Syed Jahanzaib – Personal Blog to Share Knowledge !

December 16, 2019

TACACS+ Cisco centralized authentication server

Filed under: Cisco Related — Syed Jahanzaib / Pinochio~:) @ 3:29 PM

tacacs plus server.png

Disclaimer:

My humble request: kindly do not consider me an expert on this stuff. I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However, I have worked with some core networks and I read, research & try stuff all of the time. When you are enslaved by a private job & working as a one man army, you have to perform many tasks for which you are not formally trained. So I am not speaking/posting about stuff I am formally trained in; I pretty much go with experience and what I have learned on my own. And if I don't know something, then I read & learn all about it.

So, please don't hold me/my postings to be always 100 percent correct. I make mistakes just like everybody else. However, I do my best, learn from my mistakes and try to help others.


TACACS+

Terminal Access Controller Access-Control System Plus (TACACS+, usually pronounced "tack-axe plus") is Cisco's AAA protocol for controlling administrative access to switches, routers and firewalls from a centralized server. It runs over TCP port 49 and handles authentication, authorization and accounting as separate exchanges, which is what makes per-command authorization possible: with TACACS+ you can set up much more granular access for users, groups, subnets or device types, for example which user may issue which commands on a switch. The packet body is only obfuscated with an MD5 keystream derived from the shared key (it is not real encryption), so treat the key as a secret and keep TACACS+ traffic on a management network.

 

central auth server.jpeg

 

Hardware Software Components used in this guide:

In this post I have used

  • Ubuntu 18 server edition for TACACS+ deployment / IP: 101.11.11.254
  • Cisco WS-C3850-24T switch / IOS Version 16.3.9 [Denali]

Quick Notes:

TACACS Server installation

apt-get -y install tacacs+

Once the installation is done, we will modify the TACACS+ server default config file to suit our needs. On a default installation the configuration file is found at /etc/tacacs+/tac_plus.conf

nano /etc/tacacs+/tac_plus.conf

Remove the existing configuration and use the sample config below; make sure to change the KEY, user IDs and passwords as required.

# Key is like a password or shared secret, make sure to make it strong.
# It must match the "tacacs-server key" configured on every device; it only
# obfuscates the packet body (MD5 based, not real encryption), so also keep
# TACACS+ traffic on a management network.
key = testing123
accounting file = /var/log/tacplus.log
#default authentication = file /etc/passwd

# Admins group: every command is permitted and the exec session starts at privilege 15
group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# For support group, we are allowing only specific sets of CMD only
group = support {
    default service = deny
    service = shell {
        priv-lvl = 15
    }
    # "show" is restricted to these sub-commands; note that running-config
    # exposes any secrets stored in the switch configuration
    cmd = show {
        permit version.*
        permit clock.*
        permit interface.*
        permit running-config.*
        permit logging.*
    }
    # Configuration commands the support group may use (config-commands
    # authorization on the switch sends each of these to the server)
    cmd = configure {
        permit .*
    }
    cmd = interface {
        permit .*
    }
    cmd = vlan {
        permit .*
    }
    cmd = switchport {
        permit .*
    }
    cmd = write {
        permit .*
    }
}

# Create local users here.
# "cleartext" stores the password as-is in this file (tac_plus also accepts
# "des" hashes), so keep the file readable by root only.
user = admin {
    login = cleartext admin123
    name = "Admin Group"
    member = admins
}
user = support {
    login = cleartext support123
    name = "Network Support"
    member = support
}


 

Restart the tacacs+ service. The init script checks the configuration file before starting the daemon, and if all configuration is OK you should get something like below:

/etc/init.d/tacacs_plus restart

 * Checking TACACS+ authentication daemon configuration files successful tacacs+

The daemon listens on TCP port 49, so that port must be reachable from the switches (and, ideally, from nothing else).
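What the shared key actually does on the wire is worth seeing once. The Python below is an added example, not code from this post or from tac_plus: it builds the authentication START packet a switch sends for user "support", obfuscates the body with the RFC 8907 pseudo-pad derived from the key, and parses it back. The session_id, tty name and remote address are made-up sample values; the key is the one from tac_plus.conf above.

```python
"""Added example: build, obfuscate and parse a TACACS+ authentication START packet (RFC 8907)."""
import hashlib
import struct

VERSION = 0xC0              # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01          # packet type: authentication
FLAG_UNENCRYPTED = 0x01     # header flag: body sent in the clear (never use it in production)
AUTHEN_LOGIN = 0x01         # START action: login
AUTHEN_TYPE_ASCII = 0x01    # interactive (ASCII) login
AUTHEN_SVC_LOGIN = 0x01     # authen_service: login


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. XOR is its own inverse, so this also deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def header(ptype, seq_no, session_id, body_len, flags=0):
    """12-byte TACACS+ header: version, type, seq_no, flags, session_id, body length."""
    return struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, body_len)


def authen_start_body(user, port, rem_addr, priv_lvl=1, data=b""):
    """Authentication START body: 8 fixed bytes followed by the variable-length fields."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def build_authen_start(user, key, session_id, port="tty2", rem_addr="", seq_no=1):
    """Header plus obfuscated body, as the switch would put it on TCP port 49."""
    body = authen_start_body(user, port, rem_addr)
    return header(TYPE_AUTHEN, seq_no, session_id, len(body)) + \
        obfuscate(body, session_id, key, VERSION, seq_no)


def parse_authen_start(packet, key):
    """Parse a START packet with the given key. A wrong key does not raise an
    error; it simply yields garbage field values."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    off, fields = 8, {}
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl)):
        fields[name] = body[off:off + n].decode("ascii", errors="replace")
        off += n
    fields.update(type=ptype, seq_no=seq_no, session_id=session_id, action=action,
                  priv_lvl=priv_lvl, authen_type=authen_type, service=service)
    return fields


if __name__ == "__main__":
    key = b"testing123"                       # the key from tac_plus.conf above
    pkt = build_authen_start("support", key, session_id=0x1A2B3C4D, rem_addr="101.11.11.161")
    print(pkt.hex())
    print(parse_authen_start(pkt, key))
    print(parse_authen_start(pkt, b"wrong-key")["user"])   # unreadable without the right key
```

Two things fall out of it: the body is only XORed with an MD5 keystream, so the key protects confidentiality only as long as it stays secret and the traffic stays on a management network; and a wrong key does not raise an error but produces garbage, which is what makes switch/server key mismatches confusing to debug.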

Next up we will make changes to the Cisco switch. In this example I am using a Cisco WS-C3850-24T switch, and a working configuration looks like this:

Note: This is just a basic example. It is not tuned and is insecure in places (the exec-timeout of 35791 minutes effectively disables the idle timeout, the key is trivial, and the support group's "show running-config" exposes any secrets in the configuration), but for a test it will work fine.


Switch configuration

enable
conf t

aaa new-model
! Login is authenticated by TACACS+ first; "local" is only the fallback when no server answers
aaa authentication login default group tacacs+ local
aaa authentication enable default enable
aaa authorization config-commands
! Named command-authorization lists; with "local" as fallback, commands are
! allowed by local privilege level if the TACACS+ server is unreachable
aaa authorization commands 1 support group tacacs+ local
aaa authorization commands 15 admins group tacacs+ local
aaa accounting commands 1 support-act1 start-stop group tacacs+
aaa accounting commands 15 admins-act15 start-stop group tacacs+
login on-success log

! change tacacs IP address / KEY as per your local network
! (newer IOS-XE deprecates this legacy form in favour of "tacacs server NAME" with "address ipv4" and "key")
tacacs-server host 101.11.11.254
tacacs-server key 0 testing123

!
line con 0
 exec-timeout 35791 0
 privilege level 15
 stopbits 1
line aux 0
 no exec
 stopbits 1
line vty 0 3
 privilege level 15
 authorization commands 1 support
 authorization commands 15 admins
 accounting commands 1 support-act1
 accounting commands 15 admins-act15
 length 0
 transport input ssh
line vty 4
 exec-timeout 35791 0
 privilege level 15
 authorization commands 1 support
 authorization commands 15 admins
 length 0
 transport input ssh
line vty 5 15
 ! the named lists apply per line, so sessions landing here must get them too,
 ! otherwise the sixth and later SSH sessions would skip command authorization
 privilege level 15
 authorization commands 1 support
 authorization commands 15 admins
 accounting commands 1 support-act1
 accounting commands 15 admins-act15
 length 0
 transport input ssh
!

do wr

Done.

Now try to log in to the switch with the support account and execute permitted and non-permitted commands.

Result for SUPPORT ACCOUNT

login as: support
Using keyboard-interactive authentication.
Password:

spare-sw#ping 101.11.11.254
Command authorization failed.

spare-sw#show clock
*10:24:07.527 UTC Mon Dec 16 2019

spare-sw#sh inter
spare-sw#sh interfaces status

Port Name Status Vlan Duplex Speed Type
Gi1/0/1 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/2 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/3 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/4 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/5 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/6 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/7 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/8 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/9 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/10 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/11 notconnect 1 auto auto 10/100/1000BaseTX

spare-sw#

 



Regard’s
Syed Jahanzaib

December 13, 2019

Mikrotik – Packet Chain Topology

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 9:36 AM

 


Firewall Mangle

Firewall mangle is used to mark IP packets. These marks are used by other router facilities like routing, firewall filter and bandwidth management (queues) to identify the packets. It is also used to modify some fields in the IP header, like the TOS (DSCP) and TTL fields. There are 5 default chains in firewall mangle.

PREROUTING

Prerouting is looked at before the router makes a routing decision, so it sees every packet that arrives on an interface, whether it is addressed to the router itself or will be forwarded. It happens before the input and forward chains. Because a connection is seen here before anything is done with it (DST-NAT, redirection to a proxy, port filtering), prerouting is where you normally mark a connection before those processes occur.

INPUT

Packets that arrive at the router with a destination IP which is one of the router's own addresses are processed by the input chain, after the routing decision. Examples: a telnet or ssh session to the router, or a client using a proxy running on the router itself. In firewall filter, the input chain is therefore where you limit configuration access to the Mikrotik router.

FORWARD

After prerouting and the routing decision, packets that pass through the router (from public to local, or from local to public) are processed by the forward chain. Nothing on the router terminates these connections; they only transit. Example: if we want to block users from opening facebook, we use the firewall forward chain.

POSTROUTING

Postrouting is looked at after the routing decision, for every packet that is about to leave the router, whether it was forwarded or generated by the router itself. It happens after the forward and output chains, and it is where SRC-NAT (masquerade) takes place.

OUTPUT

Output is used to process packets that originate from the router itself and leave through one of its interfaces, for example a ping from the router to the Internet. Normally we rarely use this chain.

============================================================================

Firewall Filter

Most of the time we use it to filter traffic, simply said to protect our network from unauthorized users or bad guys. There are three default chains in firewall filter: input, output and forward.

 

Does it matter where you mark?

Yes, because sometimes you might overmark and sometimes you might undermark. Choose the right place for the right classification/marking

 

Connection/packet marking TIPS from fewi, Mikrotik expert:

Connection marks are based on the connection tracking facility. That is mandatory for doing any NAT, so if you do NAT you get connection marks for free.

If you have a complicated way of assigning connection marks (you check a lot of parameters, such as protocol, source address, destination port, TTL and time of day) then it’s best to do that once, and above that rule mark packets based on connection mark (based on just one comparison – the connection mark – and hence much cheaper than checking lots of parameters) and setting passthrough to ‘no’. Alternatively, you could add additional parameters on the rule that sets the connection mark and either check for ‘connection-mark=no-mark’ (this connection hasn’t been marked before) or ‘connection-state=new’ (this is a new connection and couldn’t have a mark) so that not each packet is checked against the expensive rule as well – after all you might just as well just mark the packet directly in that case.

Overall, though, unless you’re hitting over 50% CPU utilization at all times and are worried about router performance it is probably best not to optimize your mangle/filter rulesets for performance. You should rather write them in a way that makes sense to you and is easy to understand and troubleshoot so that you can take care of issues quickly when they arise. Who cares if your router is running at 20% utilization but could be running at 10%? But people do care when it takes 2 hours to figure out what’s wrong rather than the 10 minutes it might if you immediately could see what was going on.

 

 

December 10, 2019

Short notes for UNBOUND Caching DNS Server under Ubuntu 18


unbound.PNG

On a lighter note, to sum it up in a single image!

 

 



Customized Panel To manage DNS Configuration via WEBMIN ! (SJZ)


Unbound is a validating, recursive, caching DNS resolver. It can act as a caching resolver, a full recursive resolver, or both, which makes it suitable for offices/ISPs. It is designed to be fast and lean and incorporates modern features based on open standards.


Installation of UNBOUND DNS server for a local network is fairly simple, but I encountered some hurdles setting it up with Ubuntu 18, therefore I took notes on how I resolved it in this post for reference purposes. I am more comfortable setting it up on Ubuntu 16!

After a fresh installation of Ubuntu, it is a good idea to keep your system time synced to an NTP source. This matters for DNSSEC validation too: signatures carry validity periods, and a resolver with a badly wrong clock will reject valid answers.

apt-get -y install ntp ntpdate
# Change timezone as per your local
cp /usr/share/zoneinfo/Asia/Karachi /etc/localtime
sudo /etc/init.d/ntp restart

Install UNBOUND DNS Server on Ubuntu

Step #1

apt-get install -y unbound

If you are using Ubuntu 18 or later, read Step # 2; otherwise skip it.

Step # 2

#Additional notes for Ubuntu 18 version only

The problem with Ubuntu 18.04 is the systemd-resolved service which is listening on port 53 and therefore conflicts with unbound service

Edit the file /etc/systemd/resolved.conf

nano /etc/systemd/resolved.conf 

& modify this

DNSStubListener=no

Now reboot

shutdown -r now

You can now confirm that port 53 is free:

netstat -tulpn | grep :53

Some housekeeping stuff for Ubuntu 18 & +

sudo service systemd-resolved stop
sudo rm -f /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo service systemd-resolved start

Step # 3

Edit the existing UNBOUND configuration file for customization…

nano /etc/unbound/unbound.conf

Example of unbound.conf

# Unbound configuration file for Debian.
server:
# Use the root servers key for DNSSEC
#auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Enable logs
chroot: ""
#verbosity (log level from 0 to 4, 4 is debug)
#verbosity: 1
#logfile: /var/log/unbound/unbound.log
#log-queries: yes
#use-syslog: (do not write logs in syslog file in ubuntu /var/log/syslog -zaib)
use-syslog: no
#interface (interfaces on which Unbound will be launched and requests will be listened to)
# Respond to DNS requests on all interfaces
interface: 0.0.0.0
# DNS request port, IP and protocol
port: 53
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes

# Authorized IPs to access the DNS Server / access-control (determines whose requests are allowed to be processed)
# if you want to allow all ip pools, uncomment following (make sure you have good firewall for it),
# otherwise anyone on the Internet can use this box as an open resolver for amplification attacks
# access-control: 0.0.0.0/0 allow
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
# the RFC 1918 range is 172.16.0.0/12 (172.16.0.0 - 172.31.255.255), not /16
access-control: 172.16.0.0/12 allow
access-control: 192.168.0.0/16 allow
# 101.0.0.0/8 is public address space used here as the local LAN range; adjust to your own
access-control: 101.0.0.0/8 allow

# Root servers information (To download here: ftp://ftp.internic.net/domain/named.cache)
#root-hints: "/var/lib/unbound/root.hints"

# Hide DNS Server info
hide-identity: yes
hide-version: yes

# Improve the security of your DNS Server (harden against spoofed/poisoned data and require DNSSEC where the zone is signed)
harden-glue: yes
harden-dnssec-stripped: yes

# Randomise the case of outgoing query names (dns0x20); the upstream must echo the case back, which makes spoofed replies harder
use-caps-for-id: yes

# PERFORMANCE RELATED TUNING - USE IT WITH CARE - TTL Min (Seconds, I set it to 7 days)
# A minimum TTL overrides what the zone owner set, so records that change (CDNs, failover, moved or revoked hosts) can stay stale for up to 7 days
cache-min-ttl: 604800
# PERFORMANCE RELATED TUNING - USE IT WITH CARE - TTL Max (Seconds, I set it to 14 days)
cache-max-ttl: 1209600
# Enable the prefetch
prefetch: yes

# Number of maximum threads CORES to use / zaib
# Set num-threads equal to the number of CPU cores on the system.
# Try NOT to use all available cores, example if you have 6 cores, try starting with 3/4
num-threads: 4

### Tweaks and optimizations
# Number of slabs to use (Must be a multiple of num-threads (cpu cores) value)
# Set below *-slabs options, value of num-threads x 2. Example 4 cpu x 2 = 8
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
# Cache and buffer size (in mb)
#Increase the memory size of the cache. Use roughly twice as much rrset cache memory as 
#you use msg cache memory. For example, rrset-cache-size: 100m / msg-cache-size: 50m
#Due to malloc overhead, the total memory usage is likely to rise to double (or 2.5x) the total cache memory that is entered into the config.
rrset-cache-size: 100m
msg-cache-size: 50m
so-rcvbuf: 10m

# Make sure your DNS Server treat your local network requests
#private-address: 101.0.0.0/8

# Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
unwanted-reply-threshold: 10000

# Authorize or not the localhost requests
do-not-query-localhost: no

# Use the root.key file for DNSSEC
#auto-trust-anchor-file: "/var/lib/unbound/root.key"
val-clean-additional: yes
# Older version of unbound doesnt support *.conf, use specific filename instead. [zaib]
# This line caused me much issue therefore I hardcoded file name instead of *.conf
include: "/etc/unbound/unbound.conf.d/*.conf"

Example of /etc/unbound/unbound.conf.d/myrecords.conf

You can use this file to add your custom DNS records.

Create the new file at the path below (make sure it is covered by the include: parameter in unbound.conf):

nano /etc/unbound/unbound.conf.d/myrecords.conf

Now adding an ‘A’ Record

Assuming we want to add an A record for ‘zaib.com’ which has an IP of 1.2.3.4

local-data: "zaib.com A 1.2.3.4"

Adding a PTR Record

A PTR record (sometimes known as a reverse DNS record) allows you to request the hostname used by an IP (i.e. rather than running a DNS query for zaib.com, you’re asking for the hostname of the machine at 1.2.3.4)

   local-data-ptr: "1.2.3.4 zaib.com"

Every time you make any changes to Unbound Config, make sure to restart or reload the configuration

unbound-control reload 

Test if UNBOUND service is started successfully.

unbound-control status

OR

service unbound status

Result:

● unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2019-12-10 12:28:59 PKT; 2s ago
Docs: man:unbound(8)
Process: 1588 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
Process: 1576 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
Main PID: 1610 (unbound)
Tasks: 4 (limit: 2290)
CGroup: /system.slice/unbound.service
└─1610 /usr/sbin/unbound -d

Dec 10 12:28:58 u18 systemd[1]: Starting Unbound DNS server...
Dec 10 12:28:59 u18 package-helper[1588]: /var/lib/unbound/root.key has content
Dec 10 12:28:59 u18 package-helper[1588]: success: the anchor is ok
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 0: subnet
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 1: validator
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 2: iterator
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] info: start of service (unbound 1.6.7).
Dec 10 12:28:59 u18 systemd[1]: Started Unbound DNS server.

Testing DNS service

Test if DNS server is responding to DNS queries

dig @127.0.0.1 bbc.com

1st Result: [check the Query time]

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> @127.0.0.1 bbc.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16313
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.com. IN A

;; ANSWER SECTION:
bbc.com. 86400 IN A 151.101.192.81
bbc.com. 86400 IN A 151.101.128.81
bbc.com. 86400 IN A 151.101.0.81
bbc.com. 86400 IN A 151.101.64.81

;; Query time: 971 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 10 07:04:21 UTC 2019
;; MSG SIZE rcvd: 100

2nd Result: [check the Query time, it will be much less or zero because it will be added in the unbound dns cache]

root@u18:/etc/unbound/unbound.conf.d# dig @127.0.0.1 bbc.com

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> @127.0.0.1 bbc.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14171
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.com. IN A

;; ANSWER SECTION:
bbc.com. 86398 IN A 151.101.192.81
bbc.com. 86398 IN A 151.101.128.81
bbc.com. 86398 IN A 151.101.0.81
bbc.com. 86398 IN A 151.101.64.81

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 10 07:04:23 UTC 2019
;; MSG SIZE rcvd: 100

See the difference between 1st & second response which shows that cache is working

 


Enabling LOG File [*recommended for troubleshoot purposes only*]

Create a Log file and assign rights to write logs:

mkdir -p /var/log/unbound
touch /var/log/unbound/unbound.log
# unbound drops privileges to the "unbound" user, so give that user (not everyone) write access
chown -R unbound:unbound /var/log/unbound
chmod 750 /var/log/unbound
chmod 640 /var/log/unbound/unbound.log

Now enable it in the unbound config file & reload/restart UNBOUND service . I have commented it in the configuration file.

An example of viewing logs:

sudo tail -f /var/log/unbound/unbound.log
sudo tail -f /var/log/syslog

UNBOUND.LOG

[1575963664] unbound[1962:3] info: 101.11.11.161 bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: resolving bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: response for bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: reply from  193.0.14.129#53
[1575963664] unbound[1962:3] info: query response was NXDOMAIN ANSWER
[1575963664] unbound[1962:3] info: validate(nxdomain): sec_status_secure
[1575963664] unbound[1962:3] info: validation success bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: 101.11.11.161 bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: resolving bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: response for bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: reply from  199.7.83.42#53
[1575963664] unbound[1962:3] info: query response was NXDOMAIN ANSWER
[1575963664] unbound[1962:3] info: validate(nxdomain): sec_status_secure
[1575963664] unbound[1962:3] info: validation success bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:1] info: 101.11.11.161 bbc.com. A IN
[1575963664] unbound[1962:1] info: resolving bbc.com. A IN
[1575963664] unbound[1962:1] info: resolving bbc.com. DS IN
[1575963664] unbound[1962:1] info: NSEC3s for the referral proved no DS.
[1575963664] unbound[1962:1] info: Verified that unsigned response is INSECURE
[1575963672] unbound[1962:0] info: 101.11.11.161 bbc.com. AAAA IN
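With log-queries enabled, the log above records each client query as "<client> <qname> <qtype> <qclass>" and, at a verbosity that shows the iterator's work, the "query response was ..." outcome on the same worker thread. The Python below is an added example, not from this post or from NLnet Labs: it parses lines in that format and flags clients whose lookups are mostly NXDOMAIN, a cheap indicator of malware doing domain generation or of DNS tunnelling. The sample log is constructed in the same format (one normal client, one client making random names under the reserved .example TLD); tying a response line to the preceding query on the same thread is an assumption about log ordering, and answers served from cache have no response line at all.

```python
"""Added example: parse unbound query logs and flag clients with an abnormal NXDOMAIN rate."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[(?P<pid>\d+):(?P<thread>\d+)\] (?P<level>\w+): (?P<msg>.*)$")
# "<client ip> <qname> <qtype> <qclass>" is how log-queries records an incoming query
QUERY_RE = re.compile(
    r"^(?P<client>\d{1,3}(?:\.\d{1,3}){3}) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$")
RESPONSE_RE = re.compile(r"^query response was (?P<rcode>\S+)")

# Constructed sample in the format shown above: a normal client and one producing random names
SAMPLE_LOG = """\
[1575963664] unbound[1962:3] info: 101.11.11.161 bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: resolving bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: response for bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: reply from  193.0.14.129#53
[1575963664] unbound[1962:3] info: query response was NXDOMAIN ANSWER
[1575963664] unbound[1962:1] info: 101.11.11.161 bbc.com. A IN
[1575963664] unbound[1962:1] info: resolving bbc.com. A IN
[1575963664] unbound[1962:1] info: response for bbc.com. A IN
[1575963664] unbound[1962:1] info: reply from  151.101.0.1#53
[1575963664] unbound[1962:1] info: query response was ANSWER
[1575963701] unbound[1962:0] info: 101.11.11.200 kq8fz2lm.example. A IN
[1575963701] unbound[1962:0] info: query response was NXDOMAIN ANSWER
[1575963702] unbound[1962:0] info: 101.11.11.200 ze01wp9a.example. A IN
[1575963702] unbound[1962:0] info: query response was NXDOMAIN ANSWER
[1575963703] unbound[1962:0] info: 101.11.11.200 m3n7vbrt.example. A IN
[1575963703] unbound[1962:0] info: query response was NXDOMAIN ANSWER
[1575963704] unbound[1962:0] info: 101.11.11.200 x0c4hh2d.example. A IN
[1575963704] unbound[1962:0] info: query response was NXDOMAIN ANSWER
[1575963705] unbound[1962:0] info: 101.11.11.200 p7r1qs6y.example. A IN
[1575963705] unbound[1962:0] info: query response was NXDOMAIN ANSWER
"""


def parse_unbound_log(text):
    """Return one dict per client query. The rcode is taken from the 'query response was ...'
    line that follows on the same worker thread (assumption: a worker logs the lines of one
    query in order before starting the next). Cache hits have no such line and keep rcode=None."""
    events, pending = [], {}          # pending: thread id -> index of the query awaiting its rcode
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        q = QUERY_RE.match(msg)
        if q:
            events.append({"client": q["client"], "qname": q["qname"],
                           "qtype": q["qtype"], "rcode": None})
            pending[thread] = len(events) - 1
            continue
        r = RESPONSE_RE.match(msg)
        if r and thread in pending:
            events[pending.pop(thread)]["rcode"] = r["rcode"]
    return events


def nxdomain_stats(events):
    """{client: (nxdomain_count, total_queries)}"""
    stats = defaultdict(lambda: [0, 0])
    for e in events:
        stats[e["client"]][1] += 1
        if e["rcode"] == "NXDOMAIN":
            stats[e["client"]][0] += 1
    return {client: tuple(v) for client, v in stats.items()}


def suspicious_clients(events, min_queries=5, max_ratio=0.5):
    """Clients with at least min_queries lookups whose NXDOMAIN share exceeds max_ratio."""
    return sorted(client for client, (nx, total) in nxdomain_stats(events).items()
                  if total >= min_queries and nx / total > max_ratio)


if __name__ == "__main__":
    ev = parse_unbound_log(SAMPLE_LOG)
    for client, (nx, total) in nxdomain_stats(ev).items():
        print(f"{client}: {nx}/{total} NXDOMAIN")
    print("suspicious:", suspicious_clients(ev))
```

Against a real file, pass the contents of /var/log/unbound/unbound.log to parse_unbound_log and tune min_queries and max_ratio to your baseline; a handful of NXDOMAINs is normal (typos, search-domain suffixes like the ".agp1" ones above), a client that is almost entirely NXDOMAIN is not.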

# Example of cache export and import:

unbound-control dump_cache > backup
unbound-control load_cache < backup

# Clear one site from cache

unbound-control flush_zone google.com

# View cached DNS contents or count

unbound-control stats

# Count Cache entries

unbound-control dump_cache | wc -l

# Clear DNS Cache

unbound-control flush_zone .

Start UNBOUND in DEBUG mode

unbound -d -vvvv

Query Different DNS server for particular domains

If we want to query particular DNS servers for particular domains, use forward zones as below. Note that a forward-zone for "." turns Unbound into a forwarder for everything: every query is sent in cleartext to that upstream instead of being resolved recursively from the root servers.


# Query bbc.com from 1.1.1.1 dns server
forward-zone:
name: "bbc.com"
forward-addr: 1.1.1.1

# Query google.com from 8.8.4.4 dns server
forward-zone:
name: "google.com"
forward-addr: 8.8.4.4

# Forward all other domains queries to 8.8.8.8
forward-zone:
name: "."
forward-addr: 8.8.8.8

Reload unbound Config

service unbound reload

Check UNBOUND service every minute & restart service if required


#!/bin/bash
# Linux BASH Script to check UNBOUND DNS SRV Status, if service not running, it will start it
# Syed Jahanzaib / 14-SEP-2022
#set -x
HOSTNAME=$(hostname)
DATE=$(date)
TMP=/temp
ROLE="Unbound-DNS-Service"
SRVNAME="unbound"
# Log file, and a temporary file holding the last status output
LOG="/var/log/dns.log"
SRV_STATUS_HOLDER="$TMP/$SRVNAME.srv.status.temp.holder.txt"
touch "$LOG"
if [ ! -d "$TMP" ]; then
    echo "$TMP folder not found, creating it so the status output can be saved there . . ."
    mkdir -p "$TMP"
fi
# Run the check: unbound-control exits non-zero when it cannot reach the daemon at all,
# so test the exit status as well as grepping the output for "stopped"
if unbound-control status > "$SRV_STATUS_HOLDER" 2>&1 && ! grep -q "stopped" "$SRV_STATUS_HOLDER"; then
    echo "$DATE - $HOSTNAME - $SRVNAME ($ROLE) is running OK."
else
    service unbound stop
    service unbound start
    echo "$DATE - $HOSTNAME - $SRVNAME ($ROLE) found stopped. Script has started it manually." | tee -a "$LOG"
fi

Schedule it to run every minute by editing crontab -e

*/1 * * * * /temp/chksrv.sh >/dev/null 2>&1

Securing DNS by Firewall

It is a good idea to allow only related ports to your unbound box from trusted/local sources only, and deny all other traffic.

mkdir /temp
touch /temp/fw.sh
chmod +x /temp/fw.sh
nano /temp/fw.sh

& paste following


#!/bin/sh
# ------------------------------------
# Syed Jahanzaib / aacable@hotmail.com
# https://aacable.wordpress.com
# Created: January, 2011
# Last Modified: 7th Jan, 2017
# Last Modified: 19th-SEP-2021 [for GT/KH]
# ------------------------------------

# MODIFY THIS NAME IF REQUIRED
ALLOWED_IP_LIST=/temp/allowed_ip_list.txt

###################################
### do not modify below this line ###
###################################

## Setting default filter policy, Use it with CARE / zaib
# Clear old firewall
clear
echo "1- Clearing existing firewall rules, and allow all traffic for the time being ..."
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -F
iptables -X

# LOG everything, not recommended as it can put load on storage, make sure to do proper log rotation if its required
#iptables -A INPUT -j LOG
# Replies to connections this box opened itself (recursion to root/authoritative servers, NTP, apt)
# come back as ESTABLISHED/RELATED, so they need no per-port rule
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP echo request (ping) in; the echo reply leaves under the OUTPUT ACCEPT policy
echo "2- Allowing ICMP packet rules ..."
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo "3- Enforcing Firewalling, allowing only DNS (53 tcp/udp) and SSH (22 tcp) from the IP pool below ..."
echo "ALLOWED IP POOL  ... "
cat "$ALLOWED_IP_LIST"
echo "..."
for x in $(cat "$ALLOWED_IP_LIST")
do
    # DNS over UDP and TCP, plus SSH, from each trusted range; the OUTPUT chain stays at ACCEPT
    iptables -A INPUT -s "$x" -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -s "$x" -p tcp --match multiport --dports 22,53 -j ACCEPT
    # Allow a single IP Address to access port 53, if needed
    # iptables -A INPUT -s 1.2.3.4 -p tcp --dport 53 -j ACCEPT
done
###################################
## Drop Everything else, use it at your own risk.
###################################
iptables -A INPUT -j DROP
# script ends here

echo "
Done"

Save & Exit.

Now create a IP pool file in which you will add trusted/local lan/wan ip’s

touch /temp/allowed_ip_list.txt
nano /temp/allowed_ip_list.txt

& add the lan ip’s

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Save & Exit, then run the firewall script and confirm that UNBOUND is still answering from a trusted address:

/temp/fw.sh
unbound-control status
#service unbound status

Don't forget to add /temp/fw.sh to /etc/rc.local (before the exit 0 line) so that the firewall is applied on every system reboot.


Clearing Firewall

To clear firewall you can use following CMD or make a bash file for convenience.

mkdir /temp
touch /temp/clear_fw.sh
chmod +x /temp/clear_fw.sh
nano /temp/clear_fw.sh

& paste following

#!/bin/sh
# ------------------------------------
# Syed Jahanzaib / aacable@hotmail.com
# https://aacable.wordpress.com
# Created: January, 2011
# Last Modified: 7th Jan, 2017
# Last Modified: 27th-Aug-2021 [for galaxy tech khi/pk]
# ------------------------------------
## Setting default filter policy, Use it with CARE / zaib
# Clear old firewall
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -F
iptables -X

Save & Exit.

To execute either script, use:

  • /temp/fw.sh (apply the firewall)
  • /temp/clear_fw.sh (clear it again)

Regard’s
Syed Jahanzaib

 

December 5, 2019

Intervlan Routing with Mikrotik DHCP Option 121 & 249

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 12:18 PM

network.jpg

Disclaimer! This is important!

My humble request is that you kindly do not consider me an expert on this stuff. I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However, I have worked with some core networks and I read, research & try stuff all of the time. When you are enslaved by a private job & working as a one man army, you have to perform many tasks for which you are not formally trained. So I am not speaking/posting about stuff I am formally trained in; I pretty much go with experience and what I have learned on my own. And if I don't know something, then I read & learn all about it.

So, please don't hold me/my postings to be always 100 percent correct. I make mistakes just like everybody else. However, I do my best, learn from my mistakes and try to help others.


This post is a sequel of Prevent Mikrotik from Chocking with Cisco Inter-Vlan Routing

If you are running Mikrotik DHCP along with VLANs and you want the benefit of inter-VLAN routing, i.e. local traffic (same network but different subnets/VLANs) routed at switch level instead of hitting the Mikrotik, there are two options. The first is to provide static routes for each VLAN, which becomes useless if you are using PPPoE: as soon as a client connects with PPPoE, the PPPoE link gets preference over the existing default gateway, so all traffic, even the local traffic, passes via the Mikrotik, resulting in excessive usage of its resources. This was discussed in detail here.

A far better solution is to give DHCP users no default route at all and instead assign them CLASSLESS STATIC ROUTES for the local resources via DHCP options, either from the Cisco or the Mikrotik DHCP server. A classless static route adds the specified route to the client's routing table.

In this post we will discuss only about Mikrotik DHCP option 121/249.

  • 121 – Generally used for devices / Linux / Mikrotik etc. Option 121 is the RFC 3442 *standard*. However, note that DHCP Option 121 is ignored by Windows DHCP clients prior to Windows Vista.
  • 249 – It is the pre-standard Microsoft implemented option for Classless Static Routes (CSRs). It was eventually standardized as option 121. I think 249 is for microsoft only.

Personal Note: Don't use both. I think this causes routes to be ignored. If you need to support both older and newer OS, use option 249.

Scenario:

We assume you have working DHCP for each vlan under Mikrotik.

  • Mikrotik interface VLAN-x IP : 192.168.100.1/24
  • Cisco switch Vlan-x IP : 192.168.100.2/24
  • Mikrotik DHCP assignment for VLAN-x: 192.168.100.10 – 192.168.100.254 [no dns, no gateway]
  • Local sharing servers: We have some sharing servers on different subnet on local switch port: 101.0.0.0/8

Now what we want is that our DHCP LAN clients in 192.168.100.0/24 can reach 101.0.0.0/8 directly via the switch's inter-VLAN routing [via the switch VLAN interface 192.168.100.2]. To achieve this we will hand out classless static routes using DHCP options.

Side Note: It strikes me that you have to use classful routes in the Classless Static Routes DHCP Option for older version of windows like XP/2000.


Step # 1

To hand classless routes to clients from the Mikrotik DHCP server, the option with code 121/249 is used. First we need to convert the routes into the option's HEX encoding. If you are a beginner you can simply get the ready-made code using this site.

https://ip-pro.eu/en/mikrotik_dhcp_option_121_generator

Enter the details as per your local network scheme

For single Subnet:

dhcp option hex code via web site.PNG

For multiple Subnet:

You can click ADD NEW ROW to add multiple subnets and gateways and get a combined HEX value.

multiple subnet routes in single line.PNG

Or try

https://billing-beta.galaxy.net.pk/public/option121/


Step # 2

Now we got the HEX value & we can use it in mikrotik dhcp option 121-249 .

  • Goto IP / DHCP / OPTIONS / + Add new

dhcp options for 121-249.PNG

Note: Make two entries, one for 121 & second for 249. As shown above !

Step # 3

Now we will add the above option in OPTION SETS , we can include multiple options in the OPTION SETS window

  • Goto IP / DHCP / OPTION SETS / + Add new

dhcp options set 2.PNG

Step # 4

Now go to IP / DHCP / double click the required DHCP server & under DHCP OPTION SETS, select the option set we created in Step # 3
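The hex string the web generators produce is just the RFC 3442 encoding, which is short enough to do yourself. The Python below is an added example, not from this post or from any of the linked generators: it encodes a list of (destination, gateway) routes into the option value, decodes a value back so one generated elsewhere can be checked before it is pushed, and prints the RouterOS commands for codes 121 and 249. The option names "classless-121"/"classless-249" are arbitrary; the routes are the ones from this post's scenario and route tables.

```python
"""Added example: RFC 3442 classless static route encoding for DHCP option 121 / 249."""
import ipaddress


def encode_classless_routes(routes):
    """routes: list of (destination CIDR, gateway). Each route is encoded as
    <prefix length><only the significant destination octets><4-byte gateway>."""
    out = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # strict: reject host bits set
        nbytes = (net.prefixlen + 7) // 8                 # /8 -> 1 octet, /24 -> 3, /32 -> 4, /0 -> 0
        out.append(net.prefixlen)
        out += net.network_address.packed[:nbytes]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes; raises on truncated data."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        nbytes = (plen + 7) // 8
        if plen > 32 or i + nbytes + 4 > len(data):
            raise ValueError("malformed or truncated option data")
        dest = data[i:i + nbytes].ljust(4, b"\x00")      # pad the missing low octets with zeros
        i += nbytes
        gateway = data[i:i + 4]
        i += 4
        routes.append((str(ipaddress.IPv4Network((dest, plen))),
                       str(ipaddress.IPv4Address(gateway))))
    return routes


def routeros_option_commands(routes, name="classless"):
    """CLI equivalent of IP / DHCP / Options / + (RouterOS takes raw hex values prefixed with 0x)."""
    value = "0x" + encode_classless_routes(routes).hex()
    return [f"/ip dhcp-server option add name={name}-121 code=121 value={value}",
            f"/ip dhcp-server option add name={name}-249 code=249 value={value}"]


if __name__ == "__main__":
    single = [("101.0.0.0/8", "192.168.100.2")]
    multi = [("10.0.0.0/8", "192.168.100.1"),
             ("172.16.10.0/24", "192.168.100.1"),
             ("221.132.112.8/32", "192.168.100.1")]
    print(encode_classless_routes(single).hex())
    for cmd in routeros_option_commands(multi):
        print(cmd)
    print(decode_classless_routes(encode_classless_routes(multi)))
```

RFC 3442 also requires a client that receives option 121 to ignore the Router option (3) from the same lease, which is exactly why the post hands out no default gateway to these clients: any default route you still want has to go into the list as 0.0.0.0/0, which the encoder handles as a zero prefix length with no destination octets.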


Testing …

At client end, renew the IP and you will get all the routes you configured in above steps.

For single Subnet entry:

===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
101.0.0.0 255.0.0.0 192.168.100.2 192.168.100.254 11 ***************
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.100.0 255.255.255.0 On-link 192.168.100.254 266
192.168.100.254 255.255.255.255 On-link 192.168.100.254 266
192.168.100.255 255.255.255.255 On-link 192.168.100.254 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.100.254 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.100.254 266
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

For Multiple Subnet entry:

===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
10.0.0.0 255.0.0.0 192.168.100.1 192.168.100.254 11 ***************
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.16.10.0 255.255.255.0 192.168.100.1 192.168.100.254 11 ***************
192.168.100.0 255.255.255.0 On-link 192.168.100.254 266
192.168.100.254 255.255.255.255 On-link 192.168.100.254 266
192.168.100.255 255.255.255.255 On-link 192.168.100.254 266
221.132.112.8 255.255.255.255 192.168.100.1 192.168.100.254 11 ***************
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.100.254 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.100.254 266
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

Regards
Syed Jahanzaib

December 3, 2019

Cisco Switch: Upgrading Firmwares & Recovering from Failed ones !

Filed under: Cisco Related — Tags: , , , , , , , , — Syed Jahanzaib / Pinochio~:) @ 9:56 AM

If it ain’t broke, don’t fix it ! So true 🙂 Z@ib


advise on upgrade of switch fw.PNG


Quick notes for myself: Disclaimer! This is important!

My humble request is that you kindly do not consider me an expert on this stuff; I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read, research & try stuff all of the time. When you are enslaved by a private job & working as a one man army, you have to perform many tasks in which you are not formally trained. So I am not speaking/posting about stuff I am formally trained in; I pretty much go with experience and what I have learned on my own. And, if I don’t know something, then I read & learn all about it.

So, please don’t hold me/my postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and try to help others.

Maybe this post will help some other novice like me

Regards
Syed Jahanzaib


WS-C3650-48PD

Fortunately this model has a nice GUI which supports easy firmware upgrades, so I used it to upgrade to the latest stable build, Fuji 16.9.4.

365048pdl fw upgrade.PNG


SG300-28PP/SG500-52PP

This model also has a nice GUI which supports easy firmware upgrades, so I used it to upgrade to the latest stable build from:

https://www.cisco.com/c/en/us/support/switches/sg500-52-52-port-gigabit-stackable-managed-switch/model.html#~tab-downloads

sg300-500.PNG


3750X-48T-S


WS-C3750E-24TD

OLD version:

WS-C3750E-24TD     12.2(40)SE

3750 fw old.PNG

Steps for Upgrade:

First set up a new TFTP server or use an existing one, and download the new firmware from

https://software.cisco.com/download/home/280831016/type/280805680/release/15.0.2-SE11?i=!pp

& copy the firmware file (.BIN format) into the TFTP root folder. Now from the switch console, copy the file from TFTP into the switch FLASH:

copy tftp: flash:

It will ask for the TFTP server IP and the source/destination file names; fill them in as per your local scenario:

>Address or name of remote host? <IP_ADDRESS_OF_TFTP_SERVER>
>source filename? <IMAGE_NAME.bin>
>Destination filename? <IMAGE_NAME.bin>
conf t
boot system flash:<IMAGE_NAME.bin>
exit
wr
reload

After this the switch will reboot and come up on the new firmware.

New version:

Release 15.0.2-SE11 MD

3750 fw new.PNG



WS-C3850-24T

Notes:

With this model, I encountered a few issues while upgrading the 3850 switch.

  • Gibraltar 16.12.1 ED : 3850 / Switch was rebooting in a loop with the following error

Kernel panic – not syncing: VFS: Unable to mount root fs on unknown-block(1,0)

  • Fuji 16.9.4 MD : 3850 / Switch port orange light issue

With this upgrade the switch booted, but all port lights turned amber.

  • Denali 16.3.9 MD : 3850 / Well tested, worked OK

Therefore I reverted back to Denali 16.3.9, which worked fine & stable.

Steps for Upgrade:

First set up a new TFTP server or use an existing one, download the new firmware from

https://www.cisco.com/c/en/us/support/switches/catalyst-3850-24t-s-switch/model.html#~tab-downloads

copy tftp: flash:
>Address or name of remote host? <IP_ADDRESS_OF_TFTP_SERVER>
>source filename? <IMAGE_NAME.bin>
>Destination filename? <IMAGE_NAME.bin>
software install file flash:cat3k_caa-universalk9.16.03.09.SPA.bin new force verbose

After this the switch will ask to reload; do so to apply the changes.
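In both the 3750E and 3850 procedures above (and in the TFTP recovery later in this post) the image is copied from the TFTP root and then booted or installed. Before it gets that far, it is worth confirming that the download is complete and matches the MD5 checksum Cisco publishes on the download page: a truncated or altered image is the one thing you do not want to discover after `reload`. The Python below is an added example, not part of the author's procedure; the expected checksum is a placeholder to be replaced with the value from the download page, and the image file used in `demo()` is constructed inline. It also produces the IOS `verify /md5` command for re-checking the copy once it sits in flash.

```python
"""Pre-flight integrity check for an IOS image before serving it over TFTP.

Added example, not the author's procedure. EXPECTED_MD5_FROM_DOWNLOAD_PAGE is a
placeholder; the image in demo() is a constructed stand-in, not a real file."""
import hashlib
import os
import tempfile

# Placeholder: paste the MD5 shown on the Cisco download page for the image.
EXPECTED_MD5_FROM_DOWNLOAD_PAGE = "<paste-md5-from-download-page>"


def file_digest(path, algo="md5", chunk=1 << 20):
    """Stream the file through hashlib so a multi-hundred-MB image is fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_image(path, expected_md5, expected_size=None):
    """Return (ok, reasons).

    The size check catches a truncated transfer cheaply; the hash check catches
    both corruption and a file that is not the one the publisher released."""
    reasons = []
    size = os.path.getsize(path)
    if expected_size is not None and size != expected_size:
        reasons.append(f"size {size} != expected {expected_size}")
    actual = file_digest(path, "md5")
    if actual.lower() != expected_md5.lower():
        reasons.append(f"md5 {actual} != expected {expected_md5}")
    return (not reasons, reasons)


def ios_verify_command(image_name, expected_md5):
    """IOS privileged-EXEC command to re-verify the copy in flash before
    pointing 'boot system' (or 'software install') at it."""
    return f"verify /md5 flash:{image_name} {expected_md5}"


def demo():
    """Constructed demonstration: one intact image, one truncated copy."""
    with tempfile.TemporaryDirectory() as root:
        data = b"CONSTRUCTED-IMAGE-NOT-A-REAL-IOS-BINARY\n" * 1024
        good = os.path.join(root, "IMAGE_NAME.bin")
        with open(good, "wb") as f:
            f.write(data)
        expected = hashlib.md5(data).hexdigest()  # stands in for the published MD5

        truncated = os.path.join(root, "IMAGE_NAME_truncated.bin")
        with open(truncated, "wb") as f:
            f.write(data[:-100])  # simulate an interrupted download

        good_ok, _ = check_image(good, expected, len(data))
        bad_ok, reasons = check_image(truncated, expected, len(data))
        return good_ok, bad_ok, len(reasons)


if __name__ == "__main__":
    print(demo())  # (True, False, 2): intact passes, truncated fails size and hash
    print(ios_verify_command("cat3k_caa-universalk9.16.03.09.SPA.bin",
                             EXPECTED_MD5_FROM_DOWNLOAD_PAGE))
```

Run `check_image()` against the file in the TFTP root with the published MD5 (and, if the page lists it, the byte size); only copy to the switch when it returns `ok`, then run the printed `verify /md5` command on the switch itself, since the TFTP copy is a second transfer that can fail the same way.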

New version:

16.3.9

3850 new ver.PNG


Recovering from IOS FAILED upgrade on 3850 Switch

After the Gibraltar firmware upgrade, the 3850 switch went into a reboot loop.

Kernel panic – not syncing: VFS: Unable to mount root fs on unknown-block(1,0)

More info on this issue is mentioned here @ https://community.cisco.com/t5/switching/catalyst-c3850-gibraltar-16-12-1-ed/td-p/3907723

After entering recovery mode, I made the situation worse by deleting some flash files. This is how I recovered from this situation.

From the switch management port, connect a cable directly to your laptop/desktop & assign any private IP on the system, like 192.168.99.1/24. Install any free TFTP server like SOLARWINDS TFTP Server and copy the stable firmware, like Denali 16.3.9, into the TFTP root folder:

cat3k_caa-universalk9.16.03.09.SPA.bin

Now using any terminal tool like PuTTY, connected to the switch via the CONSOLE port, press the MODE button while booting to enter RECOVERY mode, & issue the following commands:

  • flash_init
  • mgmt_init
  • set IP_ADDR 192.168.99.2/255.255.255.0
  • set default_router 192.168.99.1
  • emergency-install tftp://192.168.99.1/cat3k_caa-universalk9.16.03.09.SPA.bin

There was another easy method, by connecting a USB stick to the USB port of the switch, but since the switch may not recognize most modern USB sticks, I had to take the long route of TFTP.

To read more details, refer to the following post:

http://blog.unolution.com/networking/how-to-recover-a-cisco-switch-3560x-3750x-from-boot-loader/


Regards
Syed Jahanzaib
