19.1. 基于源或者目的地址过滤
提问 阻止来自某地址或者发送至某地址的数据包
回答
使用标准控制列表来阻止特定源地址的数据包
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#Access-list 50 deny host 10.2.2.2
Router1(config)#access-list 50 permit any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 50 in
Router1(config-if)#exit
Router1(config)#end
Router1#
使用扩展控制列表来阻止特定源地址和目的地址的数据包
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 150 deny ip host 10.2.2.2 host 172.25.25.1
Router1(config)#access-list 150 permit ip any any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in
Router1(config-if)#exit
Router1(config)#end
Router1#
注释
19.2. 给ACL添加注释
提问 给控制列表添加注释方便阅读
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 50 remark Authorizing thy trespass with compare Router1(config)#access-list 50 deny host 10.2.2.2
Router1(config)#access-list 50 permit 10.2.2.0 0.0.0.255
Router1(config)#access-list 50 permit any
Router1(config)#end
Router1#
或者
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list standard TESTACL
Router2(config-std-nacl)#remark Authorizing thy trespass with compare
Router2(config-std-nacl)#deny host 10.2.2.2
Router2(config-std-nacl)#permit 10.2.2.0 0.0.0.255
Router2(config-std-nacl)#permit any
Router2(config-std-nacl)#end
Router2#
注释 在show access list命令中是看不到注释的
19.3. 基于应用过滤
提问 根据不同的应用来进行过滤
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 151 permit tcp any any eq www
Router1(config)#access-list 151 deny tcp any any gt 1023
Router1(config)#access-list 151 permit icmp any any
Router1(config)#access-list 151 permit udp any any eq ntp
Router1(config)#access-list 151 deny ip any any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 151 in
Router1(config-if)#exit
Router1(config)#end
Router1#
注释 无
19.4. 基于TCP头标签过滤
提问 根据TCP头字段中的标签位进行过滤
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 161 deny tcp any any ack fin psh rst syn urg
Router1(config)#access-list 161 deny tcp any any rst syn
Router1(config)#access-list 161 deny tcp any any rst syn fin
Router1(config)#access-list 161 deny tcp any any rst syn fin ack
Router1(config)#access-list 161 deny tcp any any syn fin
Router1(config)#access-list 161 deny tcp any any syn fin ack
Router1(config)#end
Router1#
从12.3(4)T以后开始启用新的命令格式
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended TCPFLAGFILTER
Router2(config-ext-nacl)#deny tcp any any match-all +ack +fin +psh +rst +syn +urg
Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn
Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn +fin
Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn +fin +ack
Router2(config-ext-nacl)#deny tcp any any match-all +syn +fin
Router2(config-ext-nacl)#deny tcp any any match-all +syn +fin +ack
Router2(config-ext-nacl)#end
Router2#
注释 TCP头字段中有六种标签位设置ACK,SYN,FIN,RST,PSH和URG。在新的命令格式中引入了match-all和match-any两个要害词,match-any和传统过滤方式一致,只关心特定标志位设置而不管其他标志位设置,match-all必须符合特定的标志位设置。
19.5. 限制TCP会话的方向
提问 过滤TCP会话 只答应客户端发起应用
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 148 permit tcp any eq telnet any established
Router1(config)#access-list 148 deny ip any any
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip access-group 148 in
Router1(config-if)#exit
Router1(config)#end
Router1#
注释
19.6. 基于多端口应用的过滤
提问 过滤某些开启多端口的应用
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 152 permit tcp any any eq FTP
Router1(config)#access-list 152 permit tcp any any eq ftp-data established
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip access-group 152 in
Router1(config-if)#exit
Router1(config)#end
Router1#
注释 对于其他多端口的可以使用下面的格式
Router1(config)#access-list 154 permit udp any any range 6000 6063
Router1(config)#access-list 155 deny udp any any gt 1023
Router1(config)#access-list 156 permit udp any any lt 1024
Router1(config)#access-list 157 permit udp any any neq 666
19.7. 基于DSCP和TOS的过滤
提问 根据IP服务质量信息进行过滤
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 162 permit ip any any dscp af11
Router1(config)#end
或者
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 162 permit ip any any tos max-reliability
Router1(config)#end
注释
19.8. 记录触发的控制列表
提问 记录触发控制列表的包信息
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 150 permit ip any any log
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in
Router1(config-if)#exit
Router1(config)#end
Router1#
更具体点的信息
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 150 permit tcp any any log-input
Router1(config)#access-list 150 permit ip any any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in
Router1(config-if)#exit
Router1(config)#end
Router1#
注释 第一个例子的日志信息
Feb 6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets
Feb 6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets
第二个例子的日志信息
Feb 6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet
注重的是log-input参数只能适应于扩展控制列表
19.9. 记录TCP会话
提问 记录TCP会话数目
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 122 permit tcp any any eq telnet established
Router1(config)#access-list 122 permit tcp any any eq telnet
Router1(config)#access-list 122 permit ip any any
Router1(config)#interface Serial0/0
Router1(config-if)#ip access-group 122 in
Router1(config-if)#exit
Router1(config)#end
Router1#
或者
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 121 permit tcp any any eq telnet syn
Router1(config)#access-list 121 permit tcp any any eq telnet
Router1(config)#access-list 121 permit ip any any
Router1(config)#interface Serial0/0
Router1(config-if)#ip access-group 121 in
Router1(config-if)#exit
Router1(config)#end
Router1#
注释 对于第一个例子
Router1#show access-list 122
Extended IP access list 122
permit tcp any any eq telnet established (3843 matches)
permit tcp any any eq telnet (6 matches)
permit ip any any (31937 matches)
Router1#
从输出可以看到总共有六个Telnet会话通过接口,3,843 + 6 = 3,849 个Telnet数据包
19.10. 分析ACL日志条目
注释 使用脚本来分析生成的ACL日志,暂略
19.11. 使用命名和单反控制列表
提问 在命名控制列表中使用一个单反控制列表
回答
一个基本的命名控制列表类似数字控制列表
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip access-list standard STANDARD-ACL
Router1(config-std-nacl)#remark This is a standard ACL
Router1(config-std-nacl)#permit any log
Router1(config-std-nacl)#exit
Router1(config)#ip access-list extended EXTENDED-ACL
Router1(config-ext-nacl)#remark This is an extended ACL
Router1(config-ext-nacl)#deny tcp any any eq www
Router1(config-ext-nacl)#permit ip any any log
Router1(config-ext-nacl)#exit
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group STANDARD-ACL in
Router1(config-if)#exit
Router1(config)#end
Router1#
下面是在其中内嵌单反控制列表来答应单反向的Ping
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip access-list extended PING-OUT
Router1(config-ext-nacl)#permit icmp any any reflect ICMP-REFLECT timeout 15
Router1(config-ext-nacl)#permit ip any any
Router1(config-ext-nacl)#exit
Router1(config)#ip access-list extended PING-IN
Router1(config-ext-nacl)#evaluate ICMP-REFLECT
Router1(config-ext-nacl)#deny icmp any any log
Router1(config-ext-nacl)#permit ip any any
Router1(config-ext-nacl)#exit
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group PING-OUT out
Router1(config-if)#ip access-group PING-IN in
Router1(config-if)#end
Router1#
注释 在例子中单反控制列表可以对返回的ICMP Response进行控制
19.12. 处理被动模式FTP
提问 对被动模式的FTP来进行区分
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 144 permit tcp any gt 1023 any eq ftp
Router1(config)#access-list 144 permit tcp any gt 1023 any gt 1023
Router1(config)#access-list 144 deny ip any any
Router1(config)#interface Serial0/0.1
Router1(config-subif)#ip access-group 144 in
Router1(config-subif)#exit
Router1(config)#end
Router1#
注释 被动模式下的FTP,客户端会再对服务器发送一个高于1024端口的链接,所以对于此类会话必须开启所有高于1024的端口,例子中的配置虽然能够解决此问题,但是减少了安全性,在以后的章节会介绍更有效的处理方式
19.13. 使用基于时间的控制列表
提问 对应用基于时间段进行控制
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#time-range NOSURF
Router1(config-time-range)# periodic weekdays 9:00 to 17:00
Router1(config-time-range)#exit
Router1(config)#ip access-list extended NOSURFING
Router1(config-ext-nacl)# deny tcp any any eq www time-range NOSURF
Router1(config-ext-nacl)# permit ip any any
Router1(config-ext-nacl)#exit
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip access-group NOSURFING in
Router1(config-if)#end
Router1#
注释 在时间段的配置上你可以配置多个periodic,
19.14. 基于非连续端口的过滤
提问 配置一种高效的非连续端口的过滤
回答
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 80 23 25 110 514 21
Router2(config-ext-nacl)#end
Router2#
注释 通常对于连续端口的过滤可以使用permit tcp any any range 20 25此类的命令,而对于非连续端口的过滤则要使用多个类似permit tcp any host 172.25.100.100 eq 80 的命令,自从12.3(7)T以后则可以使用上例中的配置方式来进行简化。
19.15. 控制列表编辑
提问 直接对控制列表进行编辑
回答
插入一个条目至现有的控制列表中
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#12 permit tcp any host 172.25.100.100 eq 20
Router2(config-ext-nacl)#end
Router2#
重新对控制列表序列号进行调整
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list resequence OREILLY 10 10
Router2(config)#end
Router2#
删除特定的控制列表条目
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#no 60
Router2(config-ext-nacl)#end
Router2#
注释 从12.3(2)T以后路由器增加了对控制列表条目序列号的支持,缺省10递增,这样可以方便对控制列表进行编辑
Router2#show ip access-lists OREILLY
Extended IP access list OREILLY
10 permit tcp any host 172.25.100.100 eq www
20 permit tcp any host 172.25.100.100 eq telnet
30 permit tcp any host 172.25.100.100 eq smtp
40 permit tcp any host 172.25.100.100 eq pop3
50 permit tcp any host 172.25.100.100 eq cmd
<!--[if !supportLists]-->19.16. <!--[endif]-->基于IPv6过滤
提问 对Ipv6的数据包进行过滤
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ipv6 access-list EXAMPLES
Router1(config-ipv6-acl)#permit ipv6 AAAA:5::/64 any
Router1(config-ipv6-acl)#permit ipv6 host AAAA:5::FE:1 any
Router1(config-ipv6-acl)#permit tcp any any eq telnet established
Router1(config-ipv6-acl)#deny tcp any any eq telnet syn
Router1(config-ipv6-acl)#sequence 55 permit udp any any eq snmp
Router1(config-ipv6-acl)#remark this is a comment
Router1(config-ipv6-acl)#sequence 66 remark this comment has a sequence number
Router1(config-ipv6-acl)#permit icmp any any reflect ICMP-REFLECT
Router1(config-ipv6-acl)#deny ipv6 any host AAAA:6::1 log
Router1(config-ipv6-acl)#deny ipv6 any any log-input
Router1(config-ipv6-acl)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ipv6 traffic-filter EXAMPLES in
Router1(config-if)#exit
Router1(config)#end
Router1#
注释 Ipv6过滤只能使用命名式控制列表,当然也继续了命名式控制列表的所有优点。