So far we have set up most of the functions a home user needs on the router.
This article briefly introduces how to configure access control and port mapping.
Network Security Configuration
As mentioned before, an enterprise-class router does nothing in its default configuration for security reasons, so all common ports are closed to the outside by default. This is enough for most cases.
If you want to refine the configuration further, here are some example security policies:
Access Control List (ACL)
Reject incoming packets whose source is an internal (private or reserved) address
! Anti-spoofing: a packet arriving from the WAN should never carry one of these source addresses
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
! 192.168.0.0/16 as a whole; the wildcard 0.0.0.255 would match only 192.168.0.0/24 and miss 192.168.1.0/24
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
! multicast 224.0.0.0/4 and reserved 240.0.0.0/4 (wildcard 15.255.255.255 is the /4 mask)
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip 240.0.0.0 15.255.255.255 any
Disable Microsoft File Sharing Service
access-list 100 deny tcp any any range 137 139
access-list 100 deny tcp any range 137 139 any
Deny NetBIOS requests
access-list 100 deny udp any any range netbios-ns netbios-ss
access-list 100 deny udp any range netbios-ns netbios-ss any
Prohibit the SMB protocol
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any eq 445 any
access-list 100 deny udp any any eq 445
access-list 100 deny udp any eq 445 any
Prohibit Telnet connections
access-list 100 deny tcp any any eq telnet
Allow all other traffic
access-list 100 permit ip any any
This ACL filters traffic coming in from the WAN, so apply it inbound on the Dialer interface:
interface Dialer1
 ip access-group 100 in
 exit
Controlling traffic with hand-written access lists is intuitive, but omissions are inevitable. If you do not need to run a server that is reachable from outside, you can use a reflexive ACL instead.
Whether a client browses a web page or talks to an external server through some program, the client first sends a request and then receives the server's response.
A reflexive ACL relies on this pattern:
- Router will record outgoing packets
- When receiving a data packet, determine whether it is a reply to the sent data packet, and if not, drop it.
! IN_LIST filters packets coming from the Internet toward the LAN. "evaluate" consults the
! temporary entries that OUT_LIST creates, so only replies to ICMP we sent ourselves get through.
ip access-list extended IN_LIST
 evaluate ICMP
 deny icmp any any
 permit ip any any
! OUT_LIST filters packets the LAN sends out; "reflect" records each ICMP exchange under the name ICMP.
ip access-list extended OUT_LIST
 permit icmp any any reflect ICMP
 permit ip any any
! On the LAN-side interface "in" means traffic from the hosts and "out" means traffic toward them,
! so the reflecting list goes inbound and the evaluating list goes outbound.
interface Vlan1
 ip access-group OUT_LIST in
 ip access-group IN_LIST out
! This example reflects only ICMP. To cover TCP and UDP as well, add
! "permit tcp any any reflect ICMP" and "permit udp any any reflect ICMP" to OUT_LIST
! and replace the final "permit ip any any" in IN_LIST with "deny ip any any".
A reflexive ACL drops every connection that originates from the outside world.
Driven by my interest, I decided to run a server in my home and build my own blog site.
(now I'm a fan of /r/homelab)
To make this website available to the public, I also need to set up port mapping on the router and open ports 80 (HTTP) and 443 (HTTPS).
Assuming the server's internal network IP address is 192.168.1.200:
! "interface Dialer1" binds the translation to whatever public address PPPoE assigns
ip nat inside source static tcp 192.168.1.200 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.200 443 interface Dialer1 443
Also don't forget to modify the access list so that the outside can reach the server. "host Dialer1" is not valid syntax (host takes an IP address), and since the PPPoE address is dynamic, match any destination instead:
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
Note that IOS appends new entries to the end of a numbered ACL. Access-list 100 above already ends with "permit ip any any", so these two lines only matter if you tighten that final entry to a deny, and in that case they must be placed before it to have any effect.
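Before applying a hand-written list like access-list 100, it helps to check which packets it actually permits. The following is an added Python evaluator (not from this page and not a Cisco tool) that walks a constructed excerpt of the list the way IOS does: first match wins, with an implicit deny at the end. It assumes contiguous wildcard masks and numeric port numbers.

```python
import ipaddress

# Constructed excerpt of the page's access-list 100 (applied inbound on Dialer1);
# port names written numerically (telnet = 23). First match wins, implicit deny.
ACL_100 = [
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny tcp any any range 137 139",
    "deny tcp any any eq 445",
    "deny udp any any eq 445",
    "deny tcp any any eq 23",
    "permit ip any any",
]

def _addr(tokens):
    """Pop one address spec (any | host A | A WILDCARD); return it as a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A wildcard mask is an inverted netmask (0.255.255.255 -> /8); only
    # contiguous wildcards are handled here (an assumption of this example).
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens.pop(0))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)

def _ports(tokens):
    """Pop an optional port spec (eq N | range A B); return (lo, hi) or None."""
    if tokens and tokens[0] == "eq":
        port = int(tokens[1]); del tokens[:2]; return (port, port)
    if tokens and tokens[0] == "range":
        lo, hi = int(tokens[1]), int(tokens[2]); del tokens[:3]; return (lo, hi)
    return None

def evaluate(acl, proto, src, dst, sport=0, dport=0):
    """Return 'permit' or 'deny' for one packet, walking the ACL the way IOS does."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        tokens = entry.split()
        action, p, rest = tokens[0], tokens[1], tokens[2:]
        snet, sp = _addr(rest), _ports(rest)
        dnet, dp = _addr(rest), _ports(rest)
        # "ip" entries match every protocol; addresses and ports must all match
        if (p != "ip" and p != proto) or src not in snet or dst not in dnet:
            continue
        if (sp and not sp[0] <= sport <= sp[1]) or (dp and not dp[0] <= dport <= dp[1]):
            continue
        return action
    return "deny"  # the implicit deny at the end of every IOS ACL
```

Because IOS appends to a numbered list, a server permit added after a "deny ip any any" is never reached; evaluate() returns deny for such a list, which is the ordering problem described above.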