19.1. 基於源或者目的地址過濾
提問 阻止來自某地址或者發送至某地址的數據包
回答
使用標準控制列表來阻止特定源地址的數據包
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 50 deny host 10.2.2.2
Router1(config)#access-list 50 permit any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 50 in
Router1(config-if)#exit
Router1(config)#end
Router1#
使用擴展控制列表來阻止特定源地址和目的地址的數據包
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 150 deny ip host 10.2.2.2 host 172.25.25.1
Router1(config)#access-list 150 permit ip any any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in
Router1(config-if)#exit
Router1(config)#end
Router1#
註釋
19.2. 給ACL添加註釋
提問 給控制列表添加註釋方便閱讀
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 50 remark Authorizing thy trespass with compare Router1(config)#access-list 50 deny host 10.2.2.2
Router1(config)#access-list 50 permit 10.2.2.0 0.0.0.255
Router1(config)#access-list 50 permit any
Router1(config)#end
Router1#
或者
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list standard TESTACL
Router2(config-std-nacl)#remark Authorizing thy trespass with compare
Router2(config-std-nacl)#deny host 10.2.2.2
Router2(config-std-nacl)#permit 10.2.2.0 0.0.0.255
Router2(config-std-nacl)#permit any
Router2(config-std-nacl)#end
Router2#
註釋 在show access list命令中是看不到註釋的
19.3. 基於應用過濾
提問 根據不同的應用來進行過濾
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 151 permit tcp any any eq www
Router1(config)#access-list 151 deny tcp any any gt 1023
Router1(config)#access-list 151 permit icmp any any
Router1(config)#access-list 151 permit udp any any eq ntp
Router1(config)#access-list 151 deny ip any any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 151 in
Router1(config-if)#exit
Router1(config)#end
Router1#
註釋 無
19.4. 基於TCP頭標籤過濾
提問 根據TCP頭字段中的標籤位進行過濾
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 161 deny tcp any any ack fin psh rst syn urg
Router1(config)#access-list 161 deny tcp any any rst syn
Router1(config)#access-list 161 deny tcp any any rst syn fin
Router1(config)#access-list 161 deny tcp any any rst syn fin ack
Router1(config)#access-list 161 deny tcp any any syn fin
Router1(config)#access-list 161 deny tcp any any syn fin ack
Router1(config)#end
Router1#
從12.3(4)T以後開始啓用新的命令格式
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended TCPFLAGFILTER
Router2(config-ext-nacl)#deny tcp any any match-all +ack +fin +psh +rst +syn +urg
Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn
Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn +fin
Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn +fin +ack
Router2(config-ext-nacl)#deny tcp any any match-all +syn +fin
Router2(config-ext-nacl)#deny tcp any any match-all +syn +fin +ack
Router2(config-ext-nacl)#end
Router2#
註釋 TCP頭字段中有六種標籤位設置ACK,SYN,FIN,RST,PSH和URG。在新的命令格式中引入了match-all和match-any兩個關鍵詞,match-any和傳統過濾方式一致,只關心特定標誌位設置而不管其他標誌位設置,match-all必須符合特定的標誌位設置。
19.5. 限制TCP會話的方向
提問 過濾TCP會話 只允許客戶端發起應用
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 148 permit tcp any eq telnet any established
Router1(config)#access-list 148 deny ip any any
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip access-group 148 in
Router1(config-if)#exit
Router1(config)#end
Router1#
註釋
19.6. 基於多端口應用的過濾
提問 過濾某些開啓多端口的應用
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 152 permit tcp any any eq ftp
Router1(config)#access-list 152 permit tcp any any eq ftp-data established
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip access-group 152 in
Router1(config-if)#exit
Router1(config)#end
Router1#
註釋 對於其他多端口的可以使用下面的格式
Router1(config)#access-list 154 permit udp any any range 6000 6063
Router1(config)#access-list 155 deny udp any any gt 1023
Router1(config)#access-list 156 permit udp any any lt 1024
Router1(config)#access-list 157 permit udp any any neq 666
19.7. 基於DSCP和TOS的過濾
提問 根據IP服務質量信息進行過濾
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 162 permit ip any any dscp af11
Router1(config)#end
或者
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 162 permit ip any any tos max-reliability
Router1(config)#end
註釋
19.8. 記錄觸發的控制列表
提問 記錄觸發控制列表的包信息
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 150 permit ip any any log
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in
Router1(config-if)#exit
Router1(config)#end
Router1#
更詳細點的信息
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 150 permit tcp any any log-input
Router1(config)#access-list 150 permit ip any any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in
Router1(config-if)#exit
Router1(config)#end
Router1#
註釋 第一個例子的日誌信息
Feb 6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets
Feb 6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets
第二個例子的日誌信息
Feb 6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet
注意的是log-input參數只能適應於擴展控制列表
19.9. 記錄TCP會話
提問 記錄TCP會話數目
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 122 permit tcp any any eq telnet established
Router1(config)#access-list 122 permit tcp any any eq telnet
Router1(config)#access-list 122 permit ip any any
Router1(config)#interface Serial0/0
Router1(config-if)#ip access-group 122 in
Router1(config-if)#exit
Router1(config)#end
Router1#
或者
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 121 permit tcp any any eq telnet syn
Router1(config)#access-list 121 permit tcp any any eq telnet
Router1(config)#access-list 121 permit ip any any
Router1(config)#interface Serial0/0
Router1(config-if)#ip access-group 121 in
Router1(config-if)#exit
Router1(config)#end
Router1#
註釋 對於第一個例子
Router1#show access-list 122
Extended IP access list 122
permit tcp any any eq telnet established (3843 matches)
permit tcp any any eq telnet (6 matches)
permit ip any any (31937 matches)
Router1#
從輸出可以看到總共有六個Telnet會話通過接口,3,843 + 6 = 3,849 個Telnet數據包
19.10. 分析ACL日誌條目
註釋 使用腳本來分析生成的ACL日誌,暫略
19.11. 使用命名和單反控制列表
提問 在命名控制列表中使用一個單反控制列表
回答
一個基本的命名控制列表類似數字控制列表
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip access-list standard STANDARD-ACL
Router1(config-std-nacl)#remark This is a standard ACL
Router1(config-std-nacl)#permit any log
Router1(config-std-nacl)#exit
Router1(config)#ip access-list extended EXTENDED-ACL
Router1(config-ext-nacl)#remark This is an extended ACL
Router1(config-ext-nacl)#deny tcp any any eq www
Router1(config-ext-nacl)#permit ip any any log
Router1(config-ext-nacl)#exit
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group STANDARD-ACL in
Router1(config-if)#exit
Router1(config)#end
Router1#
下面是在其中內嵌單反控制列表來允許單反向的Ping
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip access-list extended PING-OUT
Router1(config-ext-nacl)#permit icmp any any reflect ICMP-REFLECT timeout 15
Router1(config-ext-nacl)#permit ip any any
Router1(config-ext-nacl)#exit
Router1(config)#ip access-list extended PING-IN
Router1(config-ext-nacl)#evaluate ICMP-REFLECT
Router1(config-ext-nacl)#deny icmp any any log
Router1(config-ext-nacl)#permit ip any any
Router1(config-ext-nacl)#exit
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group PING-OUT out
Router1(config-if)#ip access-group PING-IN in
Router1(config-if)#end
Router1#
註釋 在例子中單反控制列表可以對返回的ICMP Response進行控制
19.12. 處理被動模式FTP
提問 對被動模式的FTP來進行區分
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 144 permit tcp any gt 1023 any eq ftp
Router1(config)#access-list 144 permit tcp any gt 1023 any gt 1023
Router1(config)#access-list 144 deny ip any any
Router1(config)#interface Serial0/0.1
Router1(config-subif)#ip access-group 144 in
Router1(config-subif)#exit
Router1(config)#end
Router1#
註釋 被動模式下的FTP,客戶端會再對服務器發送一個高於1024端口的鏈接,所以對於此類會話必須開啓所有高於1024的端口,例子中的配置雖然能夠解決此問題,但是減少了安全性,在以後的章節會介紹更有效的處理方式
19.13. 使用基於時間的控制列表
提問 對應用基於時間段進行控制
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#time-range NOSURF
Router1(config-time-range)# periodic weekdays 9:00 to 17:00
Router1(config-time-range)#exit
Router1(config)#ip access-list extended NOSURFING
Router1(config-ext-nacl)# deny tcp any any eq www time-range NOSURF
Router1(config-ext-nacl)# permit ip any any
Router1(config-ext-nacl)#exit
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip access-group NOSURFING in
Router1(config-if)#end
Router1#
註釋 在時間段的配置上你可以配置多個periodic,
19.14. 基於非連續端口的過濾
提問 配置一種高效的非連續端口的過濾
回答
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 80 23 25 110 514 21
Router2(config-ext-nacl)#end
Router2#
註釋 通常對於連續端口的過濾可以使用permit tcp any any range 20 25此類的命令,而對於非連續端口的過濾則要使用多個類似permit tcp any host 172.25.100.100 eq 80 的命令,自從12.3(7)T以後則可以使用上例中的配置方式來進行簡化。
19.15. 控制列表編輯
提問 直接對控制列表進行編輯
回答
插入一個條目至現有的控制列表中
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#12 permit tcp any host 172.25.100.100 eq 20
Router2(config-ext-nacl)#end
Router2#
重新對控制列表序列號進行調整
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list resequence OREILLY 10 10
Router2(config)#end
Router2#
刪除特定的控制列表條目
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#no 60
Router2(config-ext-nacl)#end
Router2#
註釋 從12.3(2)T以後路由器增加了對控制列表條目序列號的支持,缺省10遞增,這樣可以方便對控制列表進行編輯
Router2#show ip access-lists OREILLY
Extended IP access list OREILLY
10 permit tcp any host 172.25.100.100 eq www
20 permit tcp any host 172.25.100.100 eq telnet
30 permit tcp any host 172.25.100.100 eq smtp
40 permit tcp any host 172.25.100.100 eq pop3
50 permit tcp any host 172.25.100.100 eq cmd
19.16. 基於IPv6過濾
提問 對Ipv6的數據包進行過濾
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ipv6 access-list EXAMPLES
Router1(config-ipv6-acl)#permit ipv6 AAAA:5::/64 any
Router1(config-ipv6-acl)#permit ipv6 host AAAA:5::FE:1 any
Router1(config-ipv6-acl)#permit tcp any any eq telnet established
Router1(config-ipv6-acl)#deny tcp any any eq telnet syn
Router1(config-ipv6-acl)#sequence 55 permit udp any any eq snmp
Router1(config-ipv6-acl)#remark this is a comment
Router1(config-ipv6-acl)#sequence 66 remark this comment has a sequence number
Router1(config-ipv6-acl)#permit icmp any any reflect ICMP-REFLECT
Router1(config-ipv6-acl)#deny ipv6 any host AAAA:6::1 log
Router1(config-ipv6-acl)#deny ipv6 any any log-input
Router1(config-ipv6-acl)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ipv6 traffic-filter EXAMPLES in
Router1(config-if)#exit
Router1(config)#end
Router1#
註釋 Ipv6過濾只能使用命名式控制列表,當然也繼承了命名式控制列表的所有優點。
Cisco IOS Cookbook 中文精簡版 19-23 訪問列表
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章