Configure Filters for RTX1200 Router

These are the rules that I am using. You should review them and adapt them to your own network layout.

Static Filters

Reject inbound with these source addresses

These three rules reject any inbound packet whose source address falls in the RFC 1918 private ranges; such addresses should never arrive from the internet. They are applied to the PP (WAN) interface.

ip filter 1000 reject 10.0.0.0/8 * * * *
ip filter 1001 reject 172.16.0.0/12 * * * *
ip filter 1002 reject 192.168.0.0/16 * * * *

Reject outbound with these destination addresses

ip filter 1010 reject * 10.0.0.0/8 * * *
ip filter 1011 reject * 172.16.0.0/12 * * *
ip filter 1012 reject * 192.168.0.0/16 * * *

Block telnet and ssh from outside

These two rules can also be applied to the PP interface, in the inbound direction, so that telnet (port 23) and SSH (port 22) cannot be reached from the WAN side.

ip filter 1013 reject * * tcp * telnet
ip filter 1014 reject * * tcp * 22

Protect ports

These are well-known ports that are frequently targeted and should not be reachable across the WAN: 135 (Microsoft RPC), the NetBIOS range netbios_ns to netbios_ssn (137-139) and 445 (SMB). There are probably more. These rules should be applied to the PP interface with direction in. They can also be applied to the same interface with direction out, so that internal hosts cannot reach those ports on the internet either.

ip filter 1020 reject * * udp,tcp 135 *
ip filter 1021 reject * * udp,tcp * 135
ip filter 1022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 1023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 1024 reject * * udp,tcp 445 *
ip filter 1025 reject * * udp,tcp * 445

Permitted Traffic

At this time I am only using rules 3000 and 3001. Rule 3000 allows ping and traceroute, while rule 3001 allows any inbound traffic that belongs to a connection initiated by an outbound packet (the established keyword).

ip filter 1030 pass * * ah,esp
ip filter 1031 pass * * udp 500 *
ip filter 1032 pass * * udp * 500
ip filter 3000 pass 192.168.0.0/16 icmp * *
ip filter 3001 pass * * established

Global rules

ip filter 4000 reject * * * *
ip filter 5000 pass * * * *

Dynamic Filters

Dynamic rules

These filters are applied to the PP interface in the out direction. They allow the reply packets of a connection initiated from within the router's network to come back in.

ip filter dynamic 100 * * ftp
ip filter dynamic 101 * * www
ip filter dynamic 102 * * domain
ip filter dynamic 103 * * smtp
ip filter dynamic 104 * * pop3
ip filter dynamic 105 * * tcp
ip filter dynamic 106 * * udp

Apply inbound and outbound filters to the PP interface

pp select 1
# Apply inbound filters for pp
ip pp secure filter in 1000 1001 1002 1013 1014 1020 1021 1022 1023 1024 1025 3000 3001
# Apply outbound filters for pp
ip pp secure filter out 1010 1011 1012 1020 1021 1022 1023 1024 1025 5000 dynamic 100 101 102 103 104 105 106
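The two secure filter lists above reference filters by number and the router walks each list in order, so a typo or a stale number silently changes what gets through. The following Python script is an added example, not part of the original page: it parses static, dynamic and apply lines in the syntax used here and reports numbers that are referenced but never defined, static filters (such as 1030-1032 and 4000 above) that are defined but never applied, and rules listed after a catch-all `* * * *` that can never match. The embedded config is constructed, and the script assumes first-match, left-to-right evaluation of each list.

```python
import re

# Constructed sample in this page's syntax (not a real config dump): 9999 is
# referenced but undefined, 4000 is never applied, 1013 sits behind catch-all 5000.
SAMPLE_CONFIG = """
ip filter 1000 reject 10.0.0.0/8 * * * *
ip filter 1013 reject * * tcp * 22
ip filter 3001 pass * * established
ip filter 4000 reject * * * *
ip filter 5000 pass * * * *
ip filter dynamic 100 * * ftp
ip pp secure filter in 1000 1013 3001 9999
ip pp secure filter out 5000 1013 dynamic 100
"""
STATIC_RE = re.compile(r"^ip filter (\d+) (pass|reject)\b\s*(.*)$")
DYNAMIC_RE = re.compile(r"^ip filter dynamic (\d+)\b")
APPLY_RE = re.compile(r"^ip pp secure filter (in|out) (.*)$")

def parse(config):
    """Return static {num: (action, fields)}, dynamic {num}, applied {dir: lists}."""
    static, dynamic, applied = {}, set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := DYNAMIC_RE.match(line):
            dynamic.add(int(m.group(1)))
        elif m := STATIC_RE.match(line):
            static[int(m.group(1))] = (m.group(2), m.group(3).split())
        elif m := APPLY_RE.match(line):
            toks = m.group(2).split()  # static numbers, then "dynamic" + numbers
            cut = toks.index("dynamic") if "dynamic" in toks else len(toks)
            applied[m.group(1)] = {"static": [int(t) for t in toks[:cut]],
                                   "dynamic": [int(t) for t in toks[cut + 1:]]}
    return static, dynamic, applied

def audit(config):
    """Assumes first-match, left-to-right evaluation of each secure filter list."""
    static, dynamic, applied = parse(config)
    undefined, shadowed, used = set(), [], set()
    for direction, lists in applied.items():
        undefined |= {n for n in lists["static"] if n not in static}
        undefined |= {n for n in lists["dynamic"] if n not in dynamic}
        used |= set(lists["static"])
        catch_all = None  # first rule in this list whose every field is "*"
        for n in lists["static"]:
            if catch_all is not None:
                shadowed.append((direction, n, catch_all))  # can never match
            elif n in static and all(f == "*" for f in static[n][1]):
                catch_all = n
    return {"undefined": sorted(undefined), "shadowed": shadowed,
            "unused_static": sorted(set(static) - used)}
```

Run `audit()` over the output of `show config` to check a live router; a non-empty `undefined` list means the router is applying a number that no `ip filter` line defines.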

Port forwarding to internal

nat descriptor masquerade static 1000 1 192.168.xx.xx tcp 32400
nat descriptor masquerade static 1000 2 192.168.xx.xx tcp 80,443


Configure Syslog for an RTX1200 Router

Router


Syslog Settings

Configure the router to send log messages to a remote server.

 syslog debug off
 syslog info off
 syslog notice on
 nat descriptor log on
 syslog host [XXX.XXX.XXX.XXX]
 syslog facility local4

The syslog facility is set to local4. On the server, rsyslog can match that facility and write these messages to a dedicated log file.

Stop logging DNS lookups

ip filter dynamic [num] * * domain

Change the above line to

ip filter dynamic [num] * * domain syslog=off

Linux Server


I am running Debian / Buster with rsyslog.

Backup the old config file

cp /etc/rsyslog.conf /etc/rsyslog.conf.orig

Edit the config file

Uncomment the following lines

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
 
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

So they become

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
 
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Add local4 to config file

# RTX1200 Log
local4.*     /var/log/rtx1200.log

Restart rsyslog

 systemctl enable rsyslog
 systemctl restart rsyslog

Firewall

If you have a firewall between the router and the logging server, you will need to allow TCP and UDP on port 514 from the router to the server.

Rotating your new logs

Create a new file called /etc/logrotate.d/rtx1200

Contents

/var/log/rtx1200.log {
    daily
    rotate 30
    compress
    ifempty
    dateext
    create
    postrotate
        # Old format
        # kill -HUP `cat /var/run/syslogd.pid`
        # New Debian / Buster
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

Checking and Testing

Check the output of the following two commands. The first (-d) is a dry run that only prints what logrotate would do without changing anything; the second (-f) forces a rotation so you can confirm the rotated file appears and rsyslog keeps writing to /var/log/rtx1200.log afterwards.

 logrotate -d /etc/logrotate.d/rtx1200
 logrotate -f /etc/logrotate.d/rtx1200