Filtering Multiport Applications
Problem
You want to filter an application that uses more than one TCP or UDP port.
Solution
This example shows how to filter both FTP control and data sessions:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 152 permit tcp any any eq ftp
Router1(config)#access-list 152 permit tcp any any eq ftp-data established
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip access-group 152 in
Router1(config-if)#exit
Router1(config)#end
Router1#
Discussion
Some protocols use more than one port. The classic example is FTP, which the solution above filters, so it is worth reviewing how the protocol works; for the full details, consult RFC 959.
When a client device wants to connect to a server to upload or download files, it makes a TCP connection to port 21 on the server. This port 21 connection carries all of the interactive user traffic, such as usernames and passwords, as well as the commands to move between directories. The client also uses this control session to tell the server, with the PORT command, which port number it will listen on for the data transfer. This is typically a high-numbered ephemeral TCP port. This is FTP's traditional active mode.
When the user then wants to transfer a file, they traditionally type a put or get command in the FTP client. We say traditionally because this is not quite how things work when FTP is driven through a web browser, as we discuss in Recipe 19.12.
The server then makes a new TCP connection to the high-numbered port on the client device that it previously learned about through the control session. The source port for this connection is the well-known FTP data port number, 20. This is the reverse of most TCP connections, in which the client device connects to the server using a well-known destination port number. Here the server connects to the client using a well-known source port number.
The client and server exchange the file, and then disconnect this FTP data connection, leaving the FTP control connection on port 21 active. The server will actually use the FTP data connection to transfer any bulk data, including directory listings as well as files. This recipe shows how you can easily match both the control and data traffic streams using an ACL.
In this example, we will assume that the client device is connected to the router's FastEthernet0/0 interface, perhaps through other downstream routers. And, for the sake of the example, we will assume that this is the only data that we want to allow.
So the router will receive a TCP packet from the client device as it initiates the FTP session, with destination port 21. We match this connection with the following extended IP ACL entry:
Router1(config)#access-list 152 permit tcp any any eq ftp
Note that we have used the keyword ftp in this ACL to mean TCP port 21.
Then, when there is data to exchange, the server opens a connection from its port 20 to the client's high-numbered port. The client's replies on that connection therefore carry destination port 20, and the ACL keyword for this port is ftp-data. The established keyword restricts the match to TCP segments with the ACK or RST bit set, which is what the client's replies to a server-initiated connection look like; a fresh SYN from the client side to port 20 does not match:
Router1(config)#access-list 152 permit tcp any any eq ftp-data established
It is important to note that the access group is applied inbound to packets received on the client's Fast Ethernet port. So this ACL never sees the packets the server sends to the client, only those the client sends to the server. That is sufficient, because the two devices cannot establish a TCP session unless each can send packets to the other. Two caveats apply. First, established is not stateful: the router only checks the flag bits, so a crafted packet with ACK set and destination port 20 passes the second entry whether or not a data connection exists. Second, this ACL assumes active-mode FTP. A client using passive mode (the PASV command) opens the data connection itself, to a high-numbered port chosen by the server, and this ACL blocks that connection.
For a more generic multi-port TCP application, you can specify a range of ports in the ACL with the range keyword, as follows:
Router1(config)#access-list 153 permit tcp any any range 6000 6063
This example matches any packets whose destination port is between 6000 and 6063, inclusive, which is the range commonly used by the X Window system. You can also specify open-ended ranges. For example, to match any TCP port number greater than 1023, you can use the gt keyword:
Router1(config)#access-list 153 permit tcp any any gt 1023
And there are, similarly, "less than" and "not equal to" operators for port numbers:
Router1(config)#access-list 153 permit tcp any any lt 1024
Router1(config)#access-list 153 permit tcp any any neq 666
As an aside, TCP port number 666 is used by the Doom interactive network game, making it an excellent candidate for filtering.
These same operators apply identically to UDP port numbers, with one exception: the established keyword is valid only for TCP entries, since UDP has no connection flags to check. Each ACL below holds a single entry to illustrate its operator; remember that an ACL containing only a deny entry, such as 155, blocks all traffic on the interface because of the implicit deny at its end:
Router1(config)#access-list 154 permit udp any any range 6000 6063
Router1(config)#access-list 155 deny udp any any gt 1023
Router1(config)#access-list 156 permit udp any any lt 1024
Router1(config)#access-list 157 permit udp any any neq 666
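The following is an added example, not part of the original recipe and not Cisco code: a small Python evaluator that parses the ACL lines used in this recipe (eq, neq, gt, lt, range, and established, with any source and destination) and runs constructed packets through them, so you can see exactly which client-to-server packets ACL 152 permits, why a client-side SYN to port 20 is dropped while a forged ACK to port 20 is not, and how the range and UDP operators behave, including the point that established is rejected on a UDP entry. It is a deliberate simplification of IOS matching, not a model of the real implementation; the packets and ACL numbers are constructed for illustration.

```python
"""Toy evaluator for the destination-port part of Cisco extended IP ACLs.
Added example, not Cisco code and not a full model of IOS: it accepts only
'access-list <n> permit|deny tcp|udp any any [op port(s)] [established]'
and evaluates constructed packets first-match-wins, then the implicit deny."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "domain": 53}  # IOS keywords used below

@dataclass
class Packet:  # constructed sample packet: just the fields these entries examine
    proto: str          # "tcp" or "udp"
    dst_port: int
    ack: bool = False   # ACK bit (IOS 'established' also accepts RST)

@dataclass
class Entry:
    action: str             # "permit" or "deny"
    proto: str
    op: Optional[str]       # eq, neq, gt, lt, range, or None for any port
    ports: Tuple[int, ...]  # (port,) or (low, high) for range
    established: bool

def parse_entry(line: str) -> Entry:
    toks = line.split()
    if toks[0] != "access-list" or toks[4:6] != ["any", "any"]:
        raise ValueError(f"unsupported syntax: {line}")
    action, proto, rest = toks[2], toks[3], toks[6:]
    established = bool(rest) and rest[-1] == "established"
    if established:
        if proto != "tcp":  # IOS accepts 'established' on tcp entries only
            raise ValueError("'established' is only valid for tcp")
        rest = rest[:-1]
    if not rest:
        return Entry(action, proto, None, (), established)
    if rest[0] in ("eq", "neq", "gt", "lt", "range"):
        n = 3 if rest[0] == "range" else 2
        ports = tuple(PORT_NAMES.get(t) or int(t) for t in rest[1:n])
        return Entry(action, proto, rest[0], ports, established)
    raise ValueError(f"unknown operator: {rest[0]}")

def port_matches(e: Entry, port: int) -> bool:
    if e.op is None:
        return True
    if e.op == "range":
        return e.ports[0] <= port <= e.ports[1]  # inclusive at both ends
    p = e.ports[0]
    return {"eq": port == p, "neq": port != p, "gt": port > p, "lt": port < p}[e.op]

def entry_matches(e: Entry, pkt: Packet) -> bool:
    if e.proto != pkt.proto or not port_matches(e, pkt.dst_port):
        return False
    # 'established' is not stateful: it only asks whether the ACK (or RST) bit is set.
    return not e.established or pkt.ack

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    for e in acl:
        if entry_matches(e, pkt):
            return e.action
    return "deny"  # the implicit deny that ends every ACL

def one(line: str, pkt: Packet) -> str:
    return evaluate([parse_entry(line)], pkt)  # single-entry ACL plus implicit deny

# The recipe's ACL 152, applied inbound on the client side: it sees client->server only.
ACL_152 = [parse_entry(l) for l in (
    "access-list 152 permit tcp any any eq ftp",
    "access-list 152 permit tcp any any eq ftp-data established")]

def ftp_results() -> dict:
    return {
        "control_syn": evaluate(ACL_152, Packet("tcp", 21)),            # permit
        "data_synack": evaluate(ACL_152, Packet("tcp", 20, ack=True)),  # permit: reply to server's SYN
        "syn_to_20":   evaluate(ACL_152, Packet("tcp", 20)),            # deny: fresh SYN, no ACK
        "passive_syn": evaluate(ACL_152, Packet("tcp", 50123)),         # deny: PASV data port
        "forged_ack":  evaluate(ACL_152, Packet("tcp", 20, ack=True)),  # permit: looks established
    }

def operator_results() -> dict:
    x = "access-list 153 permit tcp any any range 6000 6063"
    udp = [parse_entry("access-list 155 deny udp any any gt 1023"),
           parse_entry("access-list 155 permit udp any any")]
    return {
        "range_6063": one(x, Packet("tcp", 6063)),                                            # permit
        "range_6064": one(x, Packet("tcp", 6064)),                                            # deny
        "gt_1023":    one("access-list 153 permit tcp any any gt 1023", Packet("tcp", 1023)),  # deny
        "neq_666":    one("access-list 153 permit tcp any any neq 666", Packet("tcp", 666)),   # deny
        "proto_mix":  one(x, Packet("udp", 6000)),                                            # deny: tcp entry
        "udp_2000":   evaluate(udp, Packet("udp", 2000)),                                     # deny: first match
        "udp_53":     evaluate(udp, Packet("udp", 53)),                                       # permit
    }

def udp_established_rejected() -> bool:
    try:
        parse_entry("access-list 154 permit udp any any eq domain established")
    except ValueError:
        return True
    return False
```

Call ftp_results() and operator_results() to see the verdicts. The two results worth dwelling on are syn_to_20 and forged_ack: the same destination port produces opposite verdicts purely on the ACK bit, which is all the established keyword can see, so the permit for ftp-data is only as strong as your trust that nothing on the client side forges ACK-flagged packets.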