Restricting TCP Session Direction

Problem

You want to filter TCP sessions so that only the client device may initiate the session; the server side must not be able to open connections back toward the client.

Solution

You can use the established keyword to restrict which device is allowed to initiate the session. In the following example, we want to allow the client device to telnet to the server, but not the other way around:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 148 permit tcp any eq telnet any established
Router1(config)#access-list 148 deny ip any any
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip access-group 148 in
Router1(config-if)#exit
Router1(config)#end
Router1#

Discussion

In this example, the interface will accept incoming TCP packets only if they have a TCP source port number of 23 (Telnet), and only if this TCP session is already established. It does not restrict the destination port number, because this would be whatever random high-numbered port the initiating device had originally selected for its source port when it started the session.

The router considers an established TCP connection to be one that has either the RST or ACK bit set. We discuss these TCP header flags in more detail in Recipe 19.4. Because the SYN packet that opens a new TCP connection carries neither of these bits, it is impossible to create a new TCP connection through this interface.

Note that you could actually write the same thing explicitly as two rules:

Router1(config)#access-list 148 permit tcp any eq telnet any ack
Router1(config)#access-list 148 permit tcp any eq telnet any rst

The combination of these two rules is identical to the version in the example:

Router1(config)#access-list 148 permit tcp any eq telnet any established

But the version with the established keyword executes more efficiently. Note that putting both rst and ack in the same rule would match only packets with both RST and ACK set, not packets with one or the other.

To see why the established keyword is sometimes necessary, imagine what would happen if it were not present. The interface would accept any inbound TCP packets that happened to have a source port of 23. But this could be literally anything. A moderately clever hacker who knew how to set the source port on his Telnet application could easily initiate a connection to any device on the other side of the router.
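The following added example (not from the book) simulates how access-list 148 classifies inbound packets, using the flag semantics described above: the established keyword matches ACK or RST, the two separate ack and rst rules are equivalent to it, and ack rst in a single rule needs both bits. The packets and port numbers are constructed for illustration.

```python
# Simulation of access-list 148 applied inbound on FastEthernet0/0.
# Flag semantics follow the recipe text; the packets are constructed.

TELNET = 23
SYN, ACK, RST = 0x02, 0x10, 0x04   # TCP header flag bits


def matches_established(flags):
    """Cisco 'established': true when ACK or RST is set (a bare SYN is neither)."""
    return bool(flags & (ACK | RST))


def acl_148_established(src_port, _dst_port, flags):
    """permit tcp any eq telnet any established / deny ip any any.
    The destination port is deliberately not checked (client's ephemeral port)."""
    return "permit" if src_port == TELNET and matches_established(flags) else "deny"


def acl_148_two_rules(src_port, _dst_port, flags):
    """Same filter written as separate 'ack' and 'rst' rules."""
    if src_port == TELNET and flags & ACK:
        return "permit"
    if src_port == TELNET and flags & RST:
        return "permit"
    return "deny"


def acl_148_ack_rst_same_rule(src_port, _dst_port, flags):
    """Pitfall: 'ack rst' in ONE rule requires both bits to be set."""
    if src_port == TELNET and (flags & ACK) and (flags & RST):
        return "permit"
    return "deny"


# Constructed inbound packets (server side -> client side): (src_port, dst_port, flags)
PACKETS = {
    "server reply SYN-ACK":       (TELNET, 51234, SYN | ACK),
    "server data ACK":            (TELNET, 51234, ACK),
    "server reset RST":           (TELNET, 51234, RST),
    "server-initiated SYN":       (TELNET, 51234, SYN),   # new session from the far side
    "crafted src port 23 SYN":    (TELNET, 23, SYN),      # the case the discussion warns about
    "other src port ACK":         (8080, 51234, ACK),
}


def classify(acl):
    """Run every constructed packet through one ACL variant."""
    return {name: acl(*pkt) for name, pkt in PACKETS.items()}
```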

So if you are using ACLs to control TCP applications for security reasons, you should consider using the established keyword.