Configure Filters for RTX1200 Router

 Posted on July 19, 2021  (Last modified on July 23, 2021)  |  3 minutes  |  517 words  |  Bas-Man

These are the rules that I am using. You should review them and make any changes to suit you own network layout.

Static Filters

Reject inbound with these source addresses

These three items will prevent any packets covered by RFC1918. Applied to the the PP (wan) interface

ip filter 1000 reject 10.0.0.0/8 * * * *
ip filter 1001 reject 172.16.0.0/12 * * * *
ip filter 1002 reject 192.168.0.0/16 * * * *

Reject outbound with these destination addresses

ip filter 1010 reject * 10.0.0.0/8 * * *
ip filter 1011 reject * 172.16.0.0/12 * * *
ip filter 1012 reject * 192.168.0.0/16 * * *

Block telnet and ssh from outside

These two rules could be applied to the PP interface again on the inbound direction

ip filter 1013 reject * * tcp * telnet
ip filter 1014 reject * * tcp * 22

Protect ports

These are some standard ports which are known to create network security issues. There are probably more. These rules should be applied to the PP interface with direction in. They could also be applied to the same interface with direction out

ip filter 1020 reject * * udp,tcp 135 *
ip filter 1021 reject * * udp,tcp * 135
ip filter 1022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 1023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 1024 reject * * udp,tcp 445 *
ip filter 1025 reject * * udp,tcp * 445

permitted Traffic

I am at this time only use rules 3000 and 3001. 3000 allows ping and traceroute. While 3001 allows any in bound traffic that is created as part of an inital outbound packet.

ip filter 1030 pass * * ah,esp
ip filter 1031 pass * * udp 500 *
ip filter 1032 pass * * udp * 500
ip filter 3000 pass 192.168.0.0/16 icmp * *
ip filter 3001 pass * * established

Global rules

ip filter 4000 reject * * * *
ip filter 5000 pass * * * *

Dynamic Filters

Dynamic rules

These filter are applied to the pp in the out direction and allow packets to also come back into the network when initialised from within the routers network.

ip filter dynamic 100 * * ftp
ip filter dynamic 101 * * www
ip filter dynamic 102 * * domain
ip filter dynamic 103 * * smtp
ip filter dynamic 104 * * pop3
ip filter dynamic 105 * * tcp
ip filter dynamic 106 * * udp

Apply in bound filters for pp

pp select 1
# Apply inbound filters for pp
ip pp secure filter in 1000 1001 1002 1013 1014 1020 1021 1022 1023 1024 1025 3000 3001  
# Apply out bound filters for pp
ip pp secure filter out 1010 1011 1012 1020 1021 1022 1023 1024 1025 5000 dynamic 100 101 102 103 104 105 106

Port forwarding to internal

nat descriptor masquerade static 1000 1 192.168.xx.xx tcp 32400
nat descriptor masquerade static 1000 2 192.168.xx.xx tcp 80,443

References

At Network - Dynamic Filters
RTPro - Network Security Filter
SideTech - IP Filter

rtx1200  filter  port forwarding  block traffic