Internet Router ACLs -- Recommendations for Transit ACLs

There are various blog entries and RFCs that provide information on transit Internet traffic that should be blocked with ACLs on an Internet router. Yet, I’ve found that they only cover a subset of what should be blocked. The access control lists (ACLs) below have a more comprehensive list of the IP traffic that I’ve blocked along with explanations about why.

The example ACLs are applicable to a scenario where an organization has an Internet-facing router in front of a firewall. Such a router can support routing protocols or interface types that your firewall may not support. In such instances, it is very useful to leverage the packet filtering on the router to take some of the burden off of the firewall and provide a first level of security.

The purpose is to block traffic that should never arrive from the Internet in the first place, such as packets with spoofed source addresses. Let the router handle the basic filtering so that the firewall can concentrate on the hard stuff.

Keep in mind that you probably don’t want to update Internet router ACLs too often. You just want high-level rules that will stay fairly constant. To this end, the listing below provides example ACLs using Cisco IOS syntax. These are interface ACLs (iACLs), the traditional type of ACL that most Cisco routers support; they are applied to individual interfaces in a given direction.

The example ACLs are named by the interface they should be applied to and with the direction. For instance, the OUTSIDE_ACL_IN should be applied to the outside interface on the inbound direction. A good rule of thumb for ACL rules is that <permit> rules should specify an IP address or range. It is typically unnecessary to use <any any> (any source address going to any destination address) for <permit> rules.

For the sample rules, <My IP Subnet> refers to your organization’s public IP addresses, for which you may have multiple entries. <My Service Provider Subnet> refers to the separate IP addresses you may have for your outside interface connection to your service provider. The lines that begin with an exclamation <!> are comments that will not be part of the configuration.

Internet Router ACL Examples

! This ACL gets applied to the Inside interface that would connect to your firewall
! It ensures that traffic coming from your organization matches your Public IP range
! Applying this rule is good 'netiquette' (i.e. network etiquette)
ip access-list extended INSIDE_ACL_IN
remark Only allow your own public IP address ranges to enter your router out to the Internet
permit ip [My IP Subnet] [My Wildcard Mask, e.g. 0.0.0.255] any
deny ip any any log

--------------------------------------------

! This ACL gets applied to the Outside interface that would connect to your Internet provider
! Entries are evaluated top to bottom and the first match wins, so the order below matters
ip access-list extended OUTSIDE_ACL_IN
remark RFC 1918, 3330 and 3704 Filter non-public subnets
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
remark RFC 2827 Filter Spoofed Addresses
deny ip host 0.0.0.0 any
deny ip host 255.255.255.255 any
! your organization may have multiple IP subnets and require multiple lines like in this example
deny ip [My IP Subnet] [My Wildcard Mask, e.g. 0.0.0.255] any
remark Cisco Recommended DoS Filtering
! IP protocol numbers 53 (SWIPE), 55 (IP Mobility) and 77 (Sun ND) have no legitimate use from the Internet
deny 53 any any
deny 55 any any
deny 77 any any
deny pim any any
remark Block unused routing protocols. Don't block the routing protocol(s) that are used
! The same applies to the tunnel protocols (ipinip, gre) at the end of this group: leave them out if you run such tunnels
deny tcp any any eq bgp
deny tcp any eq bgp any
deny ospf any any
deny udp any eq rip any
deny udp any any eq rip
deny eigrp any any
deny ipinip any any
deny gre any any
remark Worm and Virus Filtering of ports that are not typically allowed from Internet
! If your security policy prohibits Internet access to protocols like SNMP, CIFS and SQL, then block them.
deny tcp any any eq 0 log-input
deny udp any any eq 0 log-input
deny tcp any any range 135 139
deny udp any any range 135 139
deny udp any any eq snmp
deny udp any any eq snmptrap
deny tcp any any eq 445
deny udp any any eq 445
deny tcp any any eq 901
deny udp any any eq 901
deny tcp any any eq 1080
deny udp any any eq 1080
deny tcp any any range 1433 1434
deny udp any any range 1433 1434
deny tcp any any eq 1900
deny udp any any eq 1900
deny tcp any any eq 3389
deny udp any any eq 3389
deny tcp any any eq 5000
deny udp any any eq 5000
! There are additional higher ports that could be filtered from Trojans.
! However, these can be ever changing, and the ideal would be to have a stateful firewall
! that is blocking everything except what is explicitly permitted.
! If you are looking to explicitly block potential trojans, then you can find suggestions on
! common virus ports to block, e.g.
! https://www.sans.org/security-resources/idfaq/which-backdoors-live-on-which-ports/8/4
remark IP and ICMP Filtering (allow ICMP between redundant routers and from inside)
! If your organization has redundant routers then you'll want to allow them to talk to each other
! Note: the RFC 2827 entry above already drops anything sourced from [My IP Subnet], so the
! three permits below only take effect for router subnets that lie outside that range
permit ip [Router Inside] [Wildcard Mask, e.g. 0.0.0.7] [Router Inside] [Wildcard Mask, e.g. 0.0.0.7]
permit icmp [My IP Subnet] [Wildcard Mask, e.g. 0.0.0.255] [Router Inside] [Wildcard Mask, e.g. 0.0.0.7]
permit icmp [My IP Subnet] [Wildcard Mask, e.g. 0.0.0.255] [My IP Subnet] [Wildcard Mask, e.g. 0.0.0.255]
remark Allow particular ICMP packets to support troubleshooting and data flow integrity
permit icmp any [My IP Subnet] [Wildcard Mask, e.g. 0.0.0.255] echo-reply
permit icmp any [My IP Subnet] [Wildcard Mask, e.g. 0.0.0.255] unreachable
permit icmp any [My IP Subnet] [Wildcard Mask, e.g. 0.0.0.255] time-exceeded
permit icmp any [My IP Subnet] [Wildcard Mask, e.g. 0.0.0.255] source-quench
permit icmp any [My IP Subnet] [Wildcard Mask, e.g. 0.0.0.255] packet-too-big
deny icmp any any fragments
deny icmp any any redirect
deny icmp any any
remark Restrict Management Access to Router from Internet
deny tcp any [Router Outside Subnet] [Wildcard Mask, e.g. 0.0.0.3] eq 22 log
deny tcp any [Router Outside Subnet] [Wildcard Mask, e.g. 0.0.0.3] eq telnet log
deny tcp any [Router Outside Subnet] [Wildcard Mask, e.g. 0.0.0.3] eq www log
deny tcp any [Router Outside Subnet] [Wildcard Mask, e.g. 0.0.0.3] eq 443 log
deny tcp any [Router Inside Subnet] [Wildcard Mask, e.g. 0.0.0.3] eq 22 log
deny tcp any [Router Inside Subnet] [Wildcard Mask, e.g. 0.0.0.3] eq telnet log
deny tcp any [Router Inside Subnet] [Wildcard Mask, e.g. 0.0.0.3] eq www log
deny tcp any [Router Inside Subnet] [Wildcard Mask, e.g. 0.0.0.3] eq 443 log
remark Permit All Other Inbound Traffic to my IP Addresses
permit ip any [My IP Subnet] [My Wildcard Mask, e.g. 0.0.0.255]
deny ip any any log
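As an added example (not code from the original post), the Python below models Cisco wildcard-mask matching and sequential first-match evaluation so that a subset of OUTSIDE_ACL_IN can be dry-run against test packets before it is loaded on a router. The addresses 203.0.113.0/24 and 198.51.100.0/30 are constructed stand-ins for [My IP Subnet] and [Router Outside Subnet].

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation space), standing in for the
# [My IP Subnet] and [Router Outside Subnet] placeholders in the post.
MY_NET, MY_WC = "203.0.113.0", "0.0.0.255"
RTR_OUT, RTR_WC = "198.51.100.0", "0.0.0.3"
ANY = ("0.0.0.0", "255.255.255.255")          # 'any' = all-ones wildcard

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard (inverse) mask: a 1 bit means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

# Entry layout: (action, proto, src, src_wc, dst, dst_wc, match)
# 'match' is a destination port, an ICMP type name, or None for any.
OUTSIDE_ACL_IN = [
    ("deny",   "ip",   "10.0.0.0", "0.255.255.255", *ANY, None),  # RFC 1918
    ("deny",   "ip",   MY_NET, MY_WC, *ANY, None),        # RFC 2827 anti-spoof
    ("deny",   "tcp",  *ANY, *ANY, 3389),                 # RDP from Internet
    ("permit", "icmp", *ANY, MY_NET, MY_WC, "echo-reply"),
    ("deny",   "icmp", *ANY, *ANY, None),
    ("deny",   "tcp",  *ANY, RTR_OUT, RTR_WC, 22),        # mgmt access to router
    ("permit", "ip",   *ANY, MY_NET, MY_WC, None),        # everything else to us
    ("deny",   "ip",   *ANY, *ANY, None),                 # explicit final deny
]

def evaluate(acl, proto, src, dst, match=None):
    """Sequential first-match lookup; returns (action, entry index).
    Index len(acl) means nothing matched and IOS's implicit deny applies."""
    for i, (action, p, s, swc, d, dwc, m) in enumerate(acl):
        if p != "ip" and p != proto:          # 'ip' entries match every protocol
            continue
        if not (wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)):
            continue
        if m is not None and m != match:      # port / ICMP type qualifier
            continue
        return action, i
    return "deny", len(acl)

if __name__ == "__main__":
    # Constructed test packets: (proto, src, dst, port or ICMP type)
    for pkt in [("tcp", "10.1.2.3", "203.0.113.10", 80),        # RFC 1918 source
                ("tcp", "203.0.113.5", "203.0.113.10", 80),     # spoofed own range
                ("icmp", "192.0.2.44", "203.0.113.10", "echo-reply"),
                ("tcp", "192.0.2.44", "198.51.100.2", 22),      # SSH to router
                ("tcp", "192.0.2.44", "203.0.113.10", 443)]:    # normal inbound
        print(pkt, "->", evaluate(OUTSIDE_ACL_IN, *pkt))
```

The index in each result tells you which entry fired, which is the quickest way to spot an entry that is shadowed by an earlier one.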


Gary Landau

Gary Landau has been leading IT and information security teams for over 25 years as part of startups as well as large global organizations. He is passionate about continuously improving system reliability performance and security. Mr. Landau has an MS in Computer Science, numerous technical certifications such as CISSP and CCNP, and is one of the founding board members and past President of the LA chapter of the Cloud Security Alliance.
