We are taking a left turn tonight. I promise though, that we will be back on our old track soon enough. I needed a slight break from my self studies tonight since my job has me running a test gauntlet to make sure I'm ready to take an actual exam soon that my job is relying on. SO! Pressure, is what that really means. Therefore, tonight I'm going to try to explain some of my networking learning instead of continuing down the path of shell scripts and programming. Don't want to overload my own brain with more learning on top of learning so. I'm going to try teaching what I know without myself learning anything new tonight.
A small recap. 'sed' is used in Linux to modify output, or the "data stream", without actually modifying the file. We learned what the 's' means: substitution. Then we learned about some regex. With regex, we learned that \d is for a digit, while \D is "anything but a digit". In fact, we learned that most of the time, when something has a lowercase meaning and an uppercase meaning, they are opposites. Lowercase usually refers to something; uppercase usually refers to "anything but that something". Tonight though, change!
Tonight we start toward networking. I don't want to stick to just one knowledge topic with this blog so... I think this fits perfectly. I don't want to start at ground zero with networking... I think it best that we start in a middle ground. We are going to assume that, if you are reading this, you have at least some prior networking understanding. Maybe not enough to get your CCNA, but probably enough that if you studied a bit, you could get your CCENT (first half of CCNA). In fact, since what I've been learning most recently has been ACLs, I think I'll do that tonight. I know that the topic of ACLs is probably well above the CCENT but, if you're going to work toward taking your CCNA, you need to know them! So why not have a really good understanding of the basics? I'll try to help with that.
First of all, ACLs are confusing as hell. No getting around it. Assume this setup has two VLANs in use: VLAN 10 and VLAN 20. VLAN 10 is a management VLAN, while VLAN 20 is the data VLAN. What if you wanted to restrict the data VLAN from SSH'ing into any of your devices? Well... You don't have to imagine too hard, because that is a completely real thing you will need to know how to do if you are in charge of a network ANYWHERE.
For our example here:
vlan 10 network is 192.168.10.0 /24
vlan 20 network is 192.168.20.0 /24
So I'll start with what the list will look like, and then break each part down with the formula I use to remember it. If it doesn't make sense to you at the start. Trust me, it didn't to me either!
[ip access-list extended BLOCK_SSH
permit tcp 192.168.10.0 0.0.0.255 any eq 22
deny ip any any log]
Apply this to all 'vty' lines (usually 0 through 15)[line vty 0 15] that you want and you are set! And remember, an ACL ALWAYS READS DOWN, IN ORDER. "It's a first match system, not a 'best match' system."
Now first things first, you may be asking yourself... But how does that block everyone, and don't we need to allow more people at the end, since there's an implicit deny there? Well, no. Long story short, we'll get to that in due time. Let's break this down.
Step 1. [ip access-list] = You use this command at the 'config' mode to tell the router or switch that 'Hey, I will be making an access-list and I want you to save it for me.' and that's exactly what the device does.
Step 1a. [ip access-list extended] = You've got to tell the device what KIND of access list. Standard ACLs are limited, but quick and easy. Extended ACLs are more 'narrow' but complex. I know that sounds contradictory but... It's more specific when applying them, but the overall command is more complex. But for this example, we had to use 'extended' because standard doesn't offer a way to block port 22 (SSH).
Step 1b. [ip access-list extended BLOCK_SSH] = You have the option to name them with a word... I recommend this to help keep track of what you make and why you make it. Can't use spaces but you can use underscore. I use all capitals to help it 'pop out' to my eyes when looking for them in a config.
Step 2. [permit tcp] = You have to tell an ACL what to do. It'll either be permitting traffic through, or denying it. Today we chose to 'allow a certain set of guys through', so we are going to permit the specific ones and block the rest. And we chose to permit tcp because SSH operates on TCP. If we were blocking ping, SNMP, or DNS (etc..), we would need to block UDP. You have to know which protocol each service uses, so it helps to know those. (NOTE: If you choose a protocol, type the rest of the ACL line, and hit ? at the end of the command after 'eq', it will list the most common port options, which is helpful. It will show you ONLY TCP ports when you have chosen TCP and only UDP ports when UDP is selected.)
Step 2a. [permit tcp 192.168.10.0 0.0.0.255] = OK so we have said, 'Hey, we are permitting something. What, you ask? It's going to be a TCP port. OK, what do you want to permit on this TCP port? I want to permit any IP from 192.168.10.0. OK. How will I know what parts of that IP are important?! No worries man, you can use this wildcard mask 0.0.0.255...' Easy enough right? Basically, the IP network we want to specify is 192.168.10.0... How do we determine the part of that IP network that is important? Well, a wildcard mask works VERY similarly to a subnet mask. The easy way to remember it is 'opposite!'... If a /24 is NORMALLY 255.255.255.0.... The opposite would be 0.0.0.255. Just like a subnet mask reads it through as '255, got it. Pay attention here! Zero? Ignore that shit!', the wildcard mask says the opposite... 'Zero?! Man! I gotta pay attention to that! 255? Don't care!' Easy way to look at it.
Step 2b. [permit tcp 192.168.10.0 0.0.0.255 any] = Well, where is this headed? What is the destination I should be looking for? Oh, OK, they are allowed anywhere on my device or past it... Basically "If this were a block or an allow, where do you want to block or allow to?" Well, we don't care where that network is headed! It's our management network so they have free rein. They are demi-gods in our network! Muahahahahahaha! That's why we allow them anywhere they want to go. But if you so choose... You could sub in a single IP here that allows them ONLY to that IP. But for us, we want them to be able to SSH anywhere!
Step 2c. [permit tcp 192.168.10.0 0.0.0.255 any eq 22] = What TCP port did you want to block or allow again? Oh, port 22 (SSH). Got it.
Step 3. [deny ip any any log] = This can easily be explained in one step using our rules from earlier. What are you doing? Denying something. OK. (IP covers both TCP and UDP) What do you want to deny? BOTH (TCP and UDP)! OK. Got it. Who do you want to block? Anyone. Oh... Seems extreme but OK if you say so... Where do you want to block them from? Anywhere! Well now I KNOW that is very extreme, but OK... Oh, and PS, please log all people that get denied!
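To make Step 2a and Step 3 concrete, here is an added example in Python (my own code for this post, not anything from Cisco or from the original write-up) that evaluates the BLOCK_SSH list the way the device does: a 0 bit in the wildcard must match, a 1 bit is ignored, the list is read top to bottom with the first match winning, and falling off the end is the implicit deny. The ACL text and the test addresses are constructed for the example.

```python
import ipaddress

ACL_TEXT = """
permit tcp 192.168.10.0 0.0.0.255 any eq 22
deny ip any any log
"""

def to_int(a):
    return int(ipaddress.IPv4Address(a))

def wildcard_from_prefix(prefix_len):
    """Wildcard mask is the bitwise inverse of the subnet mask: /24 -> 0.0.0.255."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return str(ipaddress.IPv4Address(int(netmask) ^ 0xFFFFFFFF))

def parse_addr(tokens):
    """Consume one address spec: 'any' or 'A.B.C.D W.W.W.W' (address, wildcard)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    return (to_int(tokens[0]), to_int(tokens[1])), tokens[2:]

def parse_acl(text):
    """Turn each line into (action, proto, src, dst, port or None, log)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, rest = parse_addr(tok[2:])
        dst, rest = parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((tok[0], tok[1], src, dst, port, "log" in rest))
    return entries

def wildcard_match(addr, spec):
    """Wildcard 0 bits must equal the base address; 1 bits are 'don't care'."""
    base, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (to_int(addr) & care) == (base & care)

def evaluate(entries, proto, src, dst, dport):
    """Read top to bottom, first match wins; no match means the implicit deny."""
    for action, eproto, esrc, edst, eport, _log in entries:
        if eproto not in ("ip", proto):
            continue
        if not (wildcard_match(src, esrc) and wildcard_match(dst, edst)):
            continue
        if eport is not None and eport != dport:
            continue
        return action
    return "deny"

BLOCK_SSH = parse_acl(ACL_TEXT)
```

Note that a telnet attempt (port 23) from the management network also ends up at the deny line, because the permit only matches port 22.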
So then your list is created! Awesome. But it's just sitting there not doing anything. It's like building a car but never using it. Just building it and saying "Yes, I have all the right parts in the right order. Cool." So you apply it by putting in this:
[line vty 0 15
access-class BLOCK_SSH in]
That basically says "on the line virtual terminal (y OK I don't know what y means.... Yankees?)(Turns out The Google tells me it means Virtual TeleType, which was an old name for it)... I want you to use the access-list we created called 'BLOCK_SSH' and I want you to filter things that come IN with it..." And since you are ONLY applying it on your VTY lines and not some other interface on the device... It means 'Hey, I will ONLY check this list when people are trying to telnet or SSH in.' That means that this list will only apply to people trying to do that! Woohoo! Luckily the other requests that go in and out of our device will be left alone! So, it makes our list SO much shorter! That also means that we didn't have to put that [deny ip any any log] in there but... We did for the sake of 'logging any denied requests'. We want to see the people that try SSH'ing in and aren't allowed.
So, now that we have it all sorted out and explained... Let's try to find a short way to remember these lists instead of reading this whole page every time! (I know I wouldn't want to... This is a LOT of reading!)
ip access-list extended name (easy, ip acc ext and we do extended because it covers the standard ports too!)
permit tcp 'x.x.x.x w.w.w.w' any eq XX (easy again! read it out loud. permit or deny. permit or deny what kind of connection? 'coming from where?' headed to where? how do we match the port? equals a specific port in this case... OK... What port?)
So a short version of the permit or deny part is:
permit/deny | what | who | going where | match how | port to match
If you want to be more broad, the statements only get easier... I want to block all SSH port requests. OK. [deny tcp any any eq 22]... I want to block ALL remote connections to this device, TCP, UDP, or IP.... OK, even easier! [deny ip any any] So the broader you go, the fewer specific commands it takes to cover it, but the more things get blocked, and that is harder to fix. So be careful! But that should help you remember ACLs at least a little bit better from now on! I hope this helped at least one person understand ACLs a little bit more!
-Mitch