9 Replies Latest reply on Mar 23, 2017 5:06 PM by starfighter

    How do I block a specific IP or subnet ?

    jfoxedge New Member

      I've got a NetVanta 3450.  Pretty basic setup, with a web server and other things on the internal network.  It was originally configured with the firewall wizard, so I've got the "public" and "private" security zones set up.

      Today I had a problem with someone from the outside repeatedly submitting a form on my website attempting a SQL injection.  I know I could block him in the script for the form submission, but thought it would be easy just to add a filter rule to the router.  I found that I couldn't get that to work at all.

      In the "public" zone, I tried creating a "Filter" policy specifying the exact source IP address 113.23.8.217/255.255.255.255 and when that failed, I tried setting it to a whole subnet like 113.23.0.0/255.255.0.0.  That didn't work.

      (Each time I created a policy, I did move it to the top of the list of all my policies.)

      After that didn't work, I tried creating an "Advanced" policy, using "Discard" as the action, and specifying both the IP and the subnet in the Traffic Selector.  Not being sure, I even tried with the traffic selector set to Type "Deny" and "Permit".

      I tried creating the filters in the "Private" zone, although I'm pretty sure that's not right.

      What am I doing wrong?  How do I block a certain address from getting into my web server (or anything else for that matter)?

      Any help would be greatly appreciated.  Thanks!

        • Re: How do I block a specific IP or subnet ?
          petersjncv Visitor

          Can you post the CLI configuration of your ACLs, public policy and private policy?

          I just posted an update right when you posted your config.  I'll take a look and repost.  Thanks.

          • Re: How do I block a specific IP or subnet ?
            jfoxedge New Member

            Hopefully this is what you want.  This is the entire config.  If you need anything else, please give me some instructions on how to get it.

            !
            ! ADTRAN, Inc. OS version 17.08.03.01.E
            ! Boot ROM version 17.06.01.00
            ! Platform: NetVanta 3450, part number 1200823G1
            ! Serial number LBADTN0929AH011
            !
            !
            hostname "NV3450"
            enable password XXXXXX
            !
            clock timezone -6-Central-Time
            !
            ip subnet-zero
            ip classless
            ip routing
            !
            !
            ip domain-proxy
            !
            !
            no auto-config
            event-history on
            no logging forwarding
            logging forwarding priority-level info
            no logging email
            !
            no service password-encryption
            !
            username "administrator" password "XXXXXX"
            username "admin" password "XXXXXX"
            username "vpnuser" password "XXXXXX"
            username "remotevpn" password "XXXXXX"
            username "vpnaccess" password "XXXXXX"
            !
            !
            !
            ip firewall
            no ip firewall alg msn
            no ip firewall alg mszone
            no ip firewall alg h323
            !
            aaa on
            ftp authentication LoginUseLocalUsers
            !
            !
            aaa authentication login LoginUseTacacs group tacacs+
            aaa authentication login LoginUseRadius group radius
            aaa authentication login LoginUseLocalUsers local
            aaa authentication login LoginUseLinePass line
            !
            aaa authentication enable default enable
            !
            !
            !
            no dot11ap access-point-control
            !
            !
            !
            !
            !
            !
            !
            ip crypto
            !
            crypto ike client configuration pool RemoteCS
            !
            crypto ike policy 100
              no initiate
              respond anymode
              local-id address 10.0.0.16
              peer any
              client configuration pool RemoteCS
              attribute 1
                hash md5
                authentication pre-share
              attribute 2
                encryption 3des
                hash md5
                authentication pre-share
            !
            crypto ike remote-id fqdn 65.103.165.0 preshared-key XXXXXXXXXXXXXXX ike-policy 100 no-mode-config no-xauth
            crypto ike remote-id any preshared-key XXXXXXXXXXXXXXX ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
            !
            crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
              mode tunnel
            !
            crypto map VPN 10 ipsec-ike
              description Retail 2
              match address VPN-10-vpn-selectors
              set transform-set esp-3des-esp-md5-hmac
              ike-policy 100
            !
            !
            !
            !
            !
            no ethernet cfm
            !
            interface eth 0/1
              description Local
              ip address  10.0.0.16  255.255.0.0
              ip address  10.100.0.1  255.255.255.0  secondary
              ip address  192.168.168.1  255.255.255.0  secondary
              access-policy Private
              media-gateway ip primary
              no shutdown
            !
            !
            interface eth 0/2
              description Fiber
              ip address  XXX.XX.XXX.61  255.255.255.0
              ip address range  XXX.XX.XXX.46  XXX.XX.XXX.54  255.255.255.0  secondary
              ip address  XXX.XX.XXX.56  255.255.255.0  secondary
              ip address range  XXX.XX.XXX.58  XXX.XX.XXX.60  255.255.255.0  secondary
              access-policy Public
              crypto map VPN
              no awcp
              no shutdown
            !
            !
            !
            !
            ip access-list standard wizard-ics
              remark NAT list wizard-ics
              deny   10.0.10.0 0.0.0.255 log
              permit 10.0.5.0 0.0.0.255 log
              permit 10.0.15.0 0.0.0.255 log
              permit host 10.0.0.135 log
              permit 10.0.11.0 0.0.0.255 log
              permit 192.168.168.0 0.0.0.255 log
              deny   any
            !
            !
            ip access-list extended VPN-10-vpn-selectors
              permit ip 10.0.0.0 0.0.255.255  192.168.141.0 0.0.0.255
              permit ip 10.0.0.0 0.0.255.255  10.140.0.0 0.0.0.255
              permit ip 10.0.0.0 0.0.255.255  10.1.0.0 0.0.0.255
              permit ip 10.0.0.0 0.0.255.255  10.2.0.0 0.0.0.255
              permit ip 10.0.0.0 0.0.255.255  10.13.0.0 0.0.0.255
              permit ip 10.0.0.0 0.0.255.255  10.15.0.0 0.0.0.255
              permit ip 10.0.0.0 0.0.255.255  10.12.0.0 0.0.255.255
            !
            ip access-list extended web-acl-10
              remark .52:web -> .40 store/referee/eflyer
              permit tcp any  host XXX.XX.XXX.52 eq www   log
              permit tcp any  host XXX.XX.XXX.52 eq https   log
              permit tcp any  host XXX.XX.XXX.52 eq 2121   log
            !
            ip access-list extended web-acl-11
              remark .46/48:25 -> .9 Barracuda In
              permit tcp any  host XXX.XX.XXX.46 eq smtp   log
              permit tcp any  host XXX.XX.XXX.48 eq smtp   log
            !
            ip access-list extended web-acl-12
              remark .51:13389 ->.49 remote for Alan
              permit tcp any  host XXX.XX.XXX.51 eq 13389   log
            !
            ip access-list extended web-acl-13
              remark .51:22600 -> .252 Camera Server
              permit tcp any  host XXX.XX.XXX.51 range 22600 22620   log
              permit udp any  host XXX.XX.XXX.51 range 22600 22620    log
            !
            ip access-list extended web-acl-14
              remark .51:13289 -> .34 Jill Remote Access
              permit tcp any  host XXX.XX.XXX.51 eq 13289   log
            !
            ip access-list extended web-acl-16
              remark Email Outbound
              deny   ip host 10.0.0.12  any     log
              deny   ip host 10.0.0.26  any     log
              permit ip host 10.0.0.35  any     log
              permit ip host 10.0.0.11  any     log
            !
            ip access-list extended web-acl-17
              remark ArgoRelay Out
              permit ip host 10.0.0.2  any     log
            !
            ip access-list extended web-acl-18
              remark .59:XXXXX ->.28  Into My PC
              permit tcp any  host XXX.XX.XXX.59 eq XXXXX   log
            !
            ip access-list extended web-acl-19
              remark .53:80 -> .38 Eflyer Redirect  ADDED
              permit tcp any  host XXX.XX.XXX.53 eq www   log
            !
            ip access-list extended web-acl-20
              remark Exchange Outbound
              permit ip host 10.0.0.12  any     log
              permit ip host 10.0.0.26  any     log
              permit ip host 10.0.5.20  any     log
              permit ip 10.0.85.0 0.0.0.255  any     log
              permit ip host 10.0.11.172  any     log
              permit ip host 10.0.11.173  any     log
              permit ip host 10.0.11.180  any     log
              permit ip host 10.0.11.181  any     log
            !
            ip access-list extended web-acl-21
              remark .60:80 -> 11.172 Ex2003 FE
              permit tcp any  host XXX.XX.XXX.60 eq www   log
              permit tcp any  host XXX.XX.XXX.60 eq https   log
              permit tcp any  host XXX.XX.XXX.60 eq pop3   log
              permit tcp any  host XXX.XX.XXX.60 eq 143   log
            !
            ip access-list extended web-acl-22
              remark .46:9925 -> .5.101 Open SMTP
              permit tcp any  host XXX.XX.XXX.46 eq 9925   log
              deny   tcp any  host XXX.XX.XXX.46 eq 465   log
            !
            ip access-list extended web-acl-23
              remark .47:web -> .11.180 Exch MOBILE
              permit tcp any  host XXX.XX.XXX.47 eq www   log
              permit tcp any  host XXX.XX.XXX.47 eq https   log
              permit tcp any  host XXX.XX.XXX.47 eq 143   log
              permit tcp any  host XXX.XX.XXX.47 eq pop3   log
            !
            ip access-list extended web-acl-24
              remark .51:13391 ->.7.10 remote for Island
              permit tcp any  host XXX.XX.XXX.51 eq 13391   log
            !
            ip access-list extended web-acl-26
              remark Allow 80 & 443 On 10.0.10.x Wkstns
              permit tcp 10.0.10.0 0.0.0.255  any eq www   log
              permit tcp 10.0.10.0 0.0.0.255  any eq https   log
              permit tcp 10.0.10.0 0.0.0.255  any eq 2525   log
            !
            ip access-list extended web-acl-27
              remark IT out on .52
              permit ip 10.0.11.0 0.0.0.255  any     log
              permit ip host 10.0.188.231  any     log
              permit ip host 10.0.0.231  any     log
              permit ip 10.100.0.0 0.0.0.255  any     log
              permit ip host 10.0.0.9  any     log
              permit ip host 10.0.0.6  any     log
              permit ip 10.0.85.0 0.0.0.255  any     log
              permit tcp host 10.0.0.32  any    log
              permit ip host 10.0.7.10  any     log
              permit ip host 10.0.0.223  any     log
              permit ip host 10.0.0.31  any     log
            !
            ip access-list extended web-acl-28
              remark .51:13988 -> .244 Phil Remote
              permit tcp any  host XXX.XX.XXX.51 eq 13988   log
            !
            ip access-list extended web-acl-29
              remark .59 BRYAN STT into MAS
              deny   tcp any  host XXX.XX.XXX.59 eq 13389   log
            !
            ip access-list extended web-acl-30
              remark Kill Hack Attempt
              permit ip host 113.23.8.217  any
            !
            ip access-list extended web-acl-31
              remark Hacks
              permit ip 212.92.0.0 0.0.255.255  any
            !
            ip access-list extended web-acl-32
              remark .46 -> 11.172 WEBMAIL 03CAS
              permit tcp any  host XXX.XX.XXX.46 eq www   log
              permit tcp any  host XXX.XX.XXX.46 eq https   log
              permit tcp any  host XXX.XX.XXX.46 eq 143   log
              permit tcp any  host XXX.XX.XXX.46 eq pop3   log
            !
            ip access-list extended web-acl-33
              remark CS .59 Inbound
              deny   tcp any  host XXX.XX.XXX.59 eq www   log
              permit tcp any  host XXX.XX.XXX.59 range 29000 29050   log
              permit udp any  host XXX.XX.XXX.59 range 29000 29050    log
            !
            ip access-list extended web-acl-34
              remark CS .59 out
              permit ip host 10.0.85.170  any     log
            !
            ip access-list extended web-acl-35
              remark E-Vault Outbound
              permit tcp any  any eq 2547   log
              permit tcp any  any eq 12547   log
              permit tcp any  any eq 2546   log
              permit tcp any  any eq 807   log
              permit tcp any  any range 8086 8089   log
              permit tcp any  any eq 9997   log
            !
            ip access-list extended web-acl-37
              remark NamesNumbersForm
              permit ip 96.47.224.0 0.0.0.255  any
            !
            ip access-list extended web-acl-39
              remark NamesNumsProblem
              deny   ip host 113.23.8.217  any     log
            !
            ip access-list extended web-acl-40
              remark NameNumHck
              permit ip 113.23.0.0 0.0.255.255  any
            !
            ip access-list extended web-acl-43
              remark IP Phone PF
              permit ip any  host XXX.XX.XXX.58     log
            !
            ip access-list extended web-acl-45
              remark .54 -> .37 image.TGE.com
              permit tcp any  host XXX.XX.XXX.54 eq www   log
            !
            ip access-list extended web-acl-47
              remark Cell Relay Outbound
              permit ip host 10.0.5.101  any     log
            !
            ip access-list extended web-acl-5
              remark .46:80,143 -> .12 Email  WEBMAIL
              permit tcp any  host XXX.XX.XXX.46 eq www   log
              permit tcp any  host XXX.XX.XXX.46 eq 143   log
              permit tcp any  host XXX.XX.XXX.46 eq pop3   log
            !
            ip access-list extended web-acl-6
              remark .48:53 -> .251 DNS -> VServer
              permit tcp any  host XXX.XX.XXX.48 eq domain   log
              permit udp any  host XXX.XX.XXX.48 eq domain    log
            !
            ip access-list extended web-acl-7
              remark .49:80,443,21 -> .35 Mainweb - www.XXX.com
              permit tcp any  host XXX.XX.XXX.49 eq www   log
              permit tcp any  host XXX.XX.XXX.49 eq https   log
              permit tcp any  host XXX.XX.XXX.49 eq 2121   log
            !
            ip access-list extended web-acl-8
              remark .50:80 -> .36 art/designs/remote
              permit tcp any  host XXX.XX.XXX.50 eq www   log
              permit tcp any  host XXX.XX.XXX.50 eq 2121   log
            !
            ip access-list extended web-acl-9
              remark .51:80,443 -> .39 XXXX.com
              permit tcp any  host XXX.XX.XXX.51 eq www   log
              permit tcp any  host XXX.XX.XXX.51 eq https   log
            !
            !
            ip policy-class Private
              discard list web-acl-40
              allow list VPN-10-vpn-selectors stateless
              nat source list web-acl-47 address XXX.XX.XXX.59 overload
              nat source list web-acl-35 address XXX.XX.XXX.52 overload
              nat source list web-acl-20 address XXX.XX.XXX.48 overload
              nat source list web-acl-27 address XXX.XX.XXX.52 overload
              nat source list web-acl-34 address XXX.XX.XXX.59 overload
              nat source list web-acl-16 address XXX.XX.XXX.46 overload
              nat source list web-acl-17 address XXX.XX.XXX.46 overload
              nat source list web-acl-26 address XXX.XX.XXX.51 overload
              nat source list wizard-ics address XXX.XX.XXX.51 overload
            !
            ip policy-class Public
              discard list web-acl-39
              discard list web-acl-30
              discard list web-acl-37
              discard list web-acl-31
              allow reverse list VPN-10-vpn-selectors stateless
              nat destination list web-acl-19 address 10.0.0.40
              nat destination list web-acl-32 address 10.0.11.180
              nat destination list web-acl-5 address 10.0.0.12
              nat destination list web-acl-6 address 10.0.0.11
              nat destination list web-acl-7 address 10.0.0.35
              nat destination list web-acl-8 address 10.0.0.36
              nat destination list web-acl-9 address 10.0.0.39
              nat destination list web-acl-10 address 10.0.0.40
              nat destination list web-acl-11 address 10.0.0.9
              nat destination list web-acl-12 address 10.0.10.35 port 3389
              nat destination list web-acl-13 address 10.0.0.252
              nat destination list web-acl-14 address 10.0.0.34 port 3389
              nat destination list web-acl-18 address 10.0.11.28 port 3389
              nat destination list web-acl-21 address 10.0.11.172
              nat destination list web-acl-22 address 10.0.5.101
              nat destination list web-acl-23 address 10.0.11.180
              nat destination list web-acl-24 address 10.0.7.10 port 3389
              nat destination list web-acl-28 address 10.0.0.244 port 3389
              nat destination list web-acl-29 address 10.0.188.231 port 5900
              nat destination list web-acl-33 address 10.0.85.170
              nat destination list web-acl-43 address 10.0.0.233
              nat destination list web-acl-45 address 10.0.0.37
            !
            !
            !
            ip route 0.0.0.0 0.0.0.0 XXX.XX.XXX.1
            !
            no ip tftp server
            no ip tftp server overwrite
            ip http authentication LoginUseLocalUsers
            ip http server
            ip http secure-server
            no ip snmp agent
            no ip ftp server
            ip ftp server default-filesystem flash
            no ip scp server
            no ip sntp server
            !
            !
            !
            !
            !
            !
            line con 0
              login authentication LoginUseLinePass
            !
            line telnet 0 4
              login authentication LoginUseLinePass
              password XXXXXX
              no shutdown
            line ssh 0 4
              login authentication LoginUseLocalUsers
              no shutdown
            !
            !
            !
            !
            !

              • Re: How do I block a specific IP or subnet ?
                petersjncv Visitor

                Your ACLs are correct.  I believe you need to simply apply the lists to "self" in the policy.  Applying "self" should "Discard packets permitted by ACL and destined for any local interface".

                ip policy-class Public
                  discard list web-acl-39 self
                  discard list web-acl-30 self
                  discard list web-acl-37 self
                  discard list web-acl-31 self
                  allow reverse list VPN-10-vpn-selectors stateless
                  nat destination list web-acl-19 address 10.0.0.40
                  nat destination list web-acl-32 address 10.0.11.180

              • Re: How do I block a specific IP or subnet ?
                jfoxedge New Member

                petersjncv, thanks for all the help so far.  Your information has been helpful, and allowed me to do some more testing, and I have learned some new things regarding this.  The problem is not completely solved yet, in part because my understanding of the problem was not exactly correct.

                I did set the "Destination Security Zone" to "Self Bound", and it worked.  The IP was blocked.  However, switching it back to "Any Security Zone" also effectively blocked the remote IP.  (This is all in the "Advanced" policy.)  So I went back, and set up just a simple "Filter" policy, and that as well worked (blocked the IP).  It appears that all the things I thought were not working when I made this post are, in fact, working correctly.

                Digging into this further, from the remote IP, with it not being blocked, I open Internet Explorer and open a website that is internal to my network.  Page comes up fine.

                Next I add a normal "Filter" policy to my Public security zone.  From the remote IP, I can click links and continue to browse around the website on my internal network, so it appears that the specified IP is NOT being blocked/filtered.

                However, if at the remote IP I happen to click a link that opens a new browser window, then the connection is lost and IE says "can't display the page" and I find I can no longer get to the site through the NetVanta.

                I have confirmed that this behavior is not due to browser cache or anything else on the client side.  I've also confirmed that the behavior is the same whether I use a "filter" policy, or an "advanced" policy with destination set to "Any" or "self".

                Once IE makes a connection through the NetVanta, it appears to be able to keep that connection alive even though a filter is added in the NetVanta for that remote IP.

                This also explains the reason I made the original post.  The person/script attempting to hack one of our sites was able to keep the connection alive, so even though I had created filters in various ways, they were able to maintain their connection through the firewall.

                So my original question, had I known this, should have been something more like "How do I stop an active intrusion attempt from a remote IP at the time it's going on?".  Or maybe "How do I stop an active connection through my router?".  I don't know the right way to ask, but I hope this makes sense; it would be good to know how to do this.

                Thanks!

                  • Re: How do I block a specific IP or subnet ?
                    petersjncv Visitor

                    That sounds more like an open connection issue.  When you create firewall rules or policies, the new rules do not affect connections that are already open through the firewall.  An open TCP connection on port 80 (http) would stay open until the connection itself times out (10 minutes by default on Adtran) or the connections are reset.  Thus when you click a link to open a new page, this creates a new connection that is blocked by the now-in-place rule, but the open connection from the original page remains.

                    If you go to Security->Dashboard, you can see statistics for open connections.  You should be able to manually reset your open connections after you change a rule, but I don't see where to do it in the GUI.  I don't typically use the GUI, but in the CLI you can issue "clear ip policy-sessions" and it will reset any connections open through the router.
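The two mechanics this thread turns on can be modelled in a few dozen lines: an AOS-style `discard list <acl>` entry acts on packets the ACL *permits* (petersjncv's quoted description), and a stateful firewall consults its policy only for packets that do not already belong to an open session, which is why a new rule does nothing to an established connection until the sessions are cleared. The following is an added example written for this thread, not Adtran code and not anything the posters ran; the policy evaluation, session table, the web server address `198.51.100.52` (standing in for the redacted public address) and the port numbers are constructed assumptions. It replays the thread's sequence with the attacker address quoted in the original post and also shows why an ACL built from a `deny` entry (the web-acl-39 style) matches nothing when used in a discard list, while the `permit` form (web-acl-30 and web-acl-40 style) is what a discard entry acts on.

```python
"""Toy model of AOS-style ACL + policy-class evaluation behind a stateful session
table. Constructed example for the thread above; not Adtran code."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard(addr: str, wild: str) -> ipaddress.IPv4Network:
    """Turn an AOS 'address wildcard' pair into a network (assumes a contiguous
    wildcard), e.g. wildcard('113.23.0.0', '0.0.255.255') -> 113.23.0.0/16."""
    host_bits = int(ipaddress.IPv4Address(wild)).bit_length()
    return ipaddress.IPv4Network((addr, 32 - host_bits), strict=False)


def host(addr: str) -> ipaddress.IPv4Network:
    """The 'host X' form: a /32."""
    return ipaddress.IPv4Network(addr + "/32")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches tcp and udp alike
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None: any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ipaddress.IPv4Address(p.src) in self.src
                and ipaddress.IPv4Address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def acl_permits(entries: list, p: Packet) -> bool:
    """First matching entry wins; an ACL with no matching entry permits nothing."""
    for e in entries:
        if e.matches(p):
            return e.action == "permit"
    return False


class PolicyClass:
    """Ordered ('discard' | 'allow', acl) entries. Traffic matching no entry is
    discarded, which is the assumed default for the Public zone."""
    def __init__(self) -> None:
        self.entries: list = []

    def add_first(self, action: str, acl: list) -> None:
        self.entries.insert(0, (action, acl))   # the poster moved new rules to the top

    def decide(self, p: Packet) -> str:
        for action, acl in self.entries:
            if acl_permits(acl, p):            # a 'deny' entry simply fails to match
                return action
        return "discard"


class Firewall:
    """Stateful wrapper: a packet on an already-open session skips the policy."""
    def __init__(self, policy: PolicyClass) -> None:
        self.policy = policy
        self.sessions: set = set()

    def forward(self, p: Packet) -> bool:
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        if key in self.sessions:
            return True                         # open session: rules are not re-checked
        if self.policy.decide(p) == "discard":
            return False
        self.sessions.add(key)                  # policy allowed a new connection
        return True

    def clear_sessions(self) -> None:
        """Model of 'clear ip policy-sessions' from the last reply."""
        self.sessions.clear()


def demo() -> dict:
    """Replay the thread: open a session, add discard rules, observe, clear."""
    WEB = "198.51.100.52"   # constructed stand-in for the redacted web server address
    public = PolicyClass()
    public.add_first("allow", [AclEntry("permit", "tcp", ANY, host(WEB), 80)])
    fw = Firewall(public)

    first = Packet("tcp", "113.23.8.217", WEB, 51000, 80)
    opened = fw.forward(first)                  # nothing blocks it yet

    # web-acl-39 style: a 'deny' entry in a discard list discards nothing
    public.add_first("discard", [AclEntry("deny", "ip", host("113.23.8.217"), ANY)])
    deny_passes = fw.forward(Packet("tcp", "113.23.8.217", WEB, 51001, 80))

    # web-acl-40 style: a 'permit' entry is what a discard list acts on
    public.add_first("discard",
                     [AclEntry("permit", "ip", wildcard("113.23.0.0", "0.0.255.255"), ANY)])
    same_session = fw.forward(first)            # existing session survives the new rule
    new_window = fw.forward(Packet("tcp", "113.23.8.217", WEB, 51002, 80))

    fw.clear_sessions()                         # now the old session is re-evaluated
    after_clear = fw.forward(first)
    return dict(opened=opened, deny_acl_blocks_nothing=deny_passes,
                existing_session_survives=same_session,
                new_connection_blocked=not new_window,
                blocked_after_clear=not after_clear)


if __name__ == "__main__":
    print(demo())
```

Every key in the returned dict comes out `True`: the session opened before the rule keeps passing, the new connection (the "new browser window" in the thread) is discarded, and only `clear_sessions()` makes the original session fall under the rule. The model also makes the ACL-direction point visible: a `deny`-only ACL never triggers a discard entry, so the blocking rules that work are the ones whose ACLs `permit` the unwanted source.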