Cisco Access Lists

For a while this afternoon, the wireless network was being used and the user was a victim of an MSN virus – this is easily identified by the links to ‘naked pics of me’ – as if they exist on the internet, I thought my servers were more secure than that (no, there are no such pictures).

I thought nothing of it, until I began to ponder the possibility of a heap of outgoing port 25 sessions, and thought I’d check. At the time I checked, the machine must have been turned off for at least 5 minutes – it didn’t appear in my samba check, and pinging it got no replies.

I checked ip nat translations, and sure enough the SMTP connection attempts were there.

Earlier on my partner removed the MSN virus from that machine, and it appeared again just 2 hours later. Wonderful.

I’ve now reconfigured the wonderful Cisco router. No more port 25 connections from any machine except mine and the server IPs, and, whilst I was at it, no more P2P either.

Cisco’s 871W does this by using class-maps to identify protocols (bittorrent, limewire, kazaa and so on) and a policy-map that sets a DSCP value on the traffic matched by that class-map.

Then my access list permits my machine and the servers, drops all P2P, drops all outgoing port 25, and finally permits everything else. This disables P2P and drops all port 25 traffic that doesn’t go through the server – i.e. all the spam traffic.

A slight adjustment of the machines to make sure they send mail via the server, and that should stop any further activity in its tracks – testing shows it is not possible to open port 25 to a server, but that server happily chats to my mail server – solved.

The configuration?

access-list 100 permit ip host 192.168.x.4 any <– Allow me, I don’t want to get denied access to anything, including the router.
access-list 100 permit ip host 192.168.x.3 any <– Allow my server.
access-list 100 permit ip host 192.168.x.2 any <– Allow the linux box.
access-list 100 deny   ip any any dscp 1 <– Drop all P2P
access-list 100 deny   tcp any any eq smtp <– Drop all SMTP
access-list 100 permit ip any any <– allow

Then in my LAN interface:

ip access-group 100 in

That makes the router check access list 100 before routing any traffic arriving inbound on that interface (i.e. in from the LAN connection).

The class map for P2P:

class-map match-any P2P
match protocol bittorrent
match protocol directconnect
match protocol edonkey
match protocol gnutella
match protocol napster
match protocol kazaa2

Those are all the obvious protocols I found; I could add NNTP, FTP or HTTP if I wanted to.

The next step is the policy:

policy-map P2P
class P2P
set ip dscp 1

That tells the P2P traffic to have DSCP 1 set, so the access list picks it up and drops the packets.
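To make the first-match behaviour of the scheme above concrete, here is a small Python model of it. This is an added example, not code from the post or from Cisco: it parses the post’s access-list lines (the subset of numbered-ACL syntax used there), applies the policy-map’s DSCP 1 marking to flows NBAR would classify as one of the class-map P2P protocols, and then evaluates packets against the list in the order the post describes (mark, then the inbound ACL), with IOS’s implicit deny at the end. The 192.168.0.0/24 addresses stand in for the post’s elided “192.168.x” octet, and the sample packets are constructed.

```python
"""Model of the post's ACL + NBAR-marking scheme (added example, not the post's code).

Constructed values: 192.168.0.0/24 stands in for the post's elided "192.168.x"
octet and the sample packets are invented. The parser covers only the subset
of numbered-ACL syntax the post uses.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# NBAR protocol names matched by the post's class-map P2P.
P2P_PROTOCOLS = {"bittorrent", "directconnect", "edonkey",
                 "gnutella", "napster", "kazaa2"}
# IOS accepts service names after 'eq'; only a few are listed here.
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "ssh": 22}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    dscp: int = 0
    app: str = ""         # what NBAR classified the flow as ("" = unknown)

@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every IP protocol
    src: object           # ip_network
    dst: object           # ip_network
    dport: Optional[int]  # set by 'eq PORT'
    dscp: Optional[int]   # set by 'dscp N'

def _parse_addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    # A wildcard mask is an inverted subnet mask: 0.0.0.255 -> /24.
    wildcard = tokens.pop(0)
    ones = sum(bin(int(octet)).count("1") for octet in wildcard.split("."))
    return ip_network(f"{tok}/{32 - ones}", strict=False)

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT] [dscp N]'."""
    tokens = line.split("<")[0].split()   # drop the post's '<- ...' annotations
    if tokens[0] != "access-list":
        raise ValueError(f"not a numbered ACL line: {line!r}")
    action, proto, tokens = tokens[2], tokens[3], tokens[4:]
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    dport = dscp = None
    while tokens:
        key, val = tokens.pop(0), tokens.pop(0)
        if key == "eq":
            dport = PORT_NAMES.get(val) or int(val)
        elif key == "dscp":
            dscp = int(val)
    return Ace(action, proto, src, dst, dport, dscp)

def matches(ace, pkt):
    """Every qualifier present on the entry must match the packet."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ace.src or ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return ace.dscp is None or pkt.dscp == ace.dscp

def mark_p2p(pkt):
    """policy-map P2P / class P2P / set ip dscp 1."""
    return replace(pkt, dscp=1) if pkt.app in P2P_PROTOCOLS else pkt

def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"

def filter_lan_ingress(acl, pkt):
    """Order the post describes: mark P2P, then apply 'ip access-group 100 in'."""
    return evaluate(acl, mark_p2p(pkt))

ACL_100 = [parse_ace(l) for l in """
access-list 100 permit ip host 192.168.0.4 any
access-list 100 permit ip host 192.168.0.3 any
access-list 100 permit ip host 192.168.0.2 any
access-list 100 deny   ip any any dscp 1
access-list 100 deny   tcp any any eq smtp
access-list 100 permit ip any any
""".strip().splitlines()]

def demo():
    """Constructed packets: the server (.3), the owner's PC (.4) and an infected guest (.50)."""
    cases = {
        "server relays mail": Packet("192.168.0.3", "203.0.113.25", "tcp", 25),
        "guest direct smtp":  Packet("192.168.0.50", "203.0.113.25", "tcp", 25),
        "guest bittorrent":   Packet("192.168.0.50", "198.51.100.9", "tcp", 6881, app="bittorrent"),
        "guest web":          Packet("192.168.0.50", "198.51.100.9", "tcp", 80, app="http"),
        "owner bittorrent":   Packet("192.168.0.4", "198.51.100.9", "tcp", 6881, app="bittorrent"),
    }
    return {name: filter_lan_ingress(ACL_100, pkt) for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

Two things the model makes visible that the list alone does not: because the host permits come first, the owner’s own bittorrent flow is permitted even though it carries DSCP 1, so line order is doing real work; and any packet that falls off the end of a real IOS ACL is dropped, which is why the final `permit ip any any` is needed. Note also that on a real router the policy-map only marks anything once it has been attached to the interface with `service-policy input P2P`, which the post does not show.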

There’s also some QoS config in there to give VoIP, RTP, SMTP and SSH traffic priority above all other traffic; it works great.

I find myself very happy with the Cisco router – they aren’t the cheapest, but they can accomplish much the same as, if not more than, a Linux box setup (I was previously happy with my Tomato and DD-WRT setups, but the Cisco is just a tad more beefed up).
