Hello everyone! I'm trying to configure the device in the subject line to
make my home network a bit more secure. To that end I've created some
extended ACLs, and I'd like your opinion and some advice.
First, let me explain the infrastructure.
Internet <----> Router 877 <----> LAN
I sniffed the traffic of all the applications I use and found their
respective ports, and created the ACLs accordingly:
access-list 101 remark Permette i servizi base
access-list 101 permit tcp any any eq 20 FTP
access-list 101 permit tcp any any eq 21 FTP
access-list 101 permit tcp any any eq 22 SSH
access-list 101 permit tcp any any eq 53 DNS
access-list 101 permit udp any any eq 53 DNS
access-list 101 permit tcp any any eq 80 HTTP
access-list 101 permit udp any any eq 123 NTP
access-list 101 permit tcp any any eq 139 VPN
access-list 101 permit tcp any any eq 443 HTTPS
access-list 101 permit udp any any eq 500 VPN
access-list 101 permit tcp any any eq 587 POSTA
access-list 101 permit tcp any any eq 993 POSTA
access-list 101 permit udp any any eq 1000 VPN
access-list 101 permit tcp any any eq 1863 MSN
access-list 101 permit tcp any any eq 3389 RDP
access-list 101 permit tcp any any eq 4079 VPN
access-list 101 permit udp any any eq 4500 VPN
access-list 101 permit tcp any any eq 4663 EMULE
access-list 101 permit tcp any any eq 4673 EMULE
access-list 101 permit tcp any any eq 10000 VPN
access-list 102 remark Chiude tutte le altre porte
access-list 102 deny any any
Obviously the last column is just a memo; it will have to be deleted.
Now my question: I was thinking of applying these ACLs to Dialer0 inbound.
Is that correct? Below I attach the running config.
Also, if I had to make a change (for example removing the line
"access-list 101 permit tcp any any eq 1863 MSN" from the ACL), how can I
do that without deleting the whole ACL?
Running config:
---------------------------------------------------
! Last configuration change at 13:43:20 gmt+1 Sat Oct 31 2009 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router01
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$W6/N$axxdNnWX.Yocj5w3xMg.06o0
!
no aaa new-model
memory-size iomem 25
clock timezone gmt+1 1
!
crypto pki trustpoint TP-self-signed-68720455123
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-68720455123
revocation-check none
rsakeypair TP-self-signed-68720455123
!
!
crypto pki certificate chain TP-self-signed-68720455123
certificate self-signed 01
3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
[...]
E7EBA350 23BE4315 A04F1B75 D65BCD0F 3444EBB3 361344B1 7C31FAB1
E6C87DF6 BDD9
quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.1 10.10.10.15
!
ip dhcp pool LAN
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 208.67.222.222 208.67.220.220
lease 0 12
!
ip dhcp pool STAMPANTE
host 10.10.10.4 255.255.255.0
hardware-address 0000.85c4.4048
lease infinite
!
ip dhcp pool DESKTOP
host 10.10.10.3 255.255.255.0
client-identifier 001b.fc65.ee2e
lease infinite
!
!
ip cef
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ddns update method ddns
HTTP
add
http://xxx:[email protected]/nic/updatesystem=dyndns&hostname=<h>&myip=<a>
interval maximum 0 6 0 0
!
!
!
!
!
username admin privilege 15 password 7 07022F4E5803EA4157444407
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
description Interfaccia WAN Internet - Connessione ADSL
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode ansi-dmt
hold-queue 224 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Interfaccia LAN interna - Gateway predefinito verso Internet
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
description Interfaccia virtuale - ADSL Alice
ip ddns update hostname xxx.dyndns.org
ip ddns update ddns
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp pap sent-username xxxx password 7 1108150C141704EA081726
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation icmp-timeout 1
ip nat translation max-entries 1000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 10.10.10.3 4673 interface Dialer0 4673
ip nat inside source static tcp 10.10.10.3 4663 interface Dialer0 4663
!
access-list 1 permit 10.10.10.0 0.0.0.255
!
!
!
!
control-plane
!
end
---------------------------------------------------
First of all, leaving the ACLs aside, is the config OK?
I also created the NAT for eMule:
ip nat inside source static udp 10.10.10.3 4673 interface Dialer0 4673
ip nat inside source static tcp 10.10.10.3 4663 interface Dialer0 4663
Do I need to create it for anything else too?
Thanks a lot!
Stefano
_______________________________________________
http://www.areanetworking.it
http://www.areanetworking.it/blog
[email protected]
http://ml.areanetworking.it/mailman/listinfo/cug
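An added example, not from Stefano's post or from the list, that models how IOS evaluates ACL 101 if it is applied inbound on Dialer0: a "permit tcp any any eq 80" entry matches on the destination port, so it admits new connections from the Internet to port 80 while the replies to the LAN's own web browsing (source port 80, ephemeral destination port) fall through to the implicit deny at the end of the list. The "established" variant is constructed here to show the usual way of expressing "return traffic only"; the sample packets are constructed and the parser only covers the "any any [eq PORT]" form used in the post.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src_port dst_port syn_only")  # syn_only: new TCP SYN

def parse_acl(text):
    # Handles 'access-list N permit|deny PROTO any any [eq PORT] [established]';
    # remarks are skipped and the post's trailing memo words (HTTP, VPN...) ignored.
    aces = []
    for t in (line.split() for line in text.strip().splitlines()):
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
            continue
        dst_port = int(t[7]) if len(t) > 7 and t[6] == "eq" else None
        aces.append((t[2], t[3], dst_port, "established" in t))
    return aces

def evaluate(aces, pkt):
    # First matching entry wins; no match falls through to IOS's implicit deny.
    for action, proto, dst_port, established in aces:
        if proto not in ("ip", pkt.proto) or dst_port not in (None, pkt.dst_port):
            continue
        if established and pkt.syn_only:  # 'established' requires ACK or RST set
            continue
        return action
    return "deny"

# Subset of ACL 101 as posted, memo column included.
ACL_101 = """
access-list 101 remark Permette i servizi base
access-list 101 permit tcp any any eq 80 HTTP
access-list 101 permit tcp any any eq 4663 EMULE
"""

# Hardened variant (constructed here, not from the post): only the eMule port accepts
# new inbound connections; other TCP must belong to a LAN-initiated session. UDP
# replies (DNS, NTP, VPN) would need ip inspect (CBAC) or reflexive ACLs instead.
ACL_101_HARDENED = """
access-list 101 permit tcp any any eq 4663
access-list 101 permit tcp any any established
"""

# Constructed packets as they arrive inbound on Dialer0.
SCENARIOS = {
    "unsolicited Internet connection to port 80": Packet("tcp", 51234, 80, True),
    "reply from a web server to a LAN browser": Packet("tcp", 80, 51234, False),
    "inbound eMule connection to port 4663": Packet("tcp", 40000, 4663, True),
}

def verdicts(acl_text):
    # Map each scenario to the action (permit/deny) the ACL would apply.
    return {name: evaluate(parse_acl(acl_text), pkt) for name, pkt in SCENARIOS.items()}
```

Running verdicts() on both lists shows the posted ACL permitting the unsolicited inbound connection and denying the browser's reply, while the hardened variant does the opposite.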