Under Construction
Console
Set Terminal to ASCII
> admin
# console character ascii
If you are starting from scratch:
Under Construction
> admin
# console character ascii
These are the rules that I am using. You should review them and make any changes to suit your own network layout.
These three rules (1000-1002) reject inbound packets whose source address falls within the RFC 1918 private ranges; they are applied to the PP (WAN) interface. Rules 1010-1012 are the matching outbound set, rejecting packets whose destination is one of those ranges.
ip filter 1000 reject 10.0.0.0/8 * * * *
ip filter 1001 reject 172.16.0.0/12 * * * *
ip filter 1002 reject 192.168.0.0/16 * * * *
ip filter 1010 reject * 10.0.0.0/8 * * *
ip filter 1011 reject * 172.16.0.0/12 * * *
ip filter 1012 reject * 192.168.0.0/16 * * *
These two rules reject inbound telnet and SSH (TCP port 22) connections and are again applied to the PP interface in the inbound direction.
ip filter 1013 reject * * tcp * telnet
ip filter 1014 reject * * tcp * 22
These are some standard ports which are known to create network security issues (135 for MS-RPC, 137-139 for NetBIOS and 445 for SMB). There are probably more. These rules should be applied to the PP interface with direction in. They could also be applied to the same interface with direction out.
ip filter 1020 reject * * udp,tcp 135 *
ip filter 1021 reject * * udp,tcp * 135
ip filter 1022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 1023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 1024 reject * * udp,tcp 445 *
ip filter 1025 reject * * udp,tcp * 445
Of the following group I am at this time only using rules 3000 and 3001. Rule 3000 allows ping and traceroute (ICMP), while 3001 allows any inbound traffic that belongs to a connection initiated by an outbound packet. Rules 1030-1032 would pass IPsec (AH, ESP and IKE on UDP 500), 4000 rejects everything and 5000 passes everything.
ip filter 1030 pass * * ah,esp
ip filter 1031 pass * * udp 500 *
ip filter 1032 pass * * udp * 500
# The original line omitted the destination address field; the assumed intent is ICMP towards the LAN
ip filter 3000 pass * 192.168.0.0/16 icmp * *
ip filter 3001 pass * * established
ip filter 4000 reject * * * *
ip filter 5000 pass * * * *
These dynamic filters are applied to the PP interface in the out direction. They allow the reply packets of a session to come back into the network when the session was initiated from inside the router's network.
ip filter dynamic 100 * * ftp
ip filter dynamic 101 * * www
ip filter dynamic 102 * * domain
ip filter dynamic 103 * * smtp
ip filter dynamic 104 * * pop3
ip filter dynamic 105 * * tcp
ip filter dynamic 106 * * udp
pp select 1
# Apply inbound filters for pp
ip pp secure filter in 1000 1001 1002 1013 1014 1020 1021 1022 1023 1024 1025 3000 3001
# Apply outbound filters for pp
ip pp secure filter out 1010 1011 1012 1020 1021 1022 1023 1024 1025 5000 dynamic 100 101 102 103 104 105 106
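As an added illustration (not part of the original page or the router's firmware), the following Python evaluates constructed packets against a subset of the inbound filter list above. It assumes Yamaha's first-match semantics, that an unmatched packet is discarded, and models the "established" keyword and the port names with assumed values.

```python
import ipaddress

# Constructed subset of the page's rules. Yamaha "ip filter" fields are:
# number action src dst proto sport dport; "established" is assumed to match
# TCP packets of an already-open connection (ACK set, not a bare SYN).
RULES_TEXT = """
ip filter 1000 reject 10.0.0.0/8 * * * *
ip filter 1002 reject 192.168.0.0/16 * * * *
ip filter 1013 reject * * tcp * telnet
ip filter 1014 reject * * tcp * 22
ip filter 1024 reject * * udp,tcp 445 *
ip filter 1025 reject * * udp,tcp * 445
ip filter 3001 pass * * established
"""
# Evaluation order taken from the page's "ip pp secure filter in" line (subset).
INBOUND_ORDER = [1000, 1002, 1013, 1014, 1024, 1025, 3001]
PORT_NAMES = {"telnet": 23, "domain": 53, "www": 80, "netbios_ns": 137, "netbios_ssn": 139}

def parse_rules(text):
    rules = {}
    for line in text.strip().splitlines():
        f = line.split()
        if f[:2] != ["ip", "filter"]:
            continue
        # fields left off the end of a rule mean "*" (match anything)
        num, action, src, dst, proto, sport, dport = (f[2:] + ["*"] * 5)[:7]
        rules[int(num)] = (action, src, dst, proto, sport, dport)
    return rules
def _addr_ok(spec, addr):
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
def _port_ok(spec, port):  # spec is "*", a number, a name, or a lo-hi range
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    lo = PORT_NAMES.get(lo, lo)
    hi = PORT_NAMES.get(hi, hi) if hi else lo
    return int(lo) <= port <= int(hi)
def evaluate(rules, order, pkt):
    """First matching rule wins: returns (number, action); None means discarded."""
    for num in order:
        action, src, dst, proto, sport, dport = rules[num]
        if not (_addr_ok(src, pkt["src"]) and _addr_ok(dst, pkt["dst"])):
            continue
        if proto == "established":
            if not (pkt["proto"] == "tcp" and pkt["established"]):
                continue
        elif proto != "*" and pkt["proto"] not in proto.split(","):
            continue
        if _port_ok(sport, pkt["sport"]) and _port_ok(dport, pkt["dport"]):
            return num, action
    return None
```

Note that ordering matters: an ACK packet to port 445 is still rejected by 1025 because it is listed before the "established" pass rule 3001.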
nat descriptor masquerade static 1000 1 192.168.xx.xx tcp 32400
nat descriptor masquerade static 1000 2 192.168.xx.xx tcp 80,443
References
At Network - Dynamic Filters
RTPro - Network Security Filter
SideTech - IP Filter
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.100.2-192.168.100.191/24
Specify Gateway and Exception
dhcp scope 1 192.168.100.2-192.168.100.191/24 except 192.168.100.10 gateway 192.168.100.1
The 192.168.100.10 address will not be assigned to any DHCP client.
Specify clients' DNS Servers
dhcp scope option 1 dns=192.168.100.1,8.8.8.8,1.1.1.1
dhcp scope bind 1 192.168.100.100 ethernet [MAC Address]
dhcp scope bind 1 192.168.100.101 ethernet [MAC Address]
Under Construction
pp select 1
pp always-on on
pppoe use lan3
pp auth accept pap chap
pp auth myname USERNAME PASSWORD
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ip pp mtu 1454
ip pp intrusion detection in on reject=on
ip pp nat descriptor 1000
pp enable 1
nat descriptor type 1000 nat-masquerade
Configure the router to send log messages to a remote server.
syslog debug off
syslog info off
syslog notice on
nat descriptor log on
syslog host [XXX.XXX.XXX.XXX]
syslog facility local4
The syslog facility is set to local4. We can configure these logs to be written to a custom log file.
The dynamic filter for DNS logs an entry for every lookup, so you may want to silence it. Change the line
ip filter dynamic [num] * * domain
to
ip filter dynamic [num] * * domain syslog=off
I am running Debian / Buster with rsyslog.
cp /etc/rsyslog.conf /etc/rsyslog.conf.orig
Uncomment the following lines
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
So they become
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Then add a rule that writes the local4 facility to its own file (in /etc/rsyslog.d/ or before the catch-all rules in /etc/rsyslog.conf; the messages will also appear in /var/log/syslog unless you add a "& stop" line after the rule):
# RTX1200 Log
local4.* /var/log/rtx1200.log
systemctl enable rsyslog
systemctl restart rsyslog
If you have a firewall between the router and the logging server, you will need to allow TCP and UDP on port 514.
Create a new file called /etc/logrotate.d/rtx1200
Contents
/var/log/rtx1200.log {
daily
rotate 30
compress
ifempty
dateext
create
postrotate
# Old format
# kill -HUP `cat /var/run/syslogd.pid`
# New Debian / Buster
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
Check the output of the following two commands (-d is a dry run that only reports what would be done, -f forces an immediate rotation):
logrotate -d /etc/logrotate.d/rtx1200
logrotate -f /etc/logrotate.d/rtx1200