CHAPTER 6: ACL AND EXAMPLES


DOCUMENT INFORMATION

Basic information

Format
Pages 18
Size 286.57 KB

Contents

Access Control Lists (ACL)

- ACL: packet filtering rules (stateless)
- Based on the layer 2, 3 and 4 headers
- The rules are passed from first to last; once a rule matches, the rest are skipped
- Choosing the interface to which the ACL is attached:
  - Inbound interface – no need to route packets that will be dropped
  - Outbound interface – uniform processing regardless of packet source
- Closing rule:
  - Drop all – implicit; what is not allowed is denied
  - Let all through – can be set manually, atypical
- It is always necessary to allow the backward direction (SRC↔DST) as well!

ACL building

When creating an ACL, we have to answer these questions first:
- Filter on the in-going or the out-going way from/to the router?
- Which router interface is optimal?
- What protocols will be allowed, from where to where, and what are their port numbers?
- Is it better to deny something and allow the rest, or the opposite?

ACL – example 1: Deny all traffic which is not addressed to the ISP proxy server 40.0.0.1

Out-going direction
  Order  Allow/deny  Protocol  Source IP  Source port  Destination IP  Destination port
  1      allow       IP        *          *            40.0.0.1        *
  2      deny        IP        *          *            *               *

In-going direction
  Order  Allow/deny  Protocol  Source IP  Source port  Destination IP  Destination port
  1      allow       IP        40.0.0.1   *            *               *
  2      deny        IP        *          *            *               *

ACL – example 2: Allow DNS and HTTP(S) protocols to the Internet

Out-going direction
  Order  Allow/deny  Protocol  Source IP  Source port  Destination IP  Destination port
  1      allow       UDP       *          *            *               53
  2      allow       TCP       *          *            *               53
  3      allow       TCP       *          *            *               80
  4      allow       TCP       *          *            *               443
  5      deny        IP        *          *            *               *

In-going direction
  Order  Allow/deny  Protocol  Source IP  Source port  Destination IP  Destination port
  1      allow       UDP       *          53           *               *
  2      allow       TCP       *          53           *               *
  3      allow       TCP       *          80           *               *
  4      allow       TCP       *          443          *               *
  5      deny        IP        *          *            *               *

Defining ACL entries (Cisco)

  access-list <number> {permit|deny} <protocol> <source> [<source port>] <destination> [<destination port>] [protocol dependent parameters]

- Addresses are written as IP address + wildcard mask. The wildcard mask says which address bits are compared and which are ignored: 0 = compare, 1 = ignore ("inverse subnet mask").
- TCP, UDP port: {eq|gt|lt} <port>
- Protocol dependent parameters:
  - ICMP message types (echo, echo-reply, …)
  - The TCP session has to be already established (established)
- Syntax shortcuts:
  - any = IP address with wildcard mask 255.255.255.255 (* in the tables above)
  - host X.X.X.X = IP address X.X.X.X with wildcard mask 0.0.0.0
- Example: permit tcp host 158.196.100.100 any eq 80

Sticking an ACL to an interface

  interface <name>
   ip access-group <number> {in|out}

- The ACL is assigned to a particular interface by its identification number
- in – filters the traffic coming to the interface (entering the router)
- out – filters the traffic going from the interface (leaving the router)

ACL – example 1: Deny all traffic which is not addressed to the ISP proxy server 40.0.0.1

Out-going direction
  access-list 101 permit ip any host 40.0.0.1
  interface e0
   ip access-group 101 in

In-going direction
  access-list 102 permit ip host 40.0.0.1 any
  interface e0
   ip access-group 102 out

ACL – example 2: Allow DNS and HTTP(S) protocols to the Internet

Out-going direction
  access-list 103 permit udp any any eq 53
  access-list 103 permit tcp any any eq 53
  access-list 103 permit tcp any any eq 80
  access-list 103 permit tcp any any eq 443

In-going direction
  access-list 104 permit udp any eq 53 any
  access-list 104 permit tcp any eq 53 any established
  access-list 104 permit tcp any eq 80 any established
  access-list 104 permit tcp any eq 443 any established

ACL – example 3: Deny ICMP traffic for network 10.0.20.0/24 except the use of the ping command towards the public network

Out-going direction
  access-list 105 permit icmp 10.0.20.0 0.0.0.255 any echo
  access-list 105 deny icmp 10.0.20.0 0.0.0.255 any
  access-list 105 permit ip any any

In-going direction
  access-list 106 permit icmp any 10.0.20.0 0.0.0.255 echo-reply
  access-list 106 deny icmp any 10.0.20.0 0.0.0.255
  access-list 106 permit ip any any

ACL – example 4: Allow access from outside to the POP3 servers in network 100.10.20.40/30 and to the SMTP server 100.10.20.45

Out-going direction
  access-list 107 permit tcp 100.10.20.40 0.0.0.3 eq 110 any established
  access-list 107 permit tcp host 100.10.20.45 eq 25 any established
  access-list 107 permit tcp host 100.10.20.45 any eq 25
  (rules allowing access to DNS servers should follow)

In-going direction
  access-list 108 permit tcp any 100.10.20.40 0.0.0.3 eq 110
  access-list 108 permit tcp any host 100.10.20.45 eq 25
  access-list 108 permit tcp any eq 25 host 100.10.20.45 established
  (rules allowing access to DNS servers should follow)

ACL – example 5+6: Prevent packets of the private network 192.168.0.0/16 from leaving it; prevent faked packets with source addresses from network 192.168.0.0/16 from entering the private network from the outside (antispoofing filter)

(Just) out-going direction
  access-list 109 deny ip 192.168.0.0 0.0.255.255 any
  access-list 109 permit ip any any

(Just) in-going direction
  access-list 110 deny ip 192.168.0.0 0.0.255.255 any
  access-list 110 permit ip any any
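The access-list lines above are Cisco IOS configuration and cannot be executed on their own, so here is an added example in Python (not from the slides) that parses that syntax and evaluates constructed packets against it. It shows the points the slides make: wildcard-mask matching (0 = compare, 1 = ignore), first match wins, the implicit "deny all" closing rule, ICMP message types, and the established keyword. Names such as Packet, Entry, parse_acls and evaluate are this example's own; it handles only the syntax subset the slides use (any/host/wildcard addresses, eq <port>, echo/echo-reply, established), and the address range 198.51.100.0/24 used in the sample packets is a constructed stand-in for "the Internet".

```python
# Added example (not from the original slides): an evaluator for the Cisco-style
# numbered ACL syntax shown above. It demonstrates wildcard-mask matching
# (0 = compare, 1 = ignore), first-match-wins ordering, the implicit "deny all"
# closing rule, ICMP message types and the "established" keyword, for the
# syntax subset used on the slides (any/host/wildcard, "eq <port>", options).
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    def to_int(ip):
        return int.from_bytes(bytes(int(x) for x in ip.split(".")), "big")
    compare = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & compare) == (to_int(base) & compare)

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    ack: bool = False               # TCP ACK (or RST) flag present

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: tuple                      # (base address, wildcard mask)
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    icmp_type: Optional[str]
    established: bool

def _addr(t, i):
    """Consume 'any', 'host X' or 'X WILDCARD'; return ((base, wildcard), next index)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _port(t, i):
    """Consume an optional 'eq <port>' (gt/lt are not handled here)."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_entry(line):
    """Parse 'access-list <n> {permit|deny} <proto> <src> [eq p] <dst> [eq p] [options]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    opts = t[i:]
    icmp_type = next((o for o in opts if o in ("echo", "echo-reply")), None)
    return Entry(t[2], t[3], src, sport, dst, dport, icmp_type, "established" in opts)

def parse_acls(text):
    """Group access-list lines by ACL number, preserving their order."""
    acls = {}
    for line in text.strip().splitlines():
        acls.setdefault(int(line.split()[1]), []).append(parse_entry(line))
    return acls

def entry_matches(e, p):
    return (e.proto in ("ip", p.proto)
            and wildcard_match(p.src, *e.src)
            and wildcard_match(p.dst, *e.dst)
            and (e.sport is None or p.sport == e.sport)
            and (e.dport is None or p.dport == e.dport)
            and (e.icmp_type is None or p.icmp_type == e.icmp_type)
            and (not e.established or p.ack))    # stateless: only the flag is seen

def evaluate(acl, p):
    """Walk the entries top-down; first match wins, no match is the implicit deny."""
    for n, e in enumerate(acl, 1):
        if entry_matches(e, p):
            return e.action, n
    return "deny", None

# Copied from the slides: ACL 104 (example 2), 105 (example 3) and 110 (example 6).
ACLS = parse_acls("""
access-list 104 permit udp any eq 53 any
access-list 104 permit tcp any eq 53 any established
access-list 104 permit tcp any eq 80 any established
access-list 104 permit tcp any eq 443 any established
access-list 105 permit icmp 10.0.20.0 0.0.0.255 any echo
access-list 105 deny icmp 10.0.20.0 0.0.0.255 any
access-list 105 permit ip any any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip any any
""")
```

Two things become visible when running packets through evaluate(). ACL 104 has no closing entry, yet a returning HTTPS packet without the ACK flag gets ("deny", None): the implicit drop-all applies to everything the list does not mention. And established is the reason the slides call ACLs stateless: the router only checks for an ACK or RST flag in the packet, not a table of open connections, so the keyword is a per-packet flag test rather than real connection tracking.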

Posted on: 22/02/2019, 08:32
