P FORWARD DROP
    # iptables -L -v -n

    After the above commands, not a single packet will leave this host.
    # ping google.com

    10. Block only incoming connections.

    To drop all incoming packets not initiated by you, but allow outgoing traffic:
    # iptables -P INPUT DROP
    # iptables -P FORWARD DROP
    # iptables -P OUTPUT ACCEPT
    # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables -L -v -n

    Outgoing packets, and incoming packets that belong to sessions this host itself established, are allowed (accepting NEW in this rule would let any inbound connection through and defeat the DROP policy).
    # ping google.com

    11. Drop packets with private-network source addresses arriving on a public interface.

    # iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP

    List of address ranges for isolated (non-routable) networks:
    10.0.0.0/8 (A)
    172.16.0.0/12 (B)
    192.168.0.0/16 (C)
    224.0.0.0/4 (MULTICAST D)
    240.0.0.0/5 (E)
    127.0.0.0/8 (LOOPBACK)

    12. Blocking a specific IP address.

    To block a 1.2.3.4 attacker's address:
    # iptables -A INPUT -s 1.2.3.4 -j DROP
    # iptables -A INPUT -s 192.168.0.0/24 -j DROP

    13. Block incoming port requests.

    To block all incoming requests on port 80:
    # iptables -A INPUT -p tcp --dport 80 -j DROP
    # iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

    To block port 80 request from address 1.2.3.4:
    # iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
    # iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

    14. Block outgoing requests to an IP address.

    To block a specific domain, first find out its address:
    # host -t a facebook.com

    Output: facebook.com has address 69.171.228.40

    Let's find the CIDR block for 69.171.228.40:
    # whois 69.171.228.40 | grep CIDR

    Output:
    CIDR: 69.171.224.0/19

    Let's block access to 69.171.224.0/19:
    # iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP

    You can also give a domain name instead of an address:
    # iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
    # iptables -A OUTPUT -p tcp -d facebook.com -j DROP

    Note that iptables resolves the name once, when the rule is added, and creates one rule per address returned; addresses the domain moves to later are not covered.

    15. Log the event and drop.

    To log packets before dropping them, add a LOG rule ahead of the DROP rule:

    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

    Let's check the log (by default /var/log/messages):
    # tail -f /var/log/messages
    # grep -i --color "IP_SPOOF" /var/log/messages

    16. Log the event and drop (with a limit on the number of records).

    To avoid filling the partition with a bloated log, we limit the number of entries using the limit match (-m limit). For example, to log at most 5 entries per minute on average, with a burst of up to 7:
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

    16. Drop or allow traffic from certain MAC addresses.

    # iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
    ## *allow only TCP port 22 from mac address 00:0F:EA:91:04:07* ##
    # iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

    17. Allow or deny ICMP Ping requests.

    To disable ping:
    # iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    # iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

    Allow for specific networks/hosts:
    # iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT

    Allow only part of ICMP requests:
    ### ** assumes default inbound policies are set to DROP ** ###
    # iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    # iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    # iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    ## ** allow us to respond to the request ** ##
    # iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    18. Open a range of ports.

    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

    19. Open a range of addresses.

    ## allow connections to port 80 (Apache) if the address is in the range from 192.168.1.100 to 192.168.1.200 ##
    # iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

    ## example for nat ##
    # iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25

    20. Close or open standard ports.

    Replace ACCEPT with DROP to block the port.

    ## ssh tcp port 22 ##
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

    ## cups (printing service) udp/tcp port 631 for local network ##
    iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

    ## time sync via NTP for local network (udp port 123) ##
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

    ## tcp port 25 (smtp) ##
    iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

    ## dns server ports ##
    iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

    ## http/https www server port ##
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

    ## tcp port 110 (pop3) ##
    iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

    ## tcp port 143 (imap) ##
    iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

    ## Samba file server for local network ##
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

    ## proxy server for local network ##
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT

    ## mysql server for local network ##
    iptables -I INPUT -p tcp --dport 3306 -j ACCEPT

    21. Limit the number of parallel connections to the server for one address.

    For restrictions, the connlimit module is used. To allow only 3 ssh connections per client:
    # iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

    Limit each /24 network to 20 HTTP connections:
    # iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP

    Where:
    --connlimit-above 3: Specifies that the rule only applies once the number of connections exceeds 3.
    --connlimit-mask 24: Specifies the network mask; connections are counted per /24 block rather than per single address.

    Help with iptables.

    To find help with iptables, use man:
    $ man iptables

    To view help for specific commands and goals:
    # iptables -j DROP -h

    Checking the iptables rule.

    Checking open/closed ports:
    # netstat -tulpn

    We check the openness/closedness of a specific port:
    # netstat -tulpn | grep :80

    Let's check that iptables allows connection to port 80:
    # iptables -L INPUT -v -n | grep 80

    Otherwise, let's open it to everyone:
    # iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

    Check using telnet
    $ telnet ya.ru 80

    You can use nmap to check:
    $ nmap -sS -p 80 ya.ru

    Iptables is a great tool in the hands of an administrator. If you need to easily and simply protect yourself on desktop Ubuntu, then you should know that there is a convenient console add-on for iptables called UFW, and there is a graphical program for it called GUFW. Video material will help you make your Ubuntu even more secure.

    So, let's continue to deal with ACLs. This time, we have extended ACLs. We will take the topology from the previous article, I hope you have studied it thoroughly. If this is not the case, then I highly recommend reading it so that the materials in this article are more understandable.

    First of all, I'll start with what extended ACLs are. Extended ACLs allow you to specify the protocol, destination address, and ports in addition to the source address. As well as special parameters of a certain protocol. It’s best to learn from examples, so let’s create a new task, complicating the previous one. By the way, someone might be interested in dealing with the issues of traffic distribution by priority after this; I recommend QoS Classification and Marking a good article, albeit in English. Well, for now, let's return to our task:

    Task.

    1. Allow echo requests from network hosts 192.168.0.0/24 to the server.
    2. From the server – prohibit echo requests to the internal network.
    3. Allow WEB access to the server from node 192.168.0.11.
    4. Allow FTP access from host 192.168.0.13 to the server.

    Complex task. We will also solve it comprehensively. First of all, I’ll look at the syntax for using an extended ACL.

    Extended ACL options

    <number 100 to 199> <action: permit or deny> <protocol> <source> <port> <destination> <port> <options>

    Port numbers are given only for the TCP/UDP protocols, of course. A port can carry a prefix: eq (port number equal to the specified one), gt/lt (port number greater/smaller than the specified one), neq (port number not equal to the specified one), range (port range).

    Named ACLs

    By the way, access lists can not only be numbered, but also named! Perhaps this method will seem more convenient to you. This time we will do exactly that. These commands are executed in the context of global configuration and the syntax is:

    Router(config)#ip access-list extended <name>

    So, let's start forming the rules.

    1. Allowing pings from the network 192.168.0.0/24 to the server. Echo requests are ICMP, so the protocol is icmp; the source address is our subnet, the destination address is the server, and the message type is echo on the incoming interface and echo-reply on the way out.

      Router(config)#ip access-list extended INT_IN
      Router(config-ext-nacl)#permit icmp 192.168.0.0 0.0.0.255 host 10.0.0.100 echo

      Oops, what's wrong with the subnet mask? This is a trick of ACLs: the so-called wildcard mask. It is the inverse of the usual mask, computed by subtracting the subnet mask from 255.255.255.255. In our case the mask is 255.255.255.0, and what remains after subtraction is just 0.0.0.255. I think this rule needs no further explanation: protocol icmp, source address subnet 192.168.0.0/24, destination address host 10.0.0.100, message type echo (request). Note also that host 10.0.0.100 is equivalent to 10.0.0.100 0.0.0.0. We apply this rule to the interface:

      Router(config)#int fa0/0
      Router(config-if)#ip access-group INT_IN in

      Something like that. Now, if you check the pings, it's easy to see that everything works fine. One surprise awaits us here, however, which will emerge a little later. I won't reveal it yet. Whoever guessed it - well done!
    2. From the server – we prohibit all echo requests to the internal network (192.168.0.0/24). We define a new named list, INT_OUT, and attach it to the interface closest to the server.
      Router(config)#ip access-list extended INT_OUT
      Router(config-ext-nacl)#deny icmp host 10.0.0.100 192.168.0.0 0.0.0.255 echo
      Router(config-ext-nacl)#exit
      Router(config)#int fa0/1
      Router(config-if)#ip access-group INT_OUT in
      Let me explain what we did. We created an extended access list named INT_OUT, denied in it the icmp protocol with type echo from host 10.0.0.100 to the subnet 192.168.0.0/24, and applied it inbound on interface fa0/1, i.e. the one closest to the server. Now we try to send a ping from the server.
      SERVER>ping 192.168.0.11
      Pinging 192.168.0.11 with 32 bytes of data:

      Reply from 10.0.0.1: Destination host unreachable.
      Reply from 10.0.0.1: Destination host unreachable.
      Reply from 10.0.0.1: Destination host unreachable.
      Ping statistics for 192.168.0.11:
      Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
      Well, it seems to work as it should. For those who don't know how to send pings: click on the node of interest, for example the server, go to the Desktop tab and open Command Prompt. And now, the promised surprise. Try sending a ping from the host, as in the first point.
      PC>ping 10.0.0.100
      Pinging 10.0.0.100 with 32 bytes of data:
      Request timed out.
      Request timed out.
      Request timed out.
      Request timed out.

      Here's one for you. Everything just worked! Why did it stop? This is the promised surprise. Let me explain the problem. The first rule has not gone away: it does allow an echo request to be sent to the server node. But where is the permission for the echo reply to pass? There is none! We send a request, but we cannot receive the reply. Why did everything work before? Because there was no ACL on interface fa0/1 then, and with no ACL, everything is allowed. You will have to create a rule allowing icmp replies to be received.

      Add it to the INT_OUT list, and add the same line to the INT_IN list:

      Router(config-ext-nacl)#permit icmp host 10.0.0.100 192.168.0.0 0.0.0.255 echo-reply

      Now there is nothing to complain about. Everything works!

    3. We allow WEB access to the server from host *.11. We do the same! Here, however, you need to know a little about how calls occur via layer 4 protocols (TCP, UDP). The client port is chosen arbitrarily from those above 1024, and the server port is the one assigned to the service: for WEB this is port 80 (the HTTP protocol). What about the WEB server? By default the WEB service is already enabled on the server; you can see it in the node settings, make sure the box is checked. You can connect to the server by selecting the “Web Browser” shortcut on the “Desktop” of any node. Of course, there is no access right now, because we have ACLs on the router interfaces and they contain no rule permitting this access. So, in the INT_IN access list (the one on interface fa0/0), add the rule:

      Router(config-ext-nacl)#permit tcp host 192.168.0.11 gt 1024 host 10.0.0.100 eq 80

      That is, we allow the TCP protocol from our host (arbitrary port > 1024) to the server address, HTTP port.

      And, of course, the opposite rule is in the INT_OUT list (which is on the interface fa0/1):

      Router(config-ext-nacl)#permit tcp host 10.0.0.100 eq 80 host 192.168.0.11 established

      That is, we allow TCP from the server's port 80 to host *.11, and the connection must already be established! Instead of established you could specify gt 1024, which would work just as well, but the meaning is a little different.

      Answer in the comments what would be safer?

    4. We allow FTP access from host *.13 to the server. Again, nothing complicated, but let's look at how interaction occurs via the FTP protocol. In the future I plan to devote a whole series of articles to the workings of different protocols, since this is very useful for writing precise (sniper) ACL rules. For now, the server and client actions in passive mode are:

      + The client opens a connection to server port 21 from its own port X (X > 1024, a free port), indicating in it that it will work in passive mode.
      + The server sends a response and reports the port number Y (Y > 1024) it will use for the data channel, to client port X taken from the TCP packet header.
      + The client opens the data connection from port X+1 to server port Y (taken from the previous exchange).

      It sounds a little complicated, but you just need to work through it. Add the rules to the INT_IN list:

      permit tcp host 192.168.0.13 gt 1024 host 10.0.0.100 eq 21
      permit tcp host 192.168.0.13 gt 1024 host 10.0.0.100 gt 1024

      And add rules to the INT_OUT list:

      permit tcp host 10.0.0.100 eq ftp host 192.168.0.13 gt 1024
      permit tcp host 10.0.0.100 gt 1024 host 192.168.0.13 gt 1024

      We check from the command line with the command ftp 10.0.0.100, log in with the credentials cisco:cisco (taken from the server settings), enter the command dir and see that the data, as well as the commands, are transmitted successfully.

    That's about all that concerns extended access lists.
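An added example, not from the article: a Python model of the extended-ACL syntax described above (wildcard masks, the eq/gt/lt/neq/range port qualifiers, icmp message types, established, first match wins, implicit deny). The INT_IN and INT_OUT lists are the article's as they stood before the echo-reply entry was added; `ping_roundtrip` reproduces the surprise from step 2, and the packet fields and helper names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_mask(prefix_len: int) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask, as the article computes it."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(0xFFFFFFFF - mask))

def addr_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits that are 0 in the wildcard must equal the base; 1 bits are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> operand count
NAMED_PORTS = {"www": 80, "ftp": 21}  # names IOS prints in 'show access-lists'

def port_match(cond: Optional[tuple], port: int) -> bool:
    if cond is None:  # no port qualifier: any port matches
        return True
    op, *n = cond
    return {"eq": port == n[0], "neq": port != n[0], "gt": port > n[0],
            "lt": port < n[0], "range": n[0] <= port <= n[-1]}[op]

@dataclass
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[str] = None  # "echo" (request) or "echo-reply"
    established: bool = False        # TCP segment carrying ACK or RST

@dataclass
class Ace:
    action: str
    proto: str
    src: tuple                       # (base, wildcard)
    sport: Optional[tuple]           # e.g. ("gt", 1024)
    dst: tuple
    dport: Optional[tuple]
    icmp_type: Optional[str] = None
    established: bool = False
    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and addr_match(p.src, *self.src) and addr_match(p.dst, *self.dst)
                and port_match(self.sport, p.sport) and port_match(self.dport, p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type)
                and (not self.established or p.established))

def _take_addr(tok: list) -> tuple:
    kw = tok.pop(0)
    if kw == "host":  # host X is equivalent to X 0.0.0.0
        return (tok.pop(0), "0.0.0.0")
    return ("0.0.0.0", "255.255.255.255") if kw == "any" else (kw, tok.pop(0))

def _take_port(tok: list) -> Optional[tuple]:
    if not tok or tok[0] not in PORT_OPS:
        return None
    op = tok.pop(0)
    return (op, *[int(NAMED_PORTS.get(t, t)) for t in [tok.pop(0) for _ in range(PORT_OPS[op])]])

def parse_ace(line: str) -> Ace:
    """<permit|deny> <proto> <src> [port] <dst> [port] [icmp-type | established]"""
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, sport = _take_addr(tok), _take_port(tok)
    dst, dport = _take_addr(tok), _take_port(tok)
    return Ace(action, proto, src, sport, dst, dport,
               icmp_type=tok[0] if proto == "icmp" and tok else None,
               established="established" in tok)

def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

# The article's two named lists as they stand after step 3 (no echo-reply entry yet).
INT_IN = [parse_ace(l) for l in (
    "permit icmp 192.168.0.0 0.0.0.255 host 10.0.0.100 echo",
    "permit tcp host 192.168.0.11 gt 1024 host 10.0.0.100 eq 80",
)]
INT_OUT = [parse_ace(l) for l in (
    "deny icmp host 10.0.0.100 192.168.0.0 0.0.0.255 echo",
    "permit tcp host 10.0.0.100 eq 80 host 192.168.0.11 established",
)]

def ping_roundtrip(int_in: list, int_out: list, client: str, server: str) -> tuple:
    """The request is filtered by INT_IN (inbound on fa0/0), the reply by INT_OUT
    (inbound on fa0/1). Returns (request verdict, reply verdict)."""
    req = Packet("icmp", client, server, icmp_type="echo")
    rep = Packet("icmp", server, client, icmp_type="echo-reply")
    return evaluate(int_in, req), evaluate(int_out, rep)

if __name__ == "__main__":
    print(wildcard_mask(24), ping_roundtrip(INT_IN, INT_OUT, "192.168.0.11", "10.0.0.100"))
```

Appending the article's echo-reply entry to INT_OUT turns the reply verdict from deny to permit; the same model also shows that established rejects a bare SYN from the server's port 80 where gt 1024 would accept it.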

    So, let's look at our rules:

    Router#sh access
    Extended IP access list INT_IN
    permit icmp 192.168.0.0 0.0.0.255 host 10.0.0.100 echo (17 match(es))
    permit icmp host 10.0.0.100 192.168.0.0 0.0.0.255 echo-reply
    permit tcp host 192.168.0.11 gt 1024 host 10.0.0.100 eq www (36 match(es))
    permit tcp host 192.168.0.13 gt 1024 host 10.0.0.100 eq ftp (40 match(es))
    permit tcp host 192.168.0.13 gt 1024 host 10.0.0.100 gt 1024 (4 match(es))
    Extended IP access list INT_OUT
    deny icmp host 10.0.0.100 192.168.0.0 0.0.0.255 echo (4 match(es))
    permit icmp host 10.0.0.100 192.168.0.0 0.0.0.255 echo-reply (4 match(es))
    permit tcp host 10.0.0.100 eq www host 192.168.0.11 established (3 match(es))
    permit tcp host 10.0.0.100 eq ftp host 192.168.0.13 gt 1024 (16 match(es))
    permit tcp host 10.0.0.100 gt 1024 host 192.168.0.13 gt 1024 (3 match(es))