This is an old revision of the document!
Lab 1. Packet filtering - ACL
Setup
The topology consists of one Cisco router model 7200 with one networking card module PA-4E and two Ubuntu machines which serves as client (L2) and server (L1).
Eve-ng virtual machine should be already started for you with both binary image for Cisco router and iso for Ubuntu already added (for more, see the path /opt/unetlab/addons/dynamips).
You have to do the following:
- add IPs for network between the server and the network equipment (use range 10.10.10.0/24)
- add IPs for network between the client and the network equipment (use range 10.20.20.0/24) First IP is allocated for router and the second one for Linux machine
- add routes to make sure the endpoints can ping each other
Exercises using ACLs
1. Standard ACL - basic filtering:
We have the following scenario: suppose I have on the client1 2 interfaces linked to the router (we will use a subinterface here) and I want only from the first one to ping the server and client2:
root@client1:/home/eve/Desktop# ip a a 2.2.2.3/24 dev eth0:0
root@client1:/home/eve/Desktop# ip a s dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:00:00:03:00 brd ff:ff:ff:ff:ff:ff
inet 2.2.2.2/24 scope global eth0
valid_lft forever preferred_lft forever
inet 2.2.2.3/24 scope global secondary eth0
valid_lft forever preferred_lft forever
Check that ping from both client1 works from both interfaces (use -I flag).
root@client1:/home/eve/Desktop# ping -c 1 -I 2.2.2.3 1.1.1.2 PING 1.1.1.2 (1.1.1.2) from 2.2.2.3 : 56(84) bytes of data. 64 bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=11.0 ms [...]
Add on the router the first ACL (stanard - called 1) that will permit only the first ip address:
cisco_7200(config)#ip access-list standard 1 cisco_7200(config-std-nacl)#permit host 2.2.2.2 cisco_7200(config-std-nacl)#deny any cisco_7200(config-std-nacl)#exit cisco_7200(config)#int e1/1 cisco_7200(config-if)#ip access-group 1 in
Check again from client1 and see how for the second ip 2.2.2.3, the router responds with an icmp packet with code 13 (packet filtered):
root@client1:/home/eve/Desktop# ping -c 1 -I 2.2.2.2 1.1.1.2 PING 1.1.1.2 (1.1.1.2) from 2.2.2.2 : 56(84) bytes of data. 64 bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=11.6 ms --- 1.1.1.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 11.659/11.659/11.659/0.000 ms root@client1:/home/eve/Desktop# ping -c 1 -I 2.2.2.3 1.1.1.2 PING 1.1.1.2 (1.1.1.2) from 2.2.2.3 : 56(84) bytes of data. From 2.2.2.1 icmp_seq=1 Packet filtered --- 1.1.1.2 ping statistics --- 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
You can also use tcpdump with verbosity on:
eve@client1:~/Desktop$ sudo tcpdump -i eth0 -vv src 2.2.2.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:52:33.644250 IP (tos 0x0, ttl 255, id 105, offset 0, flags [none], proto ICMP (1), length 56)
2.2.2.1 > client1: ICMP host 1.1.1.2 unreachable - admin prohibited filter, length 36
IP (tos 0x0, ttl 63, id 19367, offset 0, flags [DF], proto ICMP (1), length 84)
2. Filter non-DNS and non-HTTP traffic:
cisco_7200(config-if)#exit cisco_7200(config)#int e1/1 cisco_7200(config-if)#no ip access-group 1 in
On this taks, you need write a new ACL (extended with value 101) with the following requirements: - allow DNS traffic to host 8.8.8.8 (test with nslookup or host)
- all HTTP traffic to host upb.ro (test with curl or wget). For upb.ro host use IP address 141.85.220.33
- deny any other type of traffic to host 8.8.8.8 and upb.ro
Apply this to the client network and find the ip addess for upb.ro, test curl upb.ro and then try to ping upb.ro or 8.8.8.8. Do not forget to add on client the nameserver.
3. Filter based on QoS information on the IP header:
Another field that can be matched in an IP header is the QoS information. If you want to match traffic with TOS value = 2, use the following commands:
cisco_7200(config)#ip access-list extended 101 cisco_7200(config-ext-nacl)#permit ip any any tos 2 cisco_7200(config-ext-nacl)#deny ip any any
Add extended ACL 101 to inbound direction on intf e0/0.
cisco_7200(config)#int e1/1 cisco_7200(config-if)#ip access-group 101 in
Try to send an icmp-echo request to server.
See that without adding the TOS value to ping command, the packets are filtered. Let’s try again with -Q flag added (try to look over ping manual also).
Look also over the access list from privileged exec mode:
cisco_7200#sh ip access-lists 101
Extended IP access list 101
10 permit ip any any tos max-reliability (2 matches)
20 deny ip any any (20 matches)
4. Standard and extended access lists:
On Cisco routers, the standard ACLs are numbered from 1 to 99 and the extended ones from 100 to 199. These numbers represent an older notation (yes, there are also used in the previous exercises) and there is recommended to switch to named ones where they can be explicitly defined as standard or extended. For easier debugging, there is also recommended to use only capitalized letters.
For an ACL we can see how many times a rule was matched (for example, this can be used for collecting information about the behavior of users in a company).
Another thing to note here are the line numbers (can be seen as priority values - the lowest value has the bigger priority) which are not incremented by default by one and instead there exists a gap for inserting new lines between them. In the case from above let’s say I want to introduce before ‘deny ip any any’ a new rule for permitting the source ip address 10.20.20.3.
Both standard and extended ACLs filter traffic based on static entries from layer 3 headers (IPs, QoS etc.) and layer 4 (TCP SYN flag, TCP MPTCP option etc.). However, this type of filtering is not very reliable as this information can be bypassed by an attacker by simply modifying the packets. One such example is scapy (a python library) which can be used to forge different packets and test the capabilities of firewalls.
5. Reflexive ACLs: Used for inspecting and monitor session data. An entry in the ACL can be used to reflect the traffic and create a second ACL, called reflexive IP access list. They are used to allow traffic based on them. Note that entries in them have a timeout value and are removed after it expires (dynamic entries in ACL).
After sending some pings from client to 10.30.30.2 (gateway), new entries are created for ICMP_OUT_CLIENT.
Exercise: do the same thing for DNS traffic. Verify by using nslookup or host on client machine the creation of reflexive ACL on the router.
6. Temporary access control:
a. using time-range: Standard, extended and reflexive ACLs can be configured to activate at a specific time using time-range command in config mode. In the following example, the HTTP traffic is only allowed on weekdays between 09:00 and 17:00 (for example, in a company with 8 working hours).
Rewrite the ACL ONLY_CLIENT (from above) to include time-range PERIODIC.
Send an icmp request from client to 10.30.30.2:
b. using lock-and-key: The second method consists in creating a temporary ACL using lock-and-key feature from Cisco, which is also known as dynamic ACL. It is activated automatically only when the user is authenticated. The next example is using telnet on router CISCO_packet_filter.
This will create the credentials student:student (used for local login), add them for logging to vty 0 and add a command that is executed automatically: enable the access for the host that is authenticated (the ip of it is retained).
Next, create an inbound ACL for permitting ICMP and telnet connections.
Create also the outbound one.
Add the ACLs to interface e0/0.
In the end try to ping (will fail firstly), connect and ping again.
