KB article reference no. Q10612
Version: 1.0
Keywords: KlasRouter, Access Control Lists, Firewall, Internet
The information in this article applies to:
KlasRouter v2.0
1.0 Introduction
2.0 Configuration of KlasRouter
2.1 Cable Connections
2.2 Establishing a HyperTerminal Session
2.3 Configuring ACLs
2.3.1 Adding an ACL
2.3.2 Editing an ACL
2.3.3 Deleting an ACL
Figure 1. KlasRouter ACL Example
Figure 2. Add an ACL
Figure 3. Edit an ACL
Figure 4. Delete an ACL
1.0 Introduction
Figure 1. KlasRouter ACL Example
This document describes how to configure Access Control Lists (ACLs) on KlasRouter. An ACL is a method to control the traffic allowed to pass through an interface. Each ACL is considered either “in” or “out” depending on which direction the controlled traffic is passing through the interface. If the goal is to control traffic coming from another source with KlasRouter as its destination, the ACL is considered “in”. If KlasRouter is the source of the traffic, the ACL is considered “out”.
In the example provided in Figure 1, the ACL is an “in” ACL and has been configured to deny all Telnet traffic from passing through the Ethernet WAN Interface on KlasRouter. Figure 1 will be used throughout the rest of the application note for specific configuration examples.
2.0 Configuration of KlasRouter
The following sections outline the steps needed to configure an ACL with KlasRouter.
2.1 Cable Connections
Prior to beginning, ensure the following cable connections have been properly secured:
- Power cord is plugged in and KlasRouter is on.
- Control Port Cable is connected to the PC's serial port.
- Control Port Cable is connected to the ‘Control’ port on the front of the KlasRouter.
2.2 Establishing a HyperTerminal Session
To configure the KlasRouter, you must establish a HyperTerminal Session between a PC and the KlasRouter. Follow the instructions in KlasRouter Application Note Q10601 to successfully establish a HyperTerminal Session and open the KlasRouter Main Configuration Menu.
2.3 Configuring ACLs
The following sections outline how to add, edit and delete an ACL.
2.3.1 Adding an ACL
Follow the steps below to successfully configure an ACL on KlasRouter.
1. Press ‘7’ on the KlasRouter Main Configuration Menu to enter the Advanced Configuration Menu.
2. Press ‘2’ on the Advanced Configuration Menu to enter the Access Control List Configuration Menu.
3. Enter ‘2’ on the Access Control List Configuration Menu to add an ACL.
4. Enter ‘in’ or ‘out’ depending on the direction of traffic you are filtering. In the example from Figure 1, the ACL is ‘in’. Figure 2, shown below, displays all steps necessary to add an ACL.
5. Enter ‘p’ if you want to permit a specific type of traffic or ‘d’ if you want to deny a specific type of traffic. Since the ACL from Figure 1 denies Telnet traffic, enter ‘d’ to deny traffic.
6. Enter the interface code for the interface you want to apply the ACL filter on. The ACL from Figure 1 uses the Ethernet WAN Interface, so ‘ixp1’ is entered. If you need a list of all available interfaces, press ‘?’ to view the entire list.
7. Enter the IP address and subnet mask of the source of the traffic you wish to filter. The ACL from Figure 1 denies traffic from any source attempting to Telnet into KlasRouter. Since a specific source IP address is not known, ‘0.0.0.0/0’ is entered.
8. Enter the IP address and subnet mask of the destination of the traffic you wish to filter. The ACL from Figure 1 protects the entire Ethernet LAN from Telnet traffic. Enter ‘192.168.1.0/24’, which is the network address of the Ethernet LAN.
9. Enter the IP protocol you wish to filter. For a list of commonly used protocols, enter ‘?’ to view the list. You can enter any number from 0 to 255 and KlasRouter will filter that traffic, regardless of whether it is listed as an example. The ACL from Figure 1 prevents Telnet traffic, which is a TCP application. Enter ‘6’ to filter TCP traffic.
10. If TCP or UDP is entered in Step 9, you must enter the source port you wish to filter. For a list of commonly used ports, enter ‘?’ to view the list. You can enter any number from 0 to 65535 and KlasRouter will filter traffic with that port number, regardless of whether it is listed as an example. The ACL from Figure 1 prevents Telnet traffic, which uses port 23. Enter ‘23’ to filter Telnet traffic.
11. If TCP or UDP is entered in Step 9, you must also enter the destination port you wish to filter. For a list of commonly used ports, enter ‘?’ to view the list. You can enter any number from 0 to 65535 and KlasRouter will filter traffic with that port number, regardless of whether it is listed as an example. The ACL from Figure 1 prevents Telnet traffic, which uses port 23. Enter ‘23’ to filter Telnet traffic.
```
Add ACL
-------
Enter ACL direction(in | out | 'q' to quit)>in
Enter ACL type(p - permit | d - deny | 'q' to quit)>d
Enter Interface Name ('?' for help | 'q' to quit)>ixp1
Enter Source IP Address[/Mask] ('q' to quit)>0.0.0.0/0
Enter Destination IP Address[/Mask] ('q' to quit)>192.168.1.0/24
Enter IP protocol ('?' for help |'q' to quit)>?
Enter an IP protocol number between 0 and 255 or any of the following protocol names:
ip (0)
icmp (1)
igmp (2)
ggp (3)
ipencap (4)
st (5)
tcp (6)
egp (8)
...
Enter IP protocol ('?' for help |'q' to quit)>6
Enter Source Port ('?' for help | 'q' to quit)>?
Enter a TCP or UDP port number between 0 and 65535 or any of the following service names:
tcpmux (1/tcp)
echo (7/tcp)
echo (7/udp)
…
ftp (21/tcp)
fsp (21/udp)
ssh (22/tcp)
ssh (22/udp)
telnet (23/tcp)
…
If you don't enter any port number the ACL will apply to all ports.
Enter Source Port ('?' for help | 'q' to quit)>23
Enter Destination Port ('q' to quit)>23
Activating ACL ... OK.
Press Enter to return to ACLs Configuration
```
Figure 2. Add an ACL
12. Press ‘Enter’ to return to the Access Control List Configuration Menu.
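The effect of the Source Port and Destination Port prompts can be checked with a small model of the rule. This is an added example, not KlasRouter code: it assumes a rule applies only when every entered field matches the packet (conventional packet-filter behaviour, which this article does not state), and the `Acl` class, its field names and the sample packets are constructed for illustration.

```python
# Added illustration: models the ACL fields from the Figure 2 prompts.
# Assumption: a rule applies only when every entered field matches the packet.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Acl:                        # hypothetical model, not KlasRouter code
    direction: str                # 'in' or 'out'
    action: str                   # 'p' (permit) or 'd' (deny)
    interface: str                # interface code, e.g. 'ixp1'
    src: str                      # Source IP Address[/Mask]
    dst: str                      # Destination IP Address[/Mask]
    protocol: int                 # IP protocol number, 0-255
    sport: Optional[int] = None   # None models a blank entry (all ports)
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return (
            pkt["direction"] == self.direction
            and pkt["interface"] == self.interface
            and ip_address(pkt["src"]) in ip_network(self.src)
            and ip_address(pkt["dst"]) in ip_network(self.dst)
            and pkt["protocol"] == self.protocol
            and self.sport in (None, pkt["sport"])
            and self.dport in (None, pkt["dport"])
        )

RULES = {
    # The rule exactly as entered in Figure 2.
    "figure_2": Acl("in", "d", "ixp1", "0.0.0.0/0", "192.168.1.0/24", 6, 23, 23),
    # The same rule with the Source Port prompt left blank.
    "blank_sport": Acl("in", "d", "ixp1", "0.0.0.0/0", "192.168.1.0/24", 6, None, 23),
}

# Constructed sample packets arriving on ixp1 for a LAN host's Telnet port.
_BASE = {"direction": "in", "interface": "ixp1", "src": "203.0.113.10",
         "dst": "192.168.1.20", "protocol": 6, "dport": 23}
PACKETS = {
    "ephemeral_sport": dict(_BASE, sport=49152),  # typical client source port
    "sport_23": dict(_BASE, sport=23),            # both ports equal 23
}

def report() -> dict:
    """Return {(rule, packet): matched?} for every rule/packet pair."""
    return {(r, p): RULES[r].matches(PACKETS[p]) for r in RULES for p in PACKETS}

if __name__ == "__main__":
    for (rule, packet), hit in report().items():
        print(f"{rule:12} {packet:16} {'deny' if hit else 'no match'}")
```

Under that assumption, the rule as entered matches only packets whose source port is also 23, while a Telnet client normally connects from an ephemeral source port. Leaving Source Port blank, which the prompt says applies the ACL to all ports, covers that case.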
2.3.2 Editing an ACL
1. Press ‘3’ on the Access Control List Configuration Menu to edit an ACL.
2. Enter the ACL Direction of the ACL you would like to edit. The ACL from Figure 1 filters incoming traffic. Enter ‘in’ to edit the Figure 1 ACL or enter ‘out’ to edit an outgoing ACL.
3. All ACLs of the direction entered in Step 2 are listed. Enter the number of the ACL you would like to edit. Enter ‘1’ to edit the ACL created in Section 2.3.1, as shown in Figure 3.
```
Edit ACL
----------
Enter ACL direction(in | out | 'q' to quit)>in
Inbound Rules
-------------
                  IP Address                   Port
#  Type  Source         Destination       Source/Dest.  Protocol  Interface
--------------------------------------------------------------------------------
1  D     0.0.0.0/0      192.168.1.0/24    23     23     6         ixp1
Enter number of ACL to edit ('q' to quit)>1
ACL type: Deny
Enter new ACL type(p - permit | d - deny | 'q' to quit)>d
Using current type.
```
Figure 3. Edit an ACL
4. Press ‘Enter’ to return to the Access Control List Configuration Menu.
2.3.3 Deleting an ACL
1. Press ‘4’ on the Access Control List Configuration Menu to delete an ACL.
2. Enter the ACL Direction of the ACL you would like to delete. The ACL from Figure 1 filters incoming traffic. Enter ‘in’ to delete the Figure 1 ACL or enter ‘out’ to delete an outgoing ACL.
3. All ACLs of the direction entered in Step 2 are listed. Enter the number of the ACL you would like to delete. Enter ‘1’ to delete the ACL created in Section 2.3.1, as shown in Figure 4.
```
Delete ACL
----------
Enter ACL direction(in | out | 'q' to quit)>in
Inbound Rules
-------------
                  IP Address                   Port
#  Type  Source         Destination       Source/Dest.  Protocol  Interface
--------------------------------------------------------------------------------
1  D     0.0.0.0/0      192.168.1.0/24    23     23     6         ixp1
Enter number of ACL to delete ('q' to quit)>1
Deleting ACL ... OK.
Press Enter to return to ACLs Configuration
```
Figure 4. Delete an ACL
4. Press ‘Enter’ to return to the Access Control List Configuration Menu.
Copyright © 2006 Klas Ltd. All rights reserved. All company and brand names are trademarks or registered trademarks of their respective owners.