Cisco IOS Cookbook, Condensed Chinese Edition, Chapter 19: Access Lists

1/6/2008  Source: Cisco网络  Views: 9772

19.1.  Filtering by Source or Destination Address

Problem: Block packets coming from, or sent to, a particular address

Solution

Use a standard access list to block packets from a specific source address:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 50 deny host 10.2.2.2

Router1(config)#access-list 50 permit any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 50 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Use an extended access list to block packets from a specific source address to a specific destination address:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 150 deny ip host 10.2.2.2 host 172.25.25.1

Router1(config)#access-list 150 permit ip any any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 150 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion

19.2.  Adding Comments to an ACL

Problem: Add comments to an access list so that it is easier to read

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 50 remark Authorizing thy trespass with compare

Router1(config)#access-list 50 deny host 10.2.2.2

Router1(config)#access-list 50 permit 10.2.2.0 0.0.0.255

Router1(config)#access-list 50 permit any

Router1(config)#end

Router1#

Or:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list standard TESTACL

Router2(config-std-nacl)#remark Authorizing thy trespass with compare

Router2(config-std-nacl)#deny host 10.2.2.2

Router2(config-std-nacl)#permit 10.2.2.0 0.0.0.255

Router2(config-std-nacl)#permit any

Router2(config-std-nacl)#end

Router2#

Discussion: Remarks do not appear in the output of the show access-lists command.

19.3.  Filtering by Application

Problem: Filter traffic according to the application it belongs to

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 151 permit tcp any any eq www

Router1(config)#access-list 151 deny tcp any any gt 1023

Router1(config)#access-list 151 permit icmp any any

Router1(config)#access-list 151 permit udp any any eq ntp

Router1(config)#access-list 151 deny ip any any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 151 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: None

19.4.  Filtering Based on TCP Header Flags

Problem: Filter based on the flag bits in the TCP header

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 161 deny tcp any any ack fin psh rst syn urg

Router1(config)#access-list 161 deny tcp any any rst syn

Router1(config)#access-list 161 deny tcp any any rst syn fin

Router1(config)#access-list 161 deny tcp any any rst syn fin ack

Router1(config)#access-list 161 deny tcp any any syn fin

Router1(config)#access-list 161 deny tcp any any syn fin ack

Router1(config)#end

Router1#

Starting with IOS 12.3(4)T, a new command syntax is available:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list extended TCPFLAGFILTER

Router2(config-ext-nacl)#deny tcp any any match-all +ack +fin +psh +rst +syn +urg

Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn

Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn +fin

Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn +fin +ack

Router2(config-ext-nacl)#deny tcp any any match-all +syn +fin

Router2(config-ext-nacl)#deny tcp any any match-all +syn +fin +ack

Router2(config-ext-nacl)#end

Router2#

Discussion: The TCP header carries six flag bits: ACK, SYN, FIN, RST, PSH and URG. The new syntax introduces two keywords, match-all and match-any. match-any behaves like the traditional filtering form: it only cares that the listed flag bits are set and ignores the state of the other bits, whereas match-all requires every listed flag condition to be satisfied.
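To make the match-all / match-any distinction concrete, here is an added Python model (not from the Cookbook) that parses the TCPFLAGFILTER entries above into flag conditions and evaluates sample packets against them, once as written and once with every entry switched to match-any. The parse_flag_ace, flags_match and evaluate names and the trailing permit entry are assumptions of this example, and only the +flag form used on this page is handled.

```python
TCP_FLAGS = ("ack", "fin", "psh", "rst", "syn", "urg")

def parse_flag_ace(line):
    """Parse one entry such as 'deny tcp any any match-all +rst +syn' (prompt optional)
    into (action, mode, flags); mode is None when the entry has no flag condition."""
    tok = line.split("#")[-1].split()
    action, rest = tok[0], tok[4:]                  # skip the 'tcp any any' part
    mode = rest[0] if rest and rest[0] in ("match-all", "match-any") else None
    flags = frozenset(f[1:] for f in rest[1:] if f[0] == "+" and f[1:] in TCP_FLAGS)
    return action, mode, flags

def flags_match(mode, wanted, packet_flags):
    """match-all: every listed flag is set; match-any: at least one listed flag is set.
    Flags that are not listed are ignored in both modes."""
    if mode == "match-all":
        return wanted <= packet_flags
    if mode == "match-any":
        return bool(wanted & packet_flags)
    return True                                     # no flag condition on this entry

def evaluate(acl, packet_flags):
    """First matching entry decides; the list ends with an implicit deny."""
    packet_flags = frozenset(f.lower() for f in packet_flags)
    for action, mode, wanted in acl:
        if flags_match(mode, wanted, packet_flags):
            return action
    return "deny"

# TCPFLAGFILTER from the recipe above, plus a final permit so ordinary traffic passes
TCPFLAGFILTER = [parse_flag_ace(l) for l in [
    "deny tcp any any match-all +ack +fin +psh +rst +syn +urg",
    "deny tcp any any match-all +rst +syn",
    "deny tcp any any match-all +rst +syn +fin",
    "deny tcp any any match-all +rst +syn +fin +ack",
    "deny tcp any any match-all +syn +fin",
    "deny tcp any any match-all +syn +fin +ack",
    "permit tcp any any"]]

# The same entries with match-any: a plain SYN or SYN/ACK would now be denied too
ANY_VARIANT = [(a, "match-any" if m else None, f) for a, m, f in TCPFLAGFILTER]
```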

19.5.  Restricting the Direction of TCP Sessions

Problem: Filter TCP sessions so that only the client side can initiate an application session

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 148 permit tcp any eq telnet any established

Router1(config)#access-list 148 deny ip any any

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip access-group 148 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion

19.6.  Filtering Multiport Applications

Problem: Filter applications that use more than one port

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 152 permit tcp any any eq ftp

Router1(config)#access-list 152 permit tcp any any eq ftp-data established

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip access-group 152 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: For other multiport applications the following forms can be used:

Router1(config)#access-list 154 permit udp any any range 6000 6063

Router1(config)#access-list 155 deny udp any any gt 1023

Router1(config)#access-list 156 permit udp any any lt 1024

Router1(config)#access-list 157 permit udp any any neq 666

19.7.  Filtering Based on DSCP and TOS

Problem: Filter based on IP quality-of-service information

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 162 permit ip any any dscp af11

Router1(config)#end

Or:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 162 permit ip any any tos max-reliability

Router1(config)#end

Discussion

19.8.  Logging ACL Matches

Problem: Log information about the packets that match an access list

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 150 permit ip any any log

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 150 in

Router1(config-if)#exit

Router1(config)#end

Router1#

For more detailed information:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 150 permit tcp any any log-input

Router1(config)#access-list 150 permit ip any any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 150 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: Log messages produced by the first example:

Feb  6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets

Feb  6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets

Log messages produced by the second example:

Feb  6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet

Note that the log-input keyword can only be used with extended access lists.

19.9.  Logging TCP Sessions

Problem: Count the number of TCP sessions

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 122 permit tcp any any eq telnet established

Router1(config)#access-list 122 permit tcp any any eq telnet

Router1(config)#access-list 122 permit ip any any

Router1(config)#interface Serial0/0

Router1(config-if)#ip access-group 122 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Or:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 121 permit tcp any any eq telnet syn

Router1(config)#access-list 121 permit tcp any any eq telnet

Router1(config)#access-list 121 permit ip any any

Router1(config)#interface Serial0/0

Router1(config-if)#ip access-group 121 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: For the first example:

Router1#show access-list 122

Extended IP access list 122

    permit tcp any any eq telnet established (3843 matches)

    permit tcp any any eq telnet (6 matches)

    permit ip any any (31937 matches)

Router1#

The output shows that six Telnet sessions passed through the interface, carrying 3,843 + 6 = 3,849 Telnet packets in total.

19.10.  Analyzing ACL Log Entries

Discussion: A script can be used to analyze the ACL log messages the router generates; the script is omitted here for now.

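Since the recipe leaves the analysis script out, here is an added Python example (not from the Cookbook) that parses the three %SEC-6-IPACCESSLOG* message formats shown in recipe 19.8 and totals packets per list, action, protocol and address pair. The sample log is constructed: the page's three lines plus one repeated line, one unrelated syslog message and one hit on the logged deny entry of the PING-IN list from recipe 19.11.

```python
import re
from collections import Counter

# One pattern covers the variants in recipe 19.8: RP (no ports), DP with icmp
# type/code, and P with ports plus the interface/MAC detail that log-input adds.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]+): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\))?"          # present only with log-input
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?"       # present only for icmp
    r", (?P<count>\d+) packets?")

def parse_acl_log(line):
    """Return the fields of one ACL log message as a dict, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def summarize(lines):
    """Total packets per (acl, action, proto, src, dst), summed across repeated messages."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec:
            totals[(rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"])] += rec["count"]
    return totals

def denied_sources(lines):
    """Source addresses that hit a logged deny entry, busiest first."""
    hits = Counter()
    for (acl, action, proto, src, dst), n in summarize(lines).items():
        if action == "denied":
            hits[src] += n
    return hits.most_common()

# Constructed sample log (see the lead-in); the first three lines are the page's own
SAMPLE_LOG = """\
Feb  6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets
Feb  6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets
Feb  6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet
Feb  6 14:57:10: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 3 packets
Feb  6 14:58:02: %SYS-5-CONFIG_I: Configured from console by console
Feb  6 15:02:41: %SEC-6-IPACCESSLOGDP: list PING-IN denied icmp 172.25.25.9 -> 10.1.1.1 (8/0), 2 packets
""".splitlines()
```

Feed the output of `show logging` or a syslog file to summarize() line by line; entries on different lists with the same address pair are kept apart by the list name.
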
19.11.  Using Named and Reflexive Access Lists

Problem: Use a reflexive access list inside a named access list

Solution

A basic named access list works much like a numbered one:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ip access-list standard STANDARD-ACL

Router1(config-std-nacl)#remark This is a standard ACL

Router1(config-std-nacl)#permit any log

Router1(config-std-nacl)#exit

Router1(config)#ip access-list extended EXTENDED-ACL

Router1(config-ext-nacl)#remark This is an extended ACL

Router1(config-ext-nacl)#deny tcp any any eq www

Router1(config-ext-nacl)#permit ip any any log

Router1(config-ext-nacl)#exit

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group STANDARD-ACL in

Router1(config-if)#exit

Router1(config)#end

Router1#

The following nests a reflexive access list inside it so that pings are allowed in one direction only:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ip access-list extended PING-OUT

Router1(config-ext-nacl)#permit icmp any any reflect ICMP-REFLECT timeout 15

Router1(config-ext-nacl)#permit ip any any

Router1(config-ext-nacl)#exit

Router1(config)#ip access-list extended PING-IN

Router1(config-ext-nacl)#evaluate ICMP-REFLECT

Router1(config-ext-nacl)#deny icmp any any log

Router1(config-ext-nacl)#permit ip any any

Router1(config-ext-nacl)#exit

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group PING-OUT out

Router1(config-if)#ip access-group PING-IN in

Router1(config-if)#end

Router1#

Discussion: In this example the reflexive access list controls the ICMP responses coming back.
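The following is an added Python model (not IOS code and not from the Cookbook) of how the reflect / evaluate pair above behaves: an outbound ICMP packet creates a mirrored temporary entry, the inbound list consults that entry before its deny, and the entry lapses after the timeout. The ReflexiveAcl class, the demo() walkthrough and the 10.1.1.1 / 172.25.25.x hosts are constructed for this example, and the model tracks only protocol and addresses.

```python
import time

class ReflexiveAcl:
    """Minimal model of PING-OUT / PING-IN: 'reflect ICMP-REFLECT timeout 15' on the
    outbound list creates a mirrored temporary entry that 'evaluate ICMP-REFLECT'
    on the inbound list consults. Hypothetical class, tracks proto/src/dst only."""

    def __init__(self, timeout=15, clock=time.monotonic):
        self.timeout, self.clock = timeout, clock
        self.entries = {}     # (proto, src, dst) of the expected reply -> expiry time
        self.log = []         # packets that hit 'deny icmp any any log'

    def outbound(self, pk):
        """PING-OUT: permit icmp any any reflect ICMP-REFLECT timeout 15 / permit ip any any."""
        if pk["proto"] == "icmp":
            self.entries[("icmp", pk["dst"], pk["src"])] = self.clock() + self.timeout
        return "permit"

    def inbound(self, pk):
        """PING-IN: evaluate ICMP-REFLECT / deny icmp any any log / permit ip any any."""
        now = self.clock()
        self.entries = {k: t for k, t in self.entries.items() if t > now}   # drop expired
        key = (pk["proto"], pk["src"], pk["dst"])
        if key in self.entries:
            self.entries[key] = now + self.timeout   # a matching reply refreshes the timer
            return "permit"
        if pk["proto"] == "icmp":
            self.log.append(pk)                      # unsolicited inbound ICMP: denied, logged
            return "deny"
        return "permit"

def demo():
    """Ping out, echo reply back, an unsolicited ping, then a reply after the 15 s timeout."""
    t = [0.0]                                        # fake clock keeps the run deterministic
    acl = ReflexiveAcl(timeout=15, clock=lambda: t[0])
    out = {"proto": "icmp", "src": "10.1.1.1", "dst": "172.25.25.1"}      # constructed hosts
    reply = {"proto": "icmp", "src": "172.25.25.1", "dst": "10.1.1.1"}
    stranger = {"proto": "icmp", "src": "172.25.25.9", "dst": "10.1.1.1"}
    results = [acl.outbound(out), acl.inbound(reply), acl.inbound(stranger)]
    t[0] = 20.0                                      # 20 s later the reflected entry is gone
    results.append(acl.inbound(reply))
    return results, len(acl.log)
```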

19.12.  Handling Passive-Mode FTP

Problem: Handle passive-mode FTP sessions in an access list

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 144 permit tcp any gt 1023 any eq ftp

Router1(config)#access-list 144 permit tcp any gt 1023 any gt 1023

Router1(config)#access-list 144 deny ip any any

Router1(config)#interface Serial0/0.1

Router1(config-subif)#ip access-group 144 in

Router1(config-subif)#exit

Router1(config)#end

Router1#

Discussion: In passive-mode FTP the client opens a second connection to the server on a port above 1024, so such sessions require all ports above 1024 to be opened. The configuration in this example solves the problem, but it reduces security; a more effective approach is covered in a later chapter.
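As an added example serving recipes 19.1, 19.5 and 19.12 (not from the Cookbook), the Python below parses the numbered ACL lines used on this page (any/host/wildcard addresses, eq/gt/lt/neq/range port operators and established) into matchers and evaluates packets in IOS order, first match wins and an implicit deny at the end; it is what lets you check that ACL 144 also permits a high-port-to-high-port connection to any service, which is the security cost the discussion mentions. The helper names, the PORTS table and the packet dictionaries are assumptions of this example.

```python
from ipaddress import ip_address

PORTS = {"ftp": 21, "ftp-data": 20, "telnet": 23, "www": 80}  # IOS port names used on this page

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' (wildcard 1-bits are don't-care bits)."""
    t = tok.pop(0)
    if t == "any":
        return lambda ip: True
    base = int(ip_address(tok.pop(0) if t == "host" else t))
    wild = 0 if t == "host" else int(ip_address(tok.pop(0)))
    return lambda ip: (int(ip_address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0

def _port(tok):
    """Consume an optional 'eq|gt|lt|neq P' or 'range A B'; P may be an IOS port name."""
    if not tok or tok[0] not in ("eq", "gt", "lt", "neq", "range"):
        return lambda p: True
    op = tok.pop(0)
    a = tok.pop(0)
    b = tok.pop(0) if op == "range" else a
    a, b = int(PORTS.get(a, a)), int(PORTS.get(b, b))
    return {"eq": lambda p: p == a, "neq": lambda p: p != a, "gt": lambda p: p > a,
            "lt": lambda p: p < a, "range": lambda p: a <= p <= b}[op]

def parse_ace(line):
    """Parse 'access-list N permit|deny ...' (prompt optional) into (action, matcher)."""
    tok = line.split("#")[-1].split()
    number, action, tok = int(tok[1]), tok[2], tok[3:]
    if number < 100:                                # standard ACL (1-99): source only
        src = _addr(tok)
        return action, lambda pk: src(pk["src"])
    proto = tok.pop(0)                              # extended ACL (100-199)
    src, sport, dst, dport = _addr(tok), _port(tok), _addr(tok), _port(tok)
    est = "established" in tok                      # only ACK/RST (reply) segments match
    return action, lambda pk: (
        (proto == "ip" or pk["proto"] == proto) and src(pk["src"]) and dst(pk["dst"])
        and sport(pk.get("sport", 0)) and dport(pk.get("dport", 0))
        and (not est or bool({"ACK", "RST"} & pk.get("flags", set()))))

def evaluate(acl, pk):
    """Entries are tested in order; first match wins; an implicit deny ends the list."""
    return next((action for action, match in acl if match(pk)), "deny")

ACL50 = [parse_ace(l) for l in ["access-list 50 deny host 10.2.2.2", "access-list 50 permit any"]]
ACL150 = [parse_ace(l) for l in ["access-list 150 deny ip host 10.2.2.2 host 172.25.25.1",
                                  "access-list 150 permit ip any any"]]
ACL144 = [parse_ace(l) for l in ["access-list 144 permit tcp any gt 1023 any eq ftp",
                                  "access-list 144 permit tcp any gt 1023 any gt 1023",
                                  "access-list 144 deny ip any any"]]
```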

19.13.  Using Time-Based Access Lists

Problem: Control an application based on the time of day

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#time-range NOSURF

Router1(config-time-range)# periodic weekdays 9:00 to 17:00

Router1(config-time-range)#exit

Router1(config)#ip access-list extended NOSURFING

Router1(config-ext-nacl)# deny   tcp any any eq www time-range NOSURF

Router1(config-ext-nacl)# permit ip any any

Router1(config-ext-nacl)#exit

Router1(config)#interface FastEthernet0/1

Router1(config-if)#ip access-group NOSURFING in

Router1(config-if)#end

Router1#

Discussion: A time range can contain more than one periodic statement.

19.14.  Filtering on Noncontiguous Ports

Problem: Configure an efficient filter for a set of noncontiguous ports

Solution

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list extended OREILLY

Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 80 23 25 110 514 21

Router2(config-ext-nacl)#end

Router2#

Discussion: A contiguous range of ports is normally filtered with a command such as permit tcp any any range 20 25, whereas noncontiguous ports used to require several separate commands such as permit tcp any host 172.25.100.100 eq 80. Starting with 12.3(7)T, the form shown in the example above can be used to simplify this.

19.15.  Editing Access Lists

Problem: Edit an access list in place

Solution

Insert an entry into an existing access list:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list extended OREILLY

Router2(config-ext-nacl)#12 permit tcp any host 172.25.100.100 eq 20

Router2(config-ext-nacl)#end

Router2#

Resequence the entries of the access list:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list resequence OREILLY 10 10

Router2(config)#end

Router2#

Delete a specific entry of the access list:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip access-list extended OREILLY

Router2(config-ext-nacl)#no 60

Router2(config-ext-nacl)#end

Router2#

Discussion: Starting with 12.3(2)T, the router supports sequence numbers on access list entries (incrementing by 10 by default), which makes editing an access list much easier:

Router2#show ip access-lists OREILLY

Extended IP access list OREILLY

    10 permit tcp any host 172.25.100.100 eq www

    20 permit tcp any host 172.25.100.100 eq telnet

    30 permit tcp any host 172.25.100.100 eq smtp

    40 permit tcp any host 172.25.100.100 eq pop3

    50 permit tcp any host 172.25.100.100 eq cmd

19.16.  Filtering IPv6

Problem: Filter IPv6 packets

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ipv6 access-list EXAMPLES

Router1(config-ipv6-acl)#permit ipv6 AAAA:5::/64 any

Router1(config-ipv6-acl)#permit ipv6 host AAAA:5::FE:1 any

Router1(config-ipv6-acl)#permit tcp any any eq telnet established

Router1(config-ipv6-acl)#deny tcp any any eq telnet syn

Router1(config-ipv6-acl)#sequence 55 permit udp any any eq snmp

Router1(config-ipv6-acl)#remark this is a comment

Router1(config-ipv6-acl)#sequence 66 remark this comment has a sequence number

Router1(config-ipv6-acl)#permit icmp any any reflect ICMP-REFLECT

Router1(config-ipv6-acl)#deny ipv6 any host AAAA:6::1 log

Router1(config-ipv6-acl)#deny ipv6 any any log-input

Router1(config-ipv6-acl)#exit

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 traffic-filter EXAMPLES in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: IPv6 filtering can only use named access lists, and it naturally inherits all the advantages of named access lists.