Wednesday 14 December 2011

Block P2P Traffic on a Cisco IOS Router using NBAR

In the following example, we'll use NBAR to block P2P traffic on our router's Gigabit interface.
  • Create a class-map to match the protocols to be blocked.
  • Create a policy-map to specify what should be done with the traffic.
  • Apply the policy to the user-facing (incoming) interface.
conf t
!--- IP CEF must be enabled first: NBAR classification requires CEF
!--- switching, so P2P traffic cannot be matched while IP CEF is disabled.
ip cef
!
!--- Configure the class map named p2p to match the P2P protocols
!--- to be blocked with this class map p2p.
class-map match-any p2p
!--- Mention the P2P protocols to be blocked in order to block the
!--- P2P traffic flow between the required networks. edonkey,
!--- fasttrack, gnutella, kazaa2, skype are some of the P2P
!--- protocols used for P2P traffic flow. This example
!--- blocks these protocols.
!
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
!
!
!--- Here the policy map named SDM-QoS-Policy is created, and the
!--- configured class map p2p is attached to this policy map.
!--- Drop is the command to block the P2P traffic.
!
policy-map SDM-QoS-Policy
class p2p
drop
!
!--- Use the interface on which you wish to block the P2P traffic
interface GigabitEthernet 0/1
!
!--- ip nbar protocol-discovery is not required for the match protocol
!--- statements to work (attaching the service-policy enables NBAR
!--- classification by itself), but it keeps per-protocol statistics
!--- that show ip nbar protocol-discovery can display, which is handy
!--- for checking what the router actually sees on this interface.
ip nbar protocol-discovery
!
!--- Use the service-policy command to attach a policy map to
!--- an input interface so that the interface uses this policy map.
service-policy input SDM-QoS-Policy
!
end
!
!--- Save the current configuration
wr
And that's it.
You can check that the policy is classifying and dropping traffic with:
show policy-map interface GigabitEthernet 0/1
This shows per-class packet and byte counters for SDM-QoS-Policy, including the drops in class p2p (show policy-map on its own only prints the configuration). show ip nbar protocol-discovery interface GigabitEthernet 0/1 breaks the traffic down per protocol. Keep in mind that NBAR only matches what its protocol definitions recognise, so encrypted or obfuscated P2P clients can slip through: treat this as traffic management, not as a hard security boundary.
However, if your version of IOS is older than 12.2(13)T, the drop action in a policy map is not available and you need some extra steps. The workaround marks the DSCP field of matching packets on the way in, then drops packets carrying that marking with an access list on the outbound interface. In the following example, we'll block P2P using the DSCP field.
  • Create a class-map to match the protocols to be blocked.
  • Create a policy-map to specify what should be done with the traffic.
  • Create an access-list to block packets with the DSCP field set to 1.
  • Apply the policy to the user-facing (incoming) interface.
  • Apply the blocking access-list to the outbound interface.
conf t
!--- IP CEF must be enabled first: NBAR classification requires CEF
!--- switching, so P2P traffic cannot be matched while IP CEF is disabled.
ip cef
!
!--- Configure the class map named p2p to match the P2P protocols
!--- to be blocked with this class map p2p.
!
class-map match-any P2P
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
!
!
policy-map P2P
class P2P
set ip dscp 1
!
!--- Drop everything leaving this router with DSCP 1. Note that the ACL
!--- matches the DSCP bits, not the reason they were set: a packet that
!--- arrives already marked DSCP 1 from any other interface is dropped too.
!
access-list 100 deny ip any any dscp 1
access-list 100 permit ip any any
!
interface GigabitEthernet0/1
service-policy input P2P
!
interface POS1/1
ip access-group 100 out
!
end
!
!--- Save the current configuration
wr
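The marking-then-filtering variant is easy to misjudge in one respect: the egress ACL matches on the DSCP bits alone, not on why they were set. The Python below is an added illustration (not router code and not part of the original post) that models what the router does: build_ipv4 constructs test packets, set_ip_dscp applies the `set ip dscp 1` rewrite the way IOS does (top 6 bits of the TOS byte, ECN bits preserved, header checksum recomputed), and egress_acl evaluates access-list 100 against the result. NBAR's verdict is replaced by a boolean argument, since this model does no protocol inspection; addresses and payloads are constructed test data.

```python
"""
Model of the DSCP variant: 'set ip dscp 1' on the ingress policy, then
'access-list 100 deny ip any any dscp 1' on the egress interface.
Added illustration, not Cisco IOS code.
"""
import ipaddress
import struct

DSCP_P2P = 1  # value the policy map sets with 'set ip dscp 1'


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"",
               dscp: int = 0, ecn: int = 0) -> bytes:
    """Constructed test packet: minimal 20-byte header (no options) with a valid checksum."""
    tos = (dscp << 2) | ecn
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def dscp_of(pkt: bytes) -> int:
    """DSCP is the upper 6 bits of the TOS/DS byte; the low 2 bits are ECN."""
    return pkt[1] >> 2


def checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return ipv4_checksum(pkt[:ihl]) == 0


def set_ip_dscp(pkt: bytes, dscp: int) -> bytes:
    """Model of 'set ip dscp <n>': rewrite the 6 DSCP bits, keep ECN, fix the checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def ingress_policy(pkt: bytes, nbar_says_p2p: bool) -> bytes:
    """policy-map P2P / class P2P / set ip dscp 1.  NBAR's classification is
    passed in as a flag: this stand-in does no protocol inspection."""
    return set_ip_dscp(pkt, DSCP_P2P) if nbar_says_p2p else pkt


# access-list 100: first matching entry wins; None matches any DSCP.
# The implicit 'deny' at the end of every IOS ACL is modelled in egress_acl().
ACL_100 = [("deny", DSCP_P2P), ("permit", None)]


def egress_acl(pkt: bytes, acl=ACL_100) -> str:
    d = dscp_of(pkt)
    for action, want in acl:
        if want is None or want == d:
            return action
    return "deny"


def forward(pkt: bytes, nbar_says_p2p: bool) -> str:
    """In on GigabitEthernet0/1 (marking), out on POS1/1 (ACL 100)."""
    return egress_acl(ingress_policy(pkt, nbar_says_p2p))


if __name__ == "__main__":
    p2p = build_ipv4("192.168.1.10", "203.0.113.5", 6, b"constructed p2p payload")
    web = build_ipv4("192.168.1.10", "203.0.113.80", 6, b"GET / HTTP/1.1")
    # Not P2P, but it arrives already carrying DSCP 1: the ACL drops it anyway.
    premarked = build_ipv4("192.168.1.11", "203.0.113.9", 17, b"", dscp=DSCP_P2P)
    print("p2p:", forward(p2p, True), "web:", forward(web, False),
          "pre-marked:", forward(premarked, False))
```

The third packet is the caveat: if hosts behind another interface can send traffic already marked DSCP 1, that traffic is dropped on POS1/1 as well. On a real router you would either re-mark untrusted ingress traffic (set ip dscp 0 in a class-default) or pick a DSCP value that nothing upstream legitimately uses.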


Possibly Related Posts

Installing DNS Master and Slave Servers

Install bind:
apt-get install bind9
Configure The Master

First we need to stop bind9:
/etc/init.d/bind9 stop
Edit the /etc/bind/named.conf.options file so it looks something like this (use forwarders of your choosing):
options {
    directory "/var/cache/bind";
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    dnssec-enable yes;
    // Do NOT pin the outgoing query port (i.e. no "query-source address * port 53;"):
    // that switches off source-port randomisation, which is the mitigation for the
    // cache-poisoning attack described in VU#800113 above.
    // Answer anyone for our own zones, but only recurse for localhost and the LAN.
    // 192.168.254.0/24 is the network used by the zone file below; adjust to yours.
    allow-query { any; };
    allow-recursion { localhost; 192.168.254.0/24; };
    forwarders {
        8.8.8.8;
        208.67.222.222;
        208.67.220.220;
    };
    auth-nxdomain no; # conform to RFC1035
    //listen-on-v6 { any; };
};
Add the ip of this newly installed DNS server (the localhost) to your /etc/resolv.conf to use it:
echo "search linux.lan" > /etc/resolv.conf
echo "nameserver 127.0.0.1" >> /etc/resolv.conf
Now restart bind9:
/etc/init.d/bind9 start
And test:
ping www.google.com
If you get a reply, then your DNS master server is working and ready to use. We will now fill and use the linux.lan domain with our new master server.

Setting up the linux.lan domain

The master DNS server is currently just forwarding requests to the server(s) you configured in the options file. So, we will now create and configure our own domain and let our new server answer all requests for that domain.
Let's start by creating the directory where we will store the zone file. This file contains all the information about the domain.
mkdir /etc/bind/zones/
Next we create the zone file, /etc/bind/zones/master_linux.lan, something like this:
$TTL 3D
@       IN SOA  ns1.linux.lan. hostmaster.linux.lan. (
                199802151       ; serial, e.g. YYYYMMDDn; increase it on every change
                8H              ; refresh, seconds
                2H              ; retry, seconds
                4W              ; expire, seconds
                1D )            ; minimum, seconds
;
        TXT     "Linux.LAN, serving YOUR domain :)"
        NS      ns1             ; Inet Address of name server
        NS      ns2
        MX      10 mail         ; Primary Mail Exchanger
localhost A     127.0.0.1
ns1     A       192.168.254.1
ns2     A       192.168.254.2
www     CNAME   ns1
Here we have created a simple zone file with both nameservers and a www alias for ns1, just in case we have a running apache on ns1 ;) The records below the SOA start with whitespace on purpose: a line that begins in column one names a new owner, while an indented line reuses the owner of the previous record (here the zone apex, @). Note that the MX points at mail, which has no A record in this file; add one or drop the MX line before relying on it.

Now edit /etc/bind/named.conf.local and add:
zone "linux.lan" {
type master;
file "/etc/bind/zones/master_linux.lan";
};
This is it, we can now restart bind and check if it works:
/etc/init.d/bind9 restart
And test if it's working:
ping ns1.linux.lan
At this stage you should have a working and usable DNS server.
If it says it cannot find the domain, check /etc/resolv.conf first: dhclient may have overwritten your nameserver entry. To query the new server directly, independently of resolv.conf, use dig @127.0.0.1 ns1.linux.lan (dig is in the dnsutils package).

Installing The Slave
Basically, the slave uses the same basic system as we constructed in the first part (just before we added the zone file). We will make some small changes to both master and slave so they work together. The zone file will be transferred over the network in an AXFR that is authenticated with a shared TSIG key: the messages are signed (HMAC), not encrypted, so this stops unauthorised transfers but does not hide the zone contents on the wire.
Unless stated otherwise, these commands are for the slave ONLY.

Create the zones dir:
mkdir /etc/bind/zones
For both master AND slave, /etc/bind/named.conf.options should contain dnssec-enable yes; as set above on the master. That line concerns DNSSEC validation, though, and is not what protects the transfer. The transfer is authenticated with a TSIG key that master and slave share, so generate ONE key and install the same secret on both hosts. This creates a .private and a .key file; the Key: line in the .private file holds the base64 secret:
dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST linux.lan
(HMAC-MD5 with a 128-bit key, as in older guides, still works, but use HMAC-SHA256 where your BIND version supports it.)
Add this in your /etc/bind/named.conf on master AND slave, with the secret from the .private file and the algorithm you generated the key with:
key "TRANSFER" {
    algorithm hmac-sha256;
    secret "---HASHKEY---";
};
On the master add the slave ip to /etc/bind/named.conf:
server 192.168.254.2 {
    keys {
        TRANSFER;
    };
};
This makes the master sign what it sends to the slave (the NOTIFY messages). It does not by itself stop anyone else from pulling the zone: BIND of this vintage answers AXFR requests from any host unless told otherwise, so also add allow-transfer { key TRANSFER; }; to the linux.lan zone block in the master's /etc/bind/named.conf.local, which limits transfers to requests signed with that key.
And on the slave we add the master ip to /etc/bind/named.conf:
server 192.168.254.1 {
keys {
TRANSFER;
};
};
Add to /etc/bind/named.conf.local:
zone "linux.lan" {
type slave;
file "/etc/bind/zones/slave_linux.lan";
masters { 192.168.254.1; };
allow-notify { 192.168.254.1; };
};
The rndc control key is not part of the zone transfer, but if your distribution's named.conf does not already include it, add this on BOTH hosts to /etc/bind/named.conf:
include "/etc/bind/rndc.key";
TSIG signatures carry a timestamp and are only accepted within a few minutes of clock skew (the default fudge is 300 seconds), so for a successful zone transfer both systems need a synchronised clock:
apt-get -y install ntpdate

Restart bind on both machines and notice the new zone file on the slave.
If later edits to the zone file on the master do not show up on the slave, the usual cause is the serial number: the slave only transfers again when the master's serial is higher than the one it holds, and it only checks at the refresh interval unless it receives a NOTIFY. Increment the serial on every change and reload bind on the master.
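Two points above deserve a concrete illustration: the zone-file syntax (an indented record inherits the owner of the line before it, and the apex records hang off the SOA's @) and why edits on the master do not always reach the slave (the serial). The Python below is an added example, not part of the original post and not BIND code: a minimal zone-file parser, a small lint that catches the kind of mistake the zone above contains (the MX target mail has no address record), and the RFC 1982 serial comparison a slave applies before deciding to transfer. ZONE_TEXT is a constructed copy of the page's zone file.

```python
"""Added example: parse a BIND zone file, lint it, and apply RFC 1982 serial
arithmetic to see when a slave will re-transfer.  Not BIND code."""
import re

# Constructed copy of the page's zone file, indented as named expects: a line
# starting with whitespace reuses the owner of the previous record.
ZONE_TEXT = """\
$TTL 3D
@   IN SOA ns1.linux.lan. hostmaster.linux.lan. (
        199802151       ; serial
        8H 2H 4W 1D )   ; refresh retry expire minimum
    TXT "Linux.LAN, serving YOUR domain :)"
    NS  ns1
    NS  ns2
    MX  10 mail
localhost A 127.0.0.1
ns1 A 192.168.254.1
ns2 A 192.168.254.2
www CNAME ns1
"""

_UNITS = {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
_TTL_RE = re.compile(r"(\d+)([SMHDW]?)", re.I)
# "quoted string" | ( or ) | ';' starts a comment | bare word
_TOK_RE = re.compile(r'"([^"]*)"|([()])|(;)|([^\s"();]+)')
_NAME_FIELDS = {"NS": [0], "CNAME": [0], "MX": [1], "SOA": [0, 1]}  # rdata fields that are names


def parse_ttl(tok: str) -> int:
    m = _TTL_RE.fullmatch(tok)
    if not m:
        raise ValueError(f"bad TTL {tok!r}")
    return int(m.group(1)) * _UNITS[m.group(2).upper()]


def fqdn(name: str, origin: str) -> str:
    """'@' is the origin; a name without a trailing dot is relative to it."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"


def _tokens(line: str) -> list:
    """Tokens of one line: quoted strings stay whole, parens are separate, ';' ends the line."""
    out = []
    for quoted, paren, comment, word in _TOK_RE.findall(line):
        if comment:
            break
        out.append(quoted if quoted else paren or word)
    return out


def parse_zone(text: str, origin: str) -> dict:
    origin = origin.rstrip(".") + "."
    records, default_ttl, owner, depth = [], None, None, 0
    for raw in text.splitlines():
        if depth == 0:                       # not inside ( ... ): a new record starts here
            pending, pending_ws = [], raw[:1].isspace()
        for t in _tokens(raw):
            if t in ("(", ")"):
                depth += 1 if t == "(" else -1
            else:
                pending.append(t)
        if depth > 0 or not pending:
            continue
        toks = pending
        if toks[0] == "$TTL":
            default_ttl = parse_ttl(toks[1])
            continue
        if not pending_ws:                   # a name in column one sets a new owner
            owner, toks = fqdn(toks[0], origin), toks[1:]
        ttl = default_ttl
        while toks[0].upper() == "IN" or _TTL_RE.fullmatch(toks[0]):  # optional class / TTL
            ttl = ttl if toks[0].upper() == "IN" else parse_ttl(toks[0])
            toks = toks[1:]
        rtype, rdata = toks[0].upper(), list(toks[1:])
        for i in _NAME_FIELDS.get(rtype, []):
            rdata[i] = fqdn(rdata[i], origin)
        records.append({"owner": owner, "ttl": ttl, "type": rtype, "rdata": rdata})
    soa = next((r for r in records if r["type"] == "SOA"), None)
    return {"origin": origin, "records": records, "serial": int(soa["rdata"][2]) if soa else None}


def lint(zone: dict) -> list:
    """An in-zone NS or MX target needs an address record (the page's 'mail' has none)."""
    has_addr = {r["owner"] for r in zone["records"] if r["type"] in ("A", "AAAA")}
    problems = []
    for r in zone["records"]:
        if r["type"] in ("NS", "MX"):
            target = r["rdata"][_NAME_FIELDS[r["type"]][0]]
            if target.endswith("." + zone["origin"]) and target not in has_addr:
                problems.append(f"{r['type']} target {target} has no A/AAAA record in the zone")
    return problems


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: is a 'greater' than b in 32-bit wraparound serial arithmetic?"""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return (a < b and b - a > 2**31) or (a > b and a - b < 2**31)


def slave_will_transfer(slave_serial, master_serial: int) -> bool:
    """A slave that already holds the zone pulls again only if the master's serial is higher."""
    return slave_serial is None or serial_gt(master_serial, slave_serial)


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT, "linux.lan")
    print(*[f'{r["owner"]:<20}{r["ttl"]:>8} {r["type"]:<6}{" ".join(r["rdata"])}' for r in zone["records"]], sep="\n")
    print("lint:", lint(zone), "| same serial re-transfers:", slave_will_transfer(zone["serial"], zone["serial"]))
```

Running it prints every record with its fully qualified owner, so you can see that the TXT, NS and MX lines resolved to linux.lan. rather than to a bogus owner, and the last line shows the trap from the paragraph above: a master that was edited without bumping the serial is, from the slave's point of view, unchanged.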

NOTE: if you get an error in syslog saying "bind dumping master file (...) permission denied" (Ubuntu), the AppArmor profile for named allows only read access to /etc/bind. The cleaner fix is to keep slave zone files where the profile already allows writes, e.g. file "/var/cache/bind/slave_linux.lan"; in the slave zone block. If you prefer to keep them under /etc/bind/zones, edit /etc/apparmor.d/usr.sbin.named and change the line:
/etc/bind/** r,
into:
/etc/bind/** rw,
then reload the profile (apparmor_parser -r /etc/apparmor.d/usr.sbin.named) and restart bind.

