ACL [SOLVED]

Hello-

Can someone help me with an ACL please? Here’s what I have on a Cisco router and I’d like to duplicate the functionality on Vyos.

ip access-list extended allow_sip
permit ip host x.x.x.x any
permit ip host x.x.x.x any
permit ip host x.x.x.x any
deny tcp any any eq 5060 5080
deny udp any any eq 5060 5080
permit ip any any

interface FastEthernet0/0
ip address x.x.x.x 255.255.255.252
ip access-group allow_sip in

set firewall group network-group SIP-SERVERS network '1.1.1.1/32'
set firewall group network-group SIP-SERVERS network '2.2.2.2/32'
set firewall group network-group SIP-SERVERS network '3.3.3.3/32'

set firewall group port-group SIP-PORTS port '5060'
set firewall group port-group SIP-PORTS port '5080'

set firewall name SIP default-action 'accept'
set firewall name SIP rule 10 action 'accept'
set firewall name SIP rule 10 source group network-group 'SIP-SERVERS'
set firewall name SIP rule 20 action 'drop'
set firewall name SIP rule 20 destination group port-group 'SIP-PORTS'

set interfaces ethernet eth0 firewall in name 'SIP'

That’s just what I needed to keep the hackers out - thanks!

I implemented this and it seems that traffic other than what I want to block is being blocked.

Specifically, the SIP-SERVERS actually represent the IP addresses of VoIP users coming in from the Internet. What I’m trying to accomplish is to allow them to come in on any port, block everyone else from coming in on ports 5060 through 5080, and then allow any IP traffic. What’s happening is that RTP traffic, which comes in on ports higher than 32000, is being blocked.

Any ideas?

Most likely there is something else blocking then.

That’s what this does, though you need to add ports 5061 to 5079 to the port list if you need that whole range.

I have the ports listed this way - I assume this gets ports 5060 through 5080.
port-group SIP-PORTS {
port 5060-5080
}

When I remove the firewall from the interface, RTP works again. Here’s my firewall config:

    network-group SIP-CUSTOMERS {
        network 1.x.x.x/32
        network 2.x.x.x/32
        network 3.x.x.x/32
        network 4.x.x.x/32
        network 5.x.x.x/32
    }
    port-group SIP-PORTS {
        port 5060-5080
    }

    name SIP {
        default-action accept
        rule 10 {
            action accept
            source {
                group {
                    network-group SIP-CUSTOMERS
                }
            }
        }
        rule 20 {
            action drop
            destination {
                group {
                    port-group SIP-PORTS
                }
            }
        }
    }

    bonding bond0 {
        hash-policy layer2
        mode 802.3ad
        mtu 9000
        vif 10 {
            address x.x.x.x/27
            description VOIP-PUBLIC
            firewall {
                in {
                    name SIP
                }
            }
            vrrp {
                vrrp-group 1 {
                    advertise-interval 1
                    preempt true
                    virtual-address x.x.x.x
                }
            }
        }
    }

Can you post the output of ‘sudo iptables -L -v’ and ‘sudo ipset list’? Are you able to ping between the two sides?

bruceg@vr1:~$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
620K 115M VYATTA_PRE_FW_IN_HOOK all -- any any anywhere anywhere
620K 115M VYATTA_FW_LOCAL_HOOK all -- any any anywhere anywhere
620K 115M VYATTA_POST_FW_IN_HOOK all -- any any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3844K 777M VYATTA_PRE_FW_FWD_HOOK all -- any any anywhere anywhere
3844K 777M VYATTA_FW_IN_HOOK all -- any any anywhere anywhere
3844K 777M VYATTA_FW_OUT_HOOK all -- any any anywhere anywhere
3844K 777M VYATTA_POST_FW_FWD_HOOK all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1570K 168M VYATTA_PRE_FW_OUT_HOOK all -- any any anywhere anywhere
1570K 168M VYATTA_POST_FW_OUT_HOOK all -- any any anywhere anywhere

Chain SIP (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere /* SIP-10 */ match-set SIP-CUSTOMERS src
520 368K DROP all -- any any anywhere anywhere /* SIP-20 */ match-set SIP-PORTS dst
4212 839K RETURN all -- any any anywhere anywhere /* SIP-10000 default-action accept */

Chain VYATTA_FW_IN_HOOK (1 references)
pkts bytes target prot opt in out source destination
4732 1207K SIP all -- bond0.10 any anywhere anywhere

Chain VYATTA_FW_LOCAL_HOOK (1 references)
pkts bytes target prot opt in out source destination

Chain VYATTA_FW_OUT_HOOK (1 references)
pkts bytes target prot opt in out source destination

Chain VYATTA_POST_FW_FWD_HOOK (1 references)
pkts bytes target prot opt in out source destination
3844K 777M ACCEPT all -- any any anywhere anywhere

Chain VYATTA_POST_FW_IN_HOOK (1 references)
pkts bytes target prot opt in out source destination
620K 115M ACCEPT all -- any any anywhere anywhere

Chain VYATTA_POST_FW_OUT_HOOK (1 references)
pkts bytes target prot opt in out source destination
1570K 168M ACCEPT all -- any any anywhere anywhere

Chain VYATTA_PRE_FW_FWD_HOOK (1 references)
pkts bytes target prot opt in out source destination
3844K 777M RETURN all -- any any anywhere anywhere

Chain VYATTA_PRE_FW_IN_HOOK (1 references)
pkts bytes target prot opt in out source destination
620K 115M RETURN all -- any any anywhere anywhere

Chain VYATTA_PRE_FW_OUT_HOOK (1 references)
pkts bytes target prot opt in out source destination
1570K 168M RETURN all -- any any anywhere anywhere
bruceg@vr1:~$

bruceg@vr1:~$ sudo ipset list
Name: SIP-PORTS
Type: bitmap:port
Header: range 1-65535
Size in memory: 8280
References: 1
Members:
5060
5061
5062
5063
5064
5065
5066
5067
5068
5069
5070
5071
5072
5073
5074
5075
5076
5077
5078
5079
5080

Name: SIP-CUSTOMERS
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16896
References: 1
Members:
71.41.206.253
76.8.9.208
76.187.122.131
96.226.244.230
192.136.244.230

bruceg@vr1:~$

That all looks legit. I can’t see any reason why the other traffic would be blocked, unless it’s coming from different IPs. Do the firewall stats increment faster than you would expect when this traffic is being blocked?
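
Added example, not part of the thread or of VyOS itself: one way to check the firewall statistics asked about above is to parse one chain out of `iptables -L -v` and compare per-rule packet counters between two captures. The sample input is the SIP chain posted in this thread with its rule comments written out in full; the function names are illustrative.

```python
import re

# Constructed sample: the SIP chain from the `iptables -L -v` output in this
# thread, with the rule comments written out in full.
SNAPSHOT = """\
Chain SIP (1 references)
 pkts bytes target prot opt in out source destination
    0     0 RETURN all -- any any anywhere anywhere /* SIP-10 */ match-set SIP-CUSTOMERS src
  520  368K DROP   all -- any any anywhere anywhere /* SIP-20 */ match-set SIP-PORTS dst
 4212  839K RETURN all -- any any anywhere anywhere /* SIP-10000 default-action accept */
"""

# Without -x, iptables abbreviates large counters in powers of 1000.
UNITS = {"K": 1000, "M": 1000**2, "G": 1000**3, "T": 1000**4}

def to_int(text):
    """Expand an abbreviated counter (368K -> 368000, an approximation)."""
    if text[-1] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)

def parse_chain(output, chain):
    """Return one dict per rule (rule, target, pkts, bytes) for a single chain."""
    rules, inside = [], False
    for line in output.splitlines():
        if line.startswith("Chain "):
            inside = line.split()[1] == chain
            continue
        fields = line.split()
        if not inside or len(fields) < 9 or fields[0] == "pkts":
            continue  # other chains, blank lines, column header
        label = re.search(r"/\*\s*(\S+)", line)  # VyOS puts the rule id in the comment
        rules.append({"rule": label.group(1) if label else "?",
                      "target": fields[2],
                      "pkts": to_int(fields[0]), "bytes": to_int(fields[1])})
    return rules

def never_matched(rules):
    """Rule ids whose packet counter is still zero."""
    return [r["rule"] for r in rules if r["pkts"] == 0]

def delta(before, after):
    """Packets each rule matched between two captures of the same chain."""
    old = {r["rule"]: r["pkts"] for r in before}
    return {r["rule"]: r["pkts"] - old.get(r["rule"], 0) for r in after}

if __name__ == "__main__":
    sip = parse_chain(SNAPSHOT, "SIP")
    for r in sip:
        print(f'{r["rule"]:<10} {r["target"]:<7} {r["pkts"]:>8} pkts')
    print("zero-hit rules:", never_matched(sip))
```

Capture the output once before and once during a test call and pass both parsed chains to `delta()`; `sudo iptables -L -v -x` prints exact counters instead of the rounded K/M values.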

Yes, I thought it looked good too. I’ll check after hours re stat increment and let you know.

Looking at this again - still have the same issue. A tcpdump shows the RTP (UDP) traffic hitting my softswitch but you just can’t hear a thing. Removing the rule from the interface and all is well. Any other ideas?

For the sake of sanity, maybe set up logging on the firewall rules.

I figured it out. I had to make it a stateful firewall. Thanks for all your help. Here’s my final config:

set default-action 'drop'
set rule 10 action 'accept'
set rule 10 description 'Allow established and related traffic'
set rule 10 log 'disable'
set rule 10 state established 'enable'
set rule 10 state related 'enable'
set rule 20 action 'accept'
set rule 20 description 'Allow SIP'
set rule 20 destination port '5060-5080'
set rule 20 protocol 'tcp_udp'
set rule 20 source group network-group 'SIP-CUSTOMERS'
set rule 30 action 'accept'
set rule 30 description 'Allow SIP'
set rule 30 destination port '5060-5080'
set rule 30 protocol 'tcp_udp'
set rule 30 source group network-group 'SIP-PROVIDERS-XXX1'
set rule 40 action 'accept'
set rule 40 description 'Allow SIP'
set rule 40 destination port '5060-5080'
set rule 40 protocol 'tcp_udp'
set rule 40 source group network-group 'SIP-PROVIDERS-XXX2'
set rule 50 action 'accept'
set rule 50 description 'Allow SIP'
set rule 50 destination port '5060-5080'
set rule 50 protocol 'tcp_udp'
set rule 50 source group network-group 'SIP-PROVIDERS-XXX3'
set rule 60 action 'accept'
set rule 60 description 'Allow SIP'
set rule 60 destination port '5060-5080'
set rule 60 protocol 'tcp_udp'
set rule 60 source group network-group 'SIP-TEMP-USERS'
set rule 200 action 'accept'
set rule 200 description 'Allow RTP'
set rule 200 destination port '16384-32767'
set rule 200 protocol 'udp'
set rule 210 action 'accept'
set rule 210 description 'Allow HTTPS'
set rule 210 destination port '443'
set rule 210 protocol 'tcp'
set rule 220 action 'accept'
set rule 220 description 'Allow SSH'
set rule 220 destination port '22'
set rule 220 protocol 'tcp'

Cool, glad you got it working. Thanks for the update.
