This is a post from my old website that still gets many hits. I'm moving all those old items here to this blog. Here it is:
Here is my Cisco access list which is configured to prevent outside access:
-----------------------------
Screening Router Access List:
-----------------------------
Note: All real ip addresses have been changed to the reserved 169.254.92.0 network.
! Beginning of access-list 101
!
! Deny rfc 1918 addresses:
!
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
!
! Deny packets with localhost, broadcast and multicast addresses:
!
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny ip 224.0.0.0 7.255.255.255 any log
!
! Deny packets without ip address.
!
access-list 101 deny ip host 0.0.0.0 any log
!
! Prevent spoofing. Deny incoming packets that have
! our internal address:
!
access-list 101 deny ip 169.254.92.0 0.0.0.255 any log
!
! More spoofing prevention. Insert ip address of external
! router interface ip address:
!
access-list 101 deny ip host 169.254.8.78 any log
!
! If you run any listeners, NFS or Xwindows add those
! ports here.
!
! access-list 101 deny tcp any any eq 2000 log
! access-list 101 deny tcp any any eq 2001 log
! access-list 101 deny tcp any any eq 6000 log
! access-list 101 deny tcp any any eq 6001 log
!
! Allow only ACKed tcp packets to our network:
!
access-list 101 permit tcp any 169.254.92.0 0.0.0.255 gt 1023 established
!
! Allow only specific ICMP:
! http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
! http://www.worldgate.com/~marcs/mtu/
!
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 0 ! net-unreachable
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 1 ! host-unreachable
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 3 ! port-unreachable
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 4 ! packet-too-big
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 13 ! administratively-prohibited
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 4 ! source-quench
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 11 0 ! ttl-exceeded
!
! Allow smtp traffic to mail servers only:
!
access-list 101 permit tcp any host 172.29.92.15 eq smtp
access-list 101 permit tcp any host 172.29.92.108 eq smtp
!
! Allow incoming dns traffic to name servers only:
! Note: Probably best to limit tcp domain traffic to specific servers.
!
access-list 101 permit tcp any host 169.254.92.15 eq domain log
access-list 101 permit tcp any host 169.254.92.13 eq domain log
access-list 101 permit udp any host 169.254.92.15 eq domain
access-list 101 permit udp any host 169.254.92.13 eq domain
!
! Allow ntp to time server:
! See: http://www.eecis.udel.edu/~ntp/
!
access-list 101 permit udp any eq 123 host 169.254.92.38 eq 123
!
! Allow incoming news traffic to nntp server only:
!
access-list 101 permit tcp any host 169.254.92.103 eq nntp
!
! For ftp clients:
! Not very secure. The alternative is to remove this and
! force clients into passive mode.
!
access-list 101 permit tcp any eq 20 169.254.92.0 0.0.0.255 gt 1023
!
! We deny ident. We're not sure if it's secure. Entry is here
! to keep log files from filling up:
!
access-list 101 deny tcp any any eq 113
!
! Log everything that does not meet the above rules.
!
access-list 101 deny ip any any log
!
! End of access-list 101
! Add this to external interface of screening router:
!
no ip directed-broadcast
no ip proxy-arp
no ip unreachables ! Don't send icmp for denied items in
access-list.
ntp disable
!
! Apply access list to external interface:
!
ip access-group 101 in
!
! Use this command if you want to see denied hosts while
! logged into the router. Use command:
! "show ip accounting access-violations"
!
! ip accounting access-violations
----------------
Outbound filter:
----------------
! Beginning of access-list 102
!
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
!
! Don't allow internal hosts to send icmp.
!
access-list 102 deny icmp any any log
!
! Only allow packets from our network.
!
access-list 102 permit ip 169.254.92.0 0.0.0.255 any
!
! Log everything else:
!
access-list 102 deny ip any any log
!
! End of access-list 102
!
! Apply access list 102 to outbound external interface
! or inbound on internal interface.
----------------------------------
Additional items to add to config:
----------------------------------
!
! Miscellaneous:
!
service password-encryption
service linenumber
no cdp run
no service finger
no service udp-small-servers
no service tcp-small-servers
no ip source-route
no ip bootp server
no ip http server
no ntp master
no ip domain-lookup ! If you don't have a name server.
no logging console ! Save cpu cycles.
logging buffered
!
! Cisco NTP information:
! http://www.cisco.com/univercd/cc/td/doc/product/software/ios11/sbook/ssysmgmt.htm
! http://www.cisco.com/warp/customer/105/30.html
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
clock timezone PST -8 !
My timezone.
clock summer-time zone recurring
ntp source
e0
! My inside interface.
ntp update-calendar
ntp server 196.254.92.38 ! My Linux time
server.
!
! VERY VERY IMPORTANT! Log everything to syslog!
!
logging 196.254.92.83
!
! Performance-related:
!
! IOS 11+
!
ip tcp path-mtu-discovery
!
! IOS 11.3+
!
ip tcp selective-ack
-----
SNMP:
-----
! Secure snmp with a community name other than public or private.
! Add access-list security.
!
snmp-server community secret RO 21
snmp-server trap-authentication
!
! Log router events to snmp trap host:
!
snmp-server enable traps config
snmp-server enable traps frame-relay
snmp-server host 169.254.92.83 secret
!
access-list 21 permit 169.254.92.83
---------------------------------
Secure vty (Telnet) and aux port:
---------------------------------
line aux 0
access-class 2 in
transport input all
line vty 0 4
access-class 1 in
password 7 xxxxxxxxxxxxx
login
!
! Add access-lists:
!
! Allow only specific hosts to telnet into router:
!
access-list 1 permit 169.254.92.39
!
! Block access to aux.
!
access-list 2 deny 0.0.0.0 255.255.255.255
------------------------------------
Mail report of router log to myself:
------------------------------------
Add UNIX cron job:
cat /var/log/messages |grep [routername]|sort +14 -15 |mail -s "Router Access
List Log" me@mydoman.com
----------
Reference:
----------
Cisco Security Overview:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scoverv.htm
Please notify how can I see the ICMP messages on my PC?
I think that the wildmask of multicast address is 15.255.255.255 instead of 7.255.255.255.
Posted by: Dr. Ghassan | July 23, 2006 at 08:55 AM
I would like to thank you for the information on acl[s],i have leant some of the thing i didn't know.But iwould like if you can do me a favour on e-mailing me on standard configarations on acl
Posted by: Macleon Kalunga | October 01, 2007 at 07:45 AM
kool, Thanks
Posted by: dom | April 23, 2009 at 02:37 PM