access-list

nat · lun 29 dic , 2008 9:59 pm

Ciao a tutti ,ho config un soho 77 tutto va bene solo che quando applico alcune regole all'interfaccia dialer0 101 in ,traffico abilitato ad entrare da internet,non si esce più, allego una parte di config:

interface Dialer0
ip address negotiated
ip access-group 101 in
ip mtu 1492

access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.1.0 0.0.255.255 any
access-list 101 deny ip 198.18.1.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit gre any any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log

show log
Dec 29 20:41:36.240: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 74.125.43.99 -> 79.46.180.100 (0/0), 1 packet
Dec 29 20:41:42.828: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.43.244.18(123) -> 79.46.180.100(123), 1 packet
Dec 29 20:41:45.132: %SEC-6-IPACCESSLOGP: list 101 denied udp 207.46.197.32(123) -> 79.46.180.100(123), 1 packet

PPPoA#sh access-lists 101
Extended IP access list 101
10 permit udp host 208.67.222.222 eq domain any (2 matches)
20 permit udp host 151.99.125.1 eq domain any
30 permit gre any any
40 deny icmp any any echo
50 deny ip any any log (74 matches)

Qualcosa di mostruoso stò sbagliando qualcuno può aiutarmi a capire?
Saluti.

netrix · lun 29 dic , 2008 11:28 pm

Beh, se permetti ai soli pacchetti gre di entrare...
Prova a mettere i seguenti permit:

permit tcp any any gt 1023 established

permit udp any eq domain any

Ciao

Wizard · mar 30 dic , 2008 10:55 am

Si, se blocchi tutto alla fine nn tornano + indietro i pacchetti...
Quindi, o fai come dice nat e permetti le connessioni estabilished oppure (meglio) abiliti ip inspect in uscita (se la ios lo permette)

nat · mar 30 dic , 2008 12:39 pm

Innanzitutto grazie mille per le risposte, non posso abilitare ip inspect così ho messo le regole come consigliato da netrix, cosi è ok ,ho solo il dubbio che
non sò se ho applicato nella seguenza giusta

access-list 101 permit tcp any any gt 1023 established
access-list 101 permit udp any eq domain any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log

inoltre se è possibile mi piacerebbe sapere la funzione di gt 1023 established

grazie di nuovo a tutti

Wizard · mar 30 dic , 2008 1:11 pm

Metti così:

Codice: Seleziona tutto

no access-list 101
access-list 101 permit tcp any any gt 1023 established
access-list 101 permit udp any any gt 1023
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.1.0 0.0.255.255 any
access-list 101 deny ip 198.18.1.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 deny icmp any any echo
access-list 101 permit gre any any
access-list 101 deny ip any any log

Wizard · mar 30 dic , 2008 1:12 pm

Le acl "established" permettono il traffico di ritorno e quindi sl i pacchetti con syn-ack

netrix · mar 30 dic , 2008 1:56 pm

Perfetto, thread risolto. Manca il mio... ;(

nat · mar 30 dic , 2008 4:51 pm

grazie, per me ora è più chiaro.

nat · mar 30 dic , 2008 7:03 pm

scusate c'è un piccolo problema,se può essere tale,le regole
access-list 101 permit tcp any any gt 1023 established
access-list 101 permit udp any any gt 1023
bloccano le porte tcp e udp del mulo,premesso che ho creato le entri di
ip nat inside source ......... per le relative porte tcp e udp.
posso aggiungere qualcosa per abilitare i relativi protocolli x il mulo?
ciaoo

netrix · mar 30 dic , 2008 11:07 pm

Con le regole che hai adesso puoi aggiungere, dopo la prima acl permit tcp, la seguente regola:

access-list 101 permit tcp any any porta_tcp_di_emule

E dovresti essere a posto credo, visto che hai detto di aver gia' configurato la mappatura statica ip nat inside source etc...

nat · mer 31 dic , 2008 12:07 pm

le regole che ho aggiunto sono le sequenti e funziona
access-list 101 permit tcp any any eq 4662
access-list 101 permit udp any any eq 4672
ho usato eq=Match only packets on a given port number
spero che sia giusto
saluti e auguri

Wizard · ven 02 gen , 2009 10:58 am

access-list 101 permit tcp any any eq 4662
access-list 101 permit udp any any eq 4672

Si sono giuste, spero sl che le abbi inserite prima del

deny ip any any

nat · ven 02 gen , 2009 8:52 pm

per completezza allego, se può essere utile a qualcuno tutta l'access-list, sempre che sia corretta.

access-list 101 remark **********************************************************************
access-list 101 remark *** Traffico abilitato ad entrare nel router da internet ***
access-list 101 permit tcp any any gt 1023 established
access-list 101 permit udp any any gt 1023
access-list 101 remark **********************************************************************
access-list 101 remark *** regole x EMULE***
access-list 101 permit tcp any any eq 4662
access-list 101 permit udp any any eq 4672
access-list 101 remark **********************************************************************
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.1.0 0.0.255.255 any
access-list 101 deny ip 198.18.1.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 permit udp host 151.99.125.1 eq domain any
access-list 101 permit udp host 207.46.197.32 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 101 remark *********************************************************************
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 deny icmp any any log
access-list 101 remark ******************************************************************
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 593
access-list 101 deny tcp any any eq 2049
access-list 101 deny udp any any eq 2049
access-list 101 deny tcp any any eq 2000
access-list 101 deny tcp any any range 6000 6010
access-list 101 deny udp any any eq 1433
access-list 101 deny udp any any eq 1434
access-list 101 deny udp any any eq 5554
access-list 101 deny udp any any eq 9996
access-list 101 deny udp any any eq 113
access-list 101 deny udp any any eq 3067

Ciao

Wizard · gio 08 gen , 2009 6:11 pm

Fai così:

Codice: Seleziona tutto

no access-list 101
access-list 101 remark ******************************************************************
access-list 101 remark *** traffico di ritorno ***
access-list 101 permit tcp any any gt 1023 established
access-list 101 permit udp any any gt 1023
access-list 101 remark ******************************************************************
access-list 101 remark *** regole x EMULE***
access-list 101 permit tcp any any eq 4662
access-list 101 permit udp any any eq 4672
access-list 101 remark ******************************************************************
access-list 101 remark *** regole traffico ICMP ***
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 deny icmp any any log
access-list 101 remark ******************************************************************
access-list 101 remark *** traffico dns e ntp ***
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 permit udp host 151.99.125.1 eq domain any
access-list 101 permit udp host 207.46.197.32 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 101 remark ******************************************************************
access-list 101 remark *** regole anti spoofing***
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.1.0 0.0.255.255 any
access-list 101 deny ip 198.18.1.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 remark ******************************************************************
access-list 101 remark *** protezione da worm ***
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 593
access-list 101 deny tcp any any eq 2049
access-list 101 deny udp any any eq 2049
access-list 101 deny tcp any any eq 2000
access-list 101 deny tcp any any range 6000 6010
access-list 101 deny udp any any eq 1433
access-list 101 deny udp any any eq 1434
access-list 101 deny udp any any eq 5554
access-list 101 deny udp any any eq 9996
access-list 101 deny udp any any eq 113
access-list 101 deny udp any any eq 3067 
access-list 101 remark ******************************************************************
access-list 101 remark *** acl per log ***
access-list 101 deny ip any any log
access-list 101 remark ******************************************************************

Wizard · gio 08 gen , 2009 6:11 pm

in generale prima metti tutti i permit poi i deny

access-list

Login • Iscriviti