Il Firewall mi blocca il port-forwarding!!! Help!!

Galerio · dom 08 mar , 2009 2:16 pm

Prendendo spunto da alcune configurazioni che ci son qui e altrove ho creato la mia personale, solo che se attivo il Firewall (o almeno, una parte di esso) il port-forwarding non mi funziona più e così ne emule ne il voip funziona.

Ecco la mia configurazione intera (ho un Cisco 877W con IOS 12.4-15T6):

Codice: Seleziona tutto

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-15.T6.bin
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-3xxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-36xxxxxxxx
 revocation-check none
 rsakeypair TP-self-signed-36xxxxxxx
!
!
crypto pki certificate chain TP-self-signed-361xxxxxxxx
 certificate self-signed 01 nvram:IOS-Self-Sig#E.cer
dot11 syslog
!
dot11 ssid [wifiReti]
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 [pass]
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.12
!
ip dhcp pool sdm-pool1
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 195.186.1.111 195.186.4.111
   lease infinite
!
ip dhcp pool STATIC-1
   host 192.168.1.2 255.255.255.0
   client-identifier 0100.12dc.5c47.6b
   client-name AladinoVoip
!
ip dhcp pool STATIC-2
   host 192.168.1.3 255.255.255.0
   client-identifier 0100.0129.d1a5.83
   client-name Armor
!
ip dhcp pool STATIC-3
   host 192.168.1.4 255.255.255.0
   client-identifier 0100.14bf.62ca.d9
   client-name NSLU2
!
ip dhcp pool STATIC-4
   host 192.168.1.5 255.255.255.0
   client-identifier 0100.1731.c2ee.97
   client-name Amelia
!
ip dhcp pool STATIC-5
   host 192.168.1.6 255.255.255.0
   client-identifier 0108.1073.0dcd.b0
   client-name Vale
!
ip dhcp pool STATIC-6
   host 192.168.1.7 255.255.255.0
   client-identifier 0100.2100.6593.7f
   client-name Maggi
!
ip dhcp pool STATIC-7
   host 192.168.1.8 255.255.255.0
   client-identifier 0100.16fe.7b43.70
   client-name HP-rw6815
!
ip dhcp pool STATIC-8
   host 192.168.1.9 255.255.255.0
   client-identifier 0100.1d0f.b59d.5f
   client-name Crema-wifi
!
ip dhcp pool STATIC-9
   host 192.168.1.11 255.255.255.0
   client-identifier 0100.0c6e.a800.62
   client-name Crema-eth
!
!
ip name-server 195.186.1.111
ip name-server 195.186.4.111
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall https
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ddns update method sdm_ddns1
 HTTP
  add http://xxxx:[email protected]/nic/updatesystem=dyndns&hostname=<h>&myip=<a>
  remove http://xxxx:[email protected]/nic/updatesystem=dyndns&hostname=<h>&myip=<a>
!
!
multilink bundle-name authenticated
!
!
username xxxxxxxxxx privilege 15 password 0 xxxxxxxxxxxx
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid wifiReti
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 world-mode dot11d country IT both
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 ip ddns update hostname xxxxxxxx.dyndns.org
 ip ddns update sdm_ddns1
 ip address negotiated
 ip access-group 101 in  [se tolgo questa riga il port-forwaring funziona]
 ip mtu 1492
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxx
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.1.2 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.2 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.1.3 9 interface Dialer0 9
ip nat inside source static tcp 192.168.1.3 4711 interface Dialer0 4711
ip nat inside source static tcp 192.168.1.3 7395 interface Dialer0 7395
ip nat inside source static udp 192.168.1.3 8457 interface Dialer0 8457
ip nat inside source static udp 192.168.1.3 35238 interface Dialer0 35238
ip nat inside source static tcp 192.168.1.3 35238 interface Dialer0 35238
ip nat inside source static tcp 192.168.1.3 81 interface Dialer0 81
ip nat inside source static tcp 192.168.1.3 5900 interface Dialer0 5900
ip nat inside source static tcp 192.168.1.3 6346 interface Dialer0 6346
ip nat inside source static udp 192.168.1.3 6346 interface Dialer0 6346
ip nat inside source static tcp 192.168.1.4 4712 interface Dialer0 4712
ip nat inside source static udp 192.168.1.4 5672 interface Dialer0 5672
ip nat inside source static udp 192.168.1.4 4665 interface Dialer0 4665
ip nat inside source static tcp 192.168.1.3 5800 interface Dialer0 5800
ip nat inside source static tcp 192.168.1.3 36433 interface Dialer0 36433
ip nat inside source static tcp 192.168.1.3 6348 interface Dialer0 6348
ip nat inside source static udp 192.168.1.3 6348 interface Dialer0 6348
ip nat inside source static tcp 192.168.1.3 15698 interface Dialer0 15698
ip nat inside source static udp 192.168.1.3 15698 interface Dialer0 15698
ip nat inside source static tcp 192.168.1.3 6347 interface Dialer0 6347
ip nat inside source static udp 192.168.1.3 6347 interface Dialer0 6347
ip nat inside source static tcp 192.168.1.4 5662 interface Dialer0 5662
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark *** Traffico abilitato ad entrare nel router da internet ****
access-list 101 permit tcp host 63.208.196.96 eq www any log
access-list 101 permit udp host 207.46.232.42 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 101 permit gre any any
access-list 101 remark *************************************************************
access-list 101 remark *** ACL port forwarding ***
access-list 101 permit tcp any host 192.168.0.3 eq 4711
access-list 101 permit tcp any host 192.168.0.3 eq 7395
access-list 101 permit tcp any host 192.168.0.3 eq 35238
access-list 101 permit tcp any host 192.168.0.3 eq 81
access-list 101 permit tcp any host 192.168.0.3 eq 5900
access-list 101 permit tcp any host 192.168.0.3 eq 6346
access-list 101 permit tcp any host 192.168.0.3 eq 5800
access-list 101 permit tcp any host 192.168.0.3 eq 36433
access-list 101 permit tcp any host 192.168.0.3 eq 6348
access-list 101 permit tcp any host 192.168.0.3 eq 15698
access-list 101 permit tcp any host 192.168.0.3 eq 6347
access-list 101 permit tcp any host 192.168.0.2 eq 5060
access-list 101 permit udp any host 192.168.0.2 eq 5060
access-list 101 permit tcp any host 192.168.0.4 eq 4712
access-list 101 permit tcp any host 192.168.0.4 eq 5662
access-list 101 permit udp any host 192.168.0.4 eq 5672
access-list 101 permit udp any host 192.168.0.4 eq 4665
access-list 101 permit udp any host 192.168.0.3 eq 9
access-list 101 permit udp any host 192.168.0.3 eq 8457
access-list 101 permit udp any host 192.168.0.3 eq 35238
access-list 101 permit udp any host 192.168.0.3 eq 6346
access-list 101 permit udp any host 192.168.0.3 eq 6348
access-list 101 permit udp any host 192.168.0.3 eq 15698
access-list 101 permit udp any host 192.168.0.3 eq 6347
access-list 101 remark *************************************************************
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 deny   icmp any any echo
access-list 101 deny   ip any any log
access-list 102 remark *************************************************************
access-list 102 remark Traffico abilitato ad entrare nel router dalla ethernet
access-list 102 permit ip any host 192.168.1.1
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny   ip any host 192.168.1.255
access-list 102 deny   udp any any eq tftp log
access-list 102 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny   udp any any eq 135 log
access-list 102 deny   tcp any any eq 135 log
access-list 102 deny   udp any any eq netbios-ns log
access-list 102 deny   udp any any eq netbios-dgm log
access-list 102 deny   tcp any any eq 445 log
access-list 102 deny   ip any any log
access-list 102 remark *************************************************************
dialer-list 1 protocol ip permit
no cdp run 
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 207.46.197.32
sntp server 192.43.244.18
end

Come ho scritto nella config fra parentesi quadra, se tolgo la riga "ip access-group 101 in" da interface Dialer0 il port-forwarding funziona perché in pratica gli dico di ignorare tutto quello che c'è nella access-list 101. Se invece lascio quella riga, il port-forwarding non va e nel log ho ovviamente tutti i tentativi bloccati di pacchetti che tentan di passare da quelle porte:

Codice: Seleziona tutto

Mar  6 09:59:26.884: %SEC-6-IPACCESSLOGP: list 101 denied udp 121.233.122.166(37800) -> 78.12.114.135(8457), 1 packet
Mar  6 09:59:27.936: %SEC-6-IPACCESSLOGP: list 101 denied udp 218.25.237.238(8560) -> 78.12.114.135(8457), 1 packet
Mar  6 09:59:29.252: %SEC-6-IPACCESSLOGP: list 101 denied udp 78.8.53.127(5218) -> 78.12.114.135(8457), 1 packet
Mar  6 09:59:30.592: %SEC-6-IPACCESSLOGP: list 101 denied udp 81.44.238.47(10353) -> 78.12.114.135(8457), 1 packet
Mar  6 09:59:31.704: %SEC-6-IPACCESSLOGP: list 101 denied udp 91.23.48.117(63077) -> 78.12.114.135(8457), 1 packet
Mar  6 09:59:34.184: %SEC-6-IPACCESSLOGP: list 101 denied udp 91.180.222.114(15869) -> 78.12.114.135(8457), 1 packet
Mar  6 09:59:35.208: %SEC-6-IPACCESSLOGP: list 101 denied udp 79.5.228.36(16975) -> 78.12.114.135(8457), 1 packet
Mar  6 09:59:37.500: %SEC-6-IPACCESSLOGP: list 101 denied udp 80.174.53.168(5467) -> 78.12.114.135(8457), 1 packet
Mar  6 09:59:38.656: %SEC-6-IPACCESSLOGP: list 101 denied udp 213.114.111.215(14297) -> 78.12.114.135(54956), 1 packet

Inoltre come potete vedere ho tolto dalla access-list i permessi di accesso ai DNS servers che in tutte le configurazioni qui scritte trovo, ma che sono inutili in quanto è già presente la riga:
ip inspect name Firewall dns
che permette al traffico di ritornare senza alcuna altra regola.

Infine, cosa molto strana, ho una regola in access-list 101 che non mi viene accettata:

Codice: Seleziona tutto

access-list 101 permit udp any host 192.168.0.3 eq discard

mentre dovrebbe essere così:

Codice: Seleziona tutto

access-list 101 permit udp any host 192.168.0.3 eq 9

e mi serve perché è per la funzione di WakeOnLan!!! Come mai fa così?
Ad ogni modo questo è l'ultimo dei miei problemi, la cosa più importante è trovare il modo di far funzionare il firewall con le varie regole anti-spoofing assieme al port-forwarding!

Qualcuno mi dà una mano?

Grazie mille!!

Wizard · lun 09 mar , 2009 4:06 pm

access-list 101 remark *** ACL port forwarding ***
access-list 101 permit tcp any host 192.168.0.3 eq 4711
access-list 101 permit tcp any host 192.168.0.3 eq 7395
access-list 101 permit tcp any host 192.168.0.3 eq 35238
access-list 101 permit tcp any host 192.168.0.3 eq 81
access-list 101 permit tcp any host 192.168.0.3 eq 5900
access-list 101 permit tcp any host 192.168.0.3 eq 6346
access-list 101 permit tcp any host 192.168.0.3 eq 5800
access-list 101 permit tcp any host 192.168.0.3 eq 36433
access-list 101 permit tcp any host 192.168.0.3 eq 6348
access-list 101 permit tcp any host 192.168.0.3 eq 15698
access-list 101 permit tcp any host 192.168.0.3 eq 6347
access-list 101 permit tcp any host 192.168.0.2 eq 5060
access-list 101 permit udp any host 192.168.0.2 eq 5060
access-list 101 permit tcp any host 192.168.0.4 eq 4712
access-list 101 permit tcp any host 192.168.0.4 eq 5662
access-list 101 permit udp any host 192.168.0.4 eq 5672
access-list 101 permit udp any host 192.168.0.4 eq 4665
access-list 101 permit udp any host 192.168.0.3 eq 9
access-list 101 permit udp any host 192.168.0.3 eq 8457
access-list 101 permit udp any host 192.168.0.3 eq 35238
access-list 101 permit udp any host 192.168.0.3 eq 6346
access-list 101 permit udp any host 192.168.0.3 eq 6348
access-list 101 permit udp any host 192.168.0.3 eq 15698
access-list 101 permit udp any host 192.168.0.3 eq 6347

Le reti private nn sono routate su internet...
Ti presenti con l' ip della int pubblica...

ip nat inside source static udp 192.168.1.2 5060 interface Dialer0 5060

Galerio · lun 09 mar , 2009 4:10 pm

mi piacerebbe risponderti.... ma non ho capito nulla

ehm...

cosa dovrei fare? (non ridere di me son ancora una schiappa..)

Wizard · lun 09 mar , 2009 4:23 pm

Esempio:

access-list 101 permit udp any host 192.168.0.3 eq 6347

diventa

access-list 101 permit udp any IP_PUBBLICO_DIALER0 eq 6347

solo che, essendo l'ip dinamico (immagino) devi modificare tutte le acl così:

access-list 101 permit udp any any eq 6347

Galerio · lun 09 mar , 2009 4:30 pm

Grazie

Domani ci provo, dopodiché la mia config è quasi perfetta!

Wizard · mar 10 mar , 2009 2:45 pm

OK ma hai capito il tuo errore?

Galerio · mar 10 mar , 2009 3:18 pm

Si, si, ho capito, non conoscendo la struttura della riga di una acl non sapevo bene a cosa si riferissero le varie parti, ma ora che me l'hai detto ho capito.
Ho già provato modificando da remoto la config e funziona Poi vabbé, modificando da remoto in ssh ho tralasciato la regola nell'acl per abilitar appunto l'ssh a entrar da internet nel router e son rimasto tagliato fuori

ma poi grazie a TemaViewer (mi salva sempre) son entrato nel desktop remoto del mio pc che per fortuna era acceso e da lì ho aperto una sessione telnet per inserire pure la regolina ("access-list 101 permit tcp any any eq 22") per abilitar la porta 22 dell'ssh!! Ora funziona tutto quanto! Perfino l'ssh da remoto. Spero di tornar a casa in fretta così posso testare a dovere il tutto.

Grazie ancora!

ah... è sempre rimasto questo problema però nella acl: non mi viene accettata la riga "access-list 101 permit udp any any eq 9" dove al posto del 9 mi mette la scritta "discard", cioé la riga diventa:
access-list 101 permit udp any any eq discard
come mai?

e... un'ultimissima cosa, va bene il mio log o c'è qualcosa di rilevante?

Codice: Seleziona tutto

Mar 10 14:15:56.423: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 81.213.178.120 -> 78.12.115.55 (3/3), 1 packet
Mar 10 14:16:02.239: %FW-6-DROP_PKT: Dropping tcp session 78.12.115.55:49794 125.163.200.222:5938  due to  RST inside current window with ip ident 14409 tcpflags 0x5014 seq.no 2366249271 ack 980502979
Mar 10 14:16:02.383: %SEC-6-IPACCESSLOGP: list 101 denied tcp 87.230.73.21(30165) -> 78.12.115.55(80), 1 packet
Mar 10 14:16:05.872: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 2 packets
Mar 10 14:16:13.460: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 218.165.134.137 -> 78.12.115.55 (3/3), 1 packet
Mar 10 14:16:22.952: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 201.252.23.73 -> 78.12.115.55 (3/3), 1 packet
Mar 10 14:16:31.544: %SEC-6-IPACCESSLOGP: list 101 denied udp 85.86.233.244(60577) -> 78.12.115.55(1087), 1 packet
Mar 10 14:16:34.160: %SEC-6-IPACCESSLOGP: list 101 denied tcp 125.163.200.222(5938) -> 78.12.115.55(49794), 1 packet
Mar 10 14:16:44.700: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 87.221.169.133 -> 78.12.115.55 (3/1), 1 packet
Mar 10 14:16:47.128: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 62.0.164.86 -> 78.12.115.55 (3/1), 1 packet
Mar 10 14:16:50.760: %SEC-6-IPACCESSLOGP: list 101 denied udp 221.2.104.30(55410) -> 78.12.115.55(1538), 1 packet
Mar 10 14:16:57.168: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 81.32.101.124 -> 78.12.115.55 (3/3), 1 packet
Mar 10 14:17:05.872: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 1 packet
Mar 10 14:17:12.951: %SEC-6-IPACCESSLOGP: list 101 denied udp 116.26.69.126(48032) -> 78.12.115.55(1538), 1 packet
Mar 10 14:17:15.519: %SEC-6-IPACCESSLOGP: list 101 denied udp 125.38.53.112(7563) -> 78.12.115.55(1253), 1 packet
Mar 10 14:17:17.063: %SEC-6-IPACCESSLOGP: list 101 denied udp 222.184.196.111(7566) -> 78.12.115.55(1348), 1 packet
Mar 10 14:17:18.855: %FW-6-DROP_PKT: Dropping tcp session 116.23.112.89:1041 192.168.1.3:49893  due to  Invalid Ack (or no Ack) with ip ident 17653 tcpflags 0x5F14 seq.no 0 ack 2179765016

Wizard · ven 13 mar , 2009 12:02 pm

Codice: Seleziona tutto

(config)#access-list 190 permit udp any any eq 9
(config)#do sh access-list 190
Extended IP access list 190
    10 permit udp any any eq discard

Semplicemente la porta 9 udp è chiamata "discard"

Il Firewall mi blocca il port-forwarding!!! Help!!

Login • Iscriviti