New Contributor

How do I block a specific IP or subnet ?

I've got a NetVanta 3450.  Pretty basic setup, with a web server and other things on the internal network.  It was originally configured with the firewall wizard, so I've got the "public" and "private" security zones set up.

Today I had a problem with someone from the outside repeatedly submitting a form on my website attempting a SQL injection.  I know I could block him in the script for the form submission, but thought it would be easy just to add a filter rule to the router.  I found that I couldn't get that to work at all.

In the "public" zone, I tried creating a "Filter" policy specifying the exact source IP address 113.23.8.217/255.255.255.255 and when that failed, I tried setting to a whole subnet like 113.23.0.0/255.255.0.0.  That didn't work.

(Each time I created a policy, I did move it to the top of the list of all my policies)

After that didn't work, I tried creating an "Advanced" policy, using "Discard" as the action, and specifying both the IP and the subnet in the Traffic Selector.  Not being sure, I even tried with the traffic selector set to Type "Deny" and "Permit".

I tried creating the filters in the "Private" zone, although I'm pretty sure that's not right.

What am I doing wrong?  How do I block a certain address from getting into my web server (or anything else for that matter)?

Any help would be greatly appreciated.  Thanks!


Accepted Solutions
Contributor

Re: How do I block a specific IP or subnet ?

That sounds more like an open connection issue.  When you create firewall rules or policies, the new rules do not affect connections that are already open through the firewall.  An open TCP connection on port 80 (http) would stay open until the connection itself times out (10 minutes by default on Adtran) or the connections are reset.  Thus when you click a link to open a new page, this creates a new connection that is blocked by the now in place rule but the open connection from the original page remains.

If you go to Security->Dashboard, you can see statistics for open connections.  You should be able to manually reset your open connections after you change a rule, but I don't see where to do it in the GUI.  I don't typically use the GUI but in the CLI you can issue "clear ip policy-sessions" and it will reset any connections open through the router.

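The accepted answer above explains why a freshly added discard rule seems to do nothing for a browser session that was opened before the rule existed. The following Python is an added example, not code from the thread or from Adtran's AOS: it models a stateful firewall whose policy-class entries act on the packets their ACL permits (the "Discard packets permitted by ACL" behaviour quoted later in the thread) and whose session table bypasses the policy for established flows. The 600 s timeout, the treatment of "nat destination" as a pass action, the port numbers, and the address 192.0.2.49 (a constructed stand-in for the masked XXX.XX.XXX.49 web server) are assumptions made for the example.

```python
# Added example, not AOS code or anything posted in the thread: a toy stateful
# firewall with NetVanta-style policy-class semantics that replays the accepted answer.
# Assumed: a 600 s session timeout, "nat destination" passing traffic, and 192.0.2.49
# standing in for the masked web server address XXX.XX.XXX.49.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """ACL 'addr wildcard' pair (inverted mask such as 0.0.255.255) -> IPv4Network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def host(addr) -> ipaddress.IPv4Network:
    return wildcard_to_network(str(addr), "0.0.0.0")  # 'host X' is X with wildcard 0.0.0.0

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int

@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None = any port

Acl = List[AclEntry]
Policy = List[Tuple[str, Acl]]   # ordered (action, acl) entries of a policy-class

def acl_permits(acl: Acl, pkt: Packet) -> bool:
    """Extended ACL: the first matching entry decides; no match is an implicit deny."""
    for e in acl:
        if pkt.src in e.src and pkt.dst in e.dst and e.dport in (None, pkt.dport):
            return e.action == "permit"
    return False

def policy_allows(policy: Policy, pkt: Packet) -> bool:
    """'discard' drops what its ACL permits and any other action passes it;
    a packet no ACL permits falls through to the implicit discard at the end."""
    for action, acl in policy:
        if acl_permits(acl, pkt):
            return action != "discard"
    return False

class StatefulFirewall:
    """The policy is consulted only for the first packet of a flow; later packets
    ride the session entry until it idles out or is cleared."""
    SESSION_TIMEOUT = 600  # seconds; the answer quotes 10 minutes as the default

    def __init__(self, policy: Policy):
        self.policy = policy
        self.sessions: Dict[Tuple, float] = {}  # flow key -> time of last packet

    def process(self, pkt: Packet, now: float) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        last = self.sessions.get(key)
        if last is not None and now - last < self.SESSION_TIMEOUT:
            self.sessions[key] = now
            return "allowed (existing session)"  # rule changes are never consulted here
        self.sessions.pop(key, None)             # absent or idled out: evaluate the policy
        if policy_allows(self.policy, pkt):
            self.sessions[key] = now
            return "allowed (new session)"
        return "discarded"

    def clear_sessions(self) -> None:
        self.sessions.clear()  # model of 'clear ip policy-sessions'

WEB_SERVER = ipaddress.IPv4Address("192.0.2.49")    # constructed stand-in for .49
BAD_CLIENT = ipaddress.IPv4Address("113.23.8.217")  # address the poster wanted blocked

def build_public_policy(block_bad_client: bool) -> Policy:
    web_acl_7 = [AclEntry("permit", ANY, host(WEB_SERVER), 80)]  # permit tcp any host .49 eq www
    web_acl_30 = [AclEntry("permit", host(BAD_CLIENT), ANY)]     # remark Kill Hack Attempt
    policy: Policy = [("discard", web_acl_30)] if block_bad_client else []
    policy.append(("nat destination", web_acl_7))                # nat destination list web-acl-7
    return policy

def scenario() -> List[str]:
    """Open a flow, add the discard rule, watch the old flow survive, clear sessions."""
    fw = StatefulFirewall(build_public_policy(block_bad_client=False))
    old_flow = Packet(BAD_CLIENT, 51000, WEB_SERVER, 80)
    new_flow = Packet(BAD_CLIENT, 51001, WEB_SERVER, 80)  # a second TCP connection
    out = [fw.process(old_flow, now=0)]                     # allowed (new session)
    fw.policy = build_public_policy(block_bad_client=True)  # the filter is added
    out.append(fw.process(old_flow, now=60))                # allowed (existing session)
    out.append(fw.process(new_flow, now=61))                # discarded
    fw.clear_sessions()                                     # clear ip policy-sessions
    out.append(fw.process(old_flow, now=62))                # discarded
    return out

def deny_entry_selects_nothing() -> str:
    """A web-acl-39 style 'deny ip host X any' under 'discard list' never selects X."""
    acl_39 = [AclEntry("deny", host(BAD_CLIENT), ANY)]
    policy = [("discard", acl_39)] + build_public_policy(block_bad_client=False)
    return "allowed" if policy_allows(policy, Packet(BAD_CLIENT, 51000, WEB_SERVER, 80)) else "discarded"
```

scenario() steps through the thread: the first connection is admitted, the discard list is added, the established flow keeps passing, a new connection is refused, and only after clear_sessions() (the CLI's clear ip policy-sessions) is the old flow discarded; without the clear, the same flow would be re-evaluated only once it had idled past SESSION_TIMEOUT. deny_entry_selects_nothing() shows the related caveat: an ACL entry written as deny (the shape of web-acl-39 in the posted config) selects nothing for a discard list, so it is the permit-form entries such as web-acl-30 that actually block.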
9 Replies
Contributor

Re: How do I block a specific IP or subnet ?

Can you post the CLI configuration of your ACL's, public policy and private policy?

I just posted an update right when you posted your config.  I'll take a look and repost.  Thanks.

Message was edited by: petersjncv

New Contributor

Re: How do I block a specific IP or subnet ?

Hopefully this is what you want.  This is the entire config.  If you need anything else, please give me some instructions on how to get it.

!
! ADTRAN, Inc. OS version 17.08.03.01.E
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3450, part number 1200823G1
! Serial number LBADTN0929AH011
!
!
hostname "NV3450"
enable password XXXXXX
!
clock timezone -6-Central-Time
!
ip subnet-zero
ip classless
ip routing
!
!
ip domain-proxy
!
!
no auto-config
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "administrator" password "XXXXXX"
username "admin" password "XXXXXX"
username "vpnuser" password "XXXXXX"
username "remotevpn" password "XXXXXX"
username "vpnaccess" password "XXXXXX"
!
#
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
aaa on
ftp authentication LoginUseLocalUsers
!
!
aaa authentication login LoginUseTacacs group tacacs+
aaa authentication login LoginUseRadius group radius
aaa authentication login LoginUseLocalUsers local
aaa authentication login LoginUseLinePass line
!
aaa authentication enable default enable
!
!
!
no dot11ap access-point-control
!
!
!
!
!
!
!
ip crypto
!
crypto ike client configuration pool RemoteCS
!
crypto ike policy 100
  no initiate
  respond anymode
  local-id address 10.0.0.16
  peer any
  client configuration pool RemoteCS
  attribute 1
    hash md5
    authentication pre-share
  attribute 2
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id fqdn 65.103.165.0 preshared-key XXXXXXXXXXXXXXX ike-policy 100 no-mode-config no-xauth
crypto ike remote-id any preshared-key XXXXXXXXXXXXXXX ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Retail 2
  match address VPN-10-vpn-selectors
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
!
no ethernet cfm
interface eth 0/1
  description Local
  ip address  10.0.0.16  255.255.0.0
  ip address  10.100.0.1  255.255.255.0  secondary
  ip address  192.168.168.1  255.255.255.0  secondary
  access-policy Private
  media-gateway ip primary
  no shutdown
!
!
interface eth 0/2
  description Fiber
  ip address  XXX.XX.XXX.61  255.255.255.0
  ip address range  XXX.XX.XXX.46  XXX.XX.XXX.54  255.255.255.0  secondary
  ip address  XXX.XX.XXX.56  255.255.255.0  secondary
  ip address range  XXX.XX.XXX.58  XXX.XX.XXX.60  255.255.255.0  secondary
  access-policy Public
  crypto map VPN
  no awcp
  no shutdown
!
!
!
!
ip access-list standard wizard-ics
  remark NAT list wizard-ics
  deny   10.0.10.0 0.0.0.255 log
  permit 10.0.5.0 0.0.0.255 log
  permit 10.0.15.0 0.0.0.255 log
  permit host 10.0.0.135 log
  permit 10.0.11.0 0.0.0.255 log
  permit 192.168.168.0 0.0.0.255 log
  deny   any
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 10.0.0.0 0.0.255.255  192.168.141.0 0.0.0.255
  permit ip 10.0.0.0 0.0.255.255  10.140.0.0 0.0.0.255
  permit ip 10.0.0.0 0.0.255.255  10.1.0.0 0.0.0.255
  permit ip 10.0.0.0 0.0.255.255  10.2.0.0 0.0.0.255
  permit ip 10.0.0.0 0.0.255.255  10.13.0.0 0.0.0.255
  permit ip 10.0.0.0 0.0.255.255  10.15.0.0 0.0.0.255
  permit ip 10.0.0.0 0.0.255.255  10.12.0.0 0.0.255.255
!
ip access-list extended web-acl-10
  remark .52:web -> .40 store/referee/eflyer
  permit tcp any  host XXX.XX.XXX.52 eq www   log
  permit tcp any  host XXX.XX.XXX.52 eq https   log
  permit tcp any  host XXX.XX.XXX.52 eq 2121   log
!
ip access-list extended web-acl-11
  remark .46/48:25 -> .9 Barracuda In
  permit tcp any  host XXX.XX.XXX.46 eq smtp   log
  permit tcp any  host XXX.XX.XXX.48 eq smtp   log
!
ip access-list extended web-acl-12
  remark .51:13389 ->.49 remote for Alan
  permit tcp any  host XXX.XX.XXX.51 eq 13389   log
!
ip access-list extended web-acl-13
  remark .51:22600 -> .252 Camera Server
  permit tcp any  host XXX.XX.XXX.51 range 22600 22620   log
  permit udp any  host XXX.XX.XXX.51 range 22600 22620    log
ip access-list extended web-acl-14
  remark .51:13289 -> .34 Jill Remote Access
  permit tcp any  host XXX.XX.XXX.51 eq 13289   log
!
ip access-list extended web-acl-16
  remark Email Outbound
  deny   ip host 10.0.0.12  any     log
  deny   ip host 10.0.0.26  any     log
  permit ip host 10.0.0.35  any     log
  permit ip host 10.0.0.11  any     log
!
ip access-list extended web-acl-17
  remark ArgoRelay Out
  permit ip host 10.0.0.2  any     log
!
ip access-list extended web-acl-18
  remark .59:XXXXX ->.28  Into My PC
  permit tcp any  host XXX.XX.XXX.59 eq XXXXX   log
!
ip access-list extended web-acl-19
  remark .53:80 -> .38 Eflyer Redirect  ADDED
  permit tcp any  host XXX.XX.XXX.53 eq www   log
ip access-list extended web-acl-20
  remark Exchange Outbound
  permit ip host 10.0.0.12  any     log
  permit ip host 10.0.0.26  any     log
  permit ip host 10.0.5.20  any     log
  permit ip 10.0.85.0 0.0.0.255  any     log
  permit ip host 10.0.11.172  any     log
  permit ip host 10.0.11.173  any     log
  permit ip host 10.0.11.180  any     log
  permit ip host 10.0.11.181  any     log
!
ip access-list extended web-acl-21
  remark .60:80 -> 11.172 Ex2003 FE
  permit tcp any  host XXX.XX.XXX.60 eq www   log
  permit tcp any  host XXX.XX.XXX.60 eq https   log
  permit tcp any  host XXX.XX.XXX.60 eq pop3   log
  permit tcp any  host XXX.XX.XXX.60 eq 143   log
!
ip access-list extended web-acl-22
  remark .46:9925 -> .5.101 Open SMTP
  permit tcp any  host XXX.XX.XXX.46 eq 9925   log
  deny   tcp any  host XXX.XX.XXX.46 eq 465   log
ip access-list extended web-acl-23
  remark .47:web -> .11.180 Exch MOBILE
  permit tcp any  host XXX.XX.XXX.47 eq www   log
  permit tcp any  host XXX.XX.XXX.47 eq https   log
  permit tcp any  host XXX.XX.XXX.47 eq 143   log
  permit tcp any  host XXX.XX.XXX.47 eq pop3   log
!
ip access-list extended web-acl-24
  remark .51:13391 ->.7.10 remote for Island
  permit tcp any  host XXX.XX.XXX.51 eq 13391   log
!
ip access-list extended web-acl-26
  remark Allow 80 & 443 On 10.0.10.x Wkstns
  permit tcp 10.0.10.0 0.0.0.255  any eq www   log
  permit tcp 10.0.10.0 0.0.0.255  any eq https   log
  permit tcp 10.0.10.0 0.0.0.255  any eq 2525   log
!
ip access-list extended web-acl-27
  remark IT out on .52
  permit ip 10.0.11.0 0.0.0.255  any     log
  permit ip host 10.0.188.231  any     log
  permit ip host 10.0.0.231  any     log
  permit ip 10.100.0.0 0.0.0.255  any     log
  permit ip host 10.0.0.9  any     log
  permit ip host 10.0.0.6  any     log
  permit ip 10.0.85.0 0.0.0.255  any     log
  permit tcp host 10.0.0.32  any    log
  permit ip host 10.0.7.10  any     log
  permit ip host 10.0.0.223  any     log
  permit ip host 10.0.0.31  any     log
!
ip access-list extended web-acl-28
  remark .51:13988 -> .244 Phil Remote
  permit tcp any  host XXX.XX.XXX.51 eq 13988   log
!
ip access-list extended web-acl-29
  remark .59 BRYAN STT into MAS
  deny   tcp any  host XXX.XX.XXX.59 eq 13389   log
!
ip access-list extended web-acl-30
  remark Kill Hack Attempt
  permit ip host 113.23.8.217  any
!
ip access-list extended web-acl-31
  remark Hacks
  permit ip 212.92.0.0 0.0.255.255  any
!
ip access-list extended web-acl-32
  remark .46 -> 11.172 WEBMAIL 03CAS
  permit tcp any  host XXX.XX.XXX.46 eq www   log
  permit tcp any  host XXX.XX.XXX.46 eq https   log
  permit tcp any  host XXX.XX.XXX.46 eq 143   log
  permit tcp any  host XXX.XX.XXX.46 eq pop3   log
!
ip access-list extended web-acl-33
  remark CS .59 Inbound
  deny   tcp any  host XXX.XX.XXX.59 eq www   log
  permit tcp any  host XXX.XX.XXX.59 range 29000 29050   log
  permit udp any  host XXX.XX.XXX.59 range 29000 29050    log
!
ip access-list extended web-acl-34
  remark CS .59 out
  permit ip host 10.0.85.170  any     log
!
ip access-list extended web-acl-35
  remark E-Vault Outbound
  permit tcp any  any eq 2547   log
  permit tcp any  any eq 12547   log
  permit tcp any  any eq 2546   log
  permit tcp any  any eq 807   log
  permit tcp any  any range 8086 8089   log
  permit tcp any  any eq 9997   log
!
ip access-list extended web-acl-37
  remark NamesNumbersForm
  permit ip 96.47.224.0 0.0.0.255  any
!
ip access-list extended web-acl-39
  remark NamesNumsProblem
  deny   ip host 113.23.8.217  any     log
!
ip access-list extended web-acl-40
  remark NameNumHck
  permit ip 113.23.0.0 0.0.255.255  any
!
ip access-list extended web-acl-43
  remark IP Phone PF
  permit ip any  host XXX.XX.XXX.58     log
!
ip access-list extended web-acl-45
  remark .54 -> .37 image.TGE.com
  permit tcp any  host XXX.XX.XXX.54 eq www   log
!
ip access-list extended web-acl-47
  remark Cell Relay Outbound
  permit ip host 10.0.5.101  any     log
!
ip access-list extended web-acl-5
  remark .46:80,143 -> .12 Email  WEBMAIL
  permit tcp any  host XXX.XX.XXX.46 eq www   log
  permit tcp any  host XXX.XX.XXX.46 eq 143   log
  permit tcp any  host XXX.XX.XXX.46 eq pop3   log
!
ip access-list extended web-acl-6
  remark .48:53 -> .251 DNS -> VServer
  permit tcp any  host XXX.XX.XXX.48 eq domain   log
  permit udp any  host XXX.XX.XXX.48 eq domain    log
!
ip access-list extended web-acl-7
  remark .49:80,443,21 -> .35 Mainweb - www.XXX.com
  permit tcp any  host XXX.XX.XXX.49 eq www   log
  permit tcp any  host XXX.XX.XXX.49 eq https   log
  permit tcp any  host XXX.XX.XXX.49 eq 2121   log
!
ip access-list extended web-acl-8
  remark .50:80 -> .36 art/designs/remote
  permit tcp any  host XXX.XX.XXX.50 eq www   log
  permit tcp any  host XXX.XX.XXX.50 eq 2121   log
!
ip access-list extended web-acl-9
  remark .51:80,443 -> .39 XXXX.com
  permit tcp any  host XXX.XX.XXX.51 eq www   log
  permit tcp any  host XXX.XX.XXX.51 eq https   log
!
!
ip policy-class Private
  discard list web-acl-40
  allow list VPN-10-vpn-selectors stateless
  nat source list web-acl-47 address XXX.XX.XXX.59 overload
  nat source list web-acl-35 address XXX.XX.XXX.52 overload
  nat source list web-acl-20 address XXX.XX.XXX.48 overload
  nat source list web-acl-27 address XXX.XX.XXX.52 overload
  nat source list web-acl-34 address XXX.XX.XXX.59 overload
  nat source list web-acl-16 address XXX.XX.XXX.46 overload
  nat source list web-acl-17 address XXX.XX.XXX.46 overload
  nat source list web-acl-26 address XXX.XX.XXX.51 overload
  nat source list wizard-ics address XXX.XX.XXX.51 overload
!
ip policy-class Public
  discard list web-acl-39
  discard list web-acl-30
  discard list web-acl-37
  discard list web-acl-31
  allow reverse list VPN-10-vpn-selectors stateless
  nat destination list web-acl-19 address 10.0.0.40
  nat destination list web-acl-32 address 10.0.11.180
  nat destination list web-acl-5 address 10.0.0.12
  nat destination list web-acl-6 address 10.0.0.11
  nat destination list web-acl-7 address 10.0.0.35
  nat destination list web-acl-8 address 10.0.0.36
  nat destination list web-acl-9 address 10.0.0.39
  nat destination list web-acl-10 address 10.0.0.40
  nat destination list web-acl-11 address 10.0.0.9
  nat destination list web-acl-12 address 10.0.10.35 port 3389
  nat destination list web-acl-13 address 10.0.0.252
  nat destination list web-acl-14 address 10.0.0.34 port 3389
  nat destination list web-acl-18 address 10.0.11.28 port 3389
  nat destination list web-acl-21 address 10.0.11.172
  nat destination list web-acl-22 address 10.0.5.101
  nat destination list web-acl-23 address 10.0.11.180
  nat destination list web-acl-24 address 10.0.7.10 port 3389
  nat destination list web-acl-28 address 10.0.0.244 port 3389
  nat destination list web-acl-29 address 10.0.188.231 port 5900
  nat destination list web-acl-33 address 10.0.85.170
  nat destination list web-acl-43 address 10.0.0.233
  nat destination list web-acl-45 address 10.0.0.37
!
!
!
ip route 0.0.0.0 0.0.0.0 XXX.XX.XXX.1
!
no ip tftp server
no ip tftp server overwrite
ip http authentication LoginUseLocalUsers
ip http server
ip http secure-server
no ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
line con 0
  login authentication LoginUseLinePass
!
line telnet 0 4
  login authentication LoginUseLinePass
  password XXXXXX
  no shutdown
line ssh 0 4
  login authentication LoginUseLocalUsers
  no shutdown
!
!
!
!
!

Contributor

Re: How do I block a specific IP or subnet ?

Your ACL's are correct.  I believe you need to simply apply the lists to "self" in the policy.  Applying "self" should "Discard packets permitted by ACL and destined for any local interface". 

ip policy-class Public
  discard list web-acl-39 self
  discard list web-acl-30 self
  discard list web-acl-37 self
  discard list web-acl-31 self
  allow reverse list VPN-10-vpn-selectors stateless
  nat destination list web-acl-19 address 10.0.0.40
  nat destination list web-acl-32 address 10.0.11.180

New Contributor

Re: How do I block a specific IP or subnet ?

Any chance you can tell me how to accomplish the same thing through the GUI web-interface?  I'm not very good with using (or even understanding) the CLI.  I do everything in the GUI. 

Contributor

Re: How do I block a specific IP or subnet ?

Ok... What I think you need to do is go to Firewall -> Security Zones.  Under "Edit Security Zones", click on your Public policy.  Under the Configure policy screen, click on the name of the list you want to edit (should show as "discard list web-acl-39"... etc...).  In the next edit screen that comes up, change "Destination Security Zone" to "self bound".

Wash, rinse, and repeat for the other policies/lists you have setup.

New Contributor

Re: How do I block a specific IP or subnet ?

petersjncv, thanks for all the help so far.  Your information has been helpful, and allowed me to do some more testing, and I have learned some new things regarding this.  The problem is not completely solved yet, in part because my understanding of the problem was not exactly correct.

I did set the "Destination Security Zone" to "Self Bound", and it worked.  The IP was blocked.  However, switching it back to "Any Security Zone" also effectively blocked the remote IP.  (This is all in the "Advanced" policy).  So I went back, and set up just a simple "Filter" policy, and that as well worked (blocked the IP).  It appears that all the things I thought were not working when I made this post are, in fact, working correctly.

Digging into this further, from the remote IP, with it not being blocked, I open Internet Explorer and open a website that is internal to my network. Page comes up fine.

Next I add a normal "Filter" policy to my Public security zone.  From the remote IP, I can click links and continue to browse around the website on my internal network, which makes it appear that the specified IP is NOT being blocked/filtered.

However, if at the remote IP I happen to click a link that opens a new browser window, then the connection is lost and IE says "can't display the page" and I find I can no longer get to the site through the NetVanta.

I have confirmed that this behavior is not due to browser cache or anything else on the client side. I've also confirmed that the behavior is the same whether I use a "filter" policy, or an "advanced" policy with destination set to "Any" or "self". 

Once IE makes a connection through the NetVanta, it appears to be able to keep that connection alive even though a filter is added in the NetVanta for that remote IP.

This also explains the reason I made the original post.  The person/script attempting to hack one of our sites was able to keep the connection alive, so even though I had created filters in various ways, they were able to maintain their connection through the firewall.

So my original question, had I known this, should have been something more like "How do I stop an active intrusion attempt from a remote IP at the time it's going on?".  Or maybe "How do I stop an active connection through my router?".  I don't know the right way to ask, but I hope this makes sense; it would be good to know how to do this.

Thanks!

New Contributor

Re: How do I block a specific IP or subnet ?

Thank you! 

New Contributor

Re: How do I block a specific IP or subnet ?

If I create a firewall rule, can I just block certain IPs as well? Through the GUI or CLI?
