Network Security Study -- ACL

Posted by 丢爸


ACL

  • ACL (Access Control List)
  • An ACL is a packet-filtering technique
    It filters on the IP addresses in the IP header and on the port numbers in the layer-4 TCP/UDP header, i.e. it filters at layers 3 and 4
  • ACLs are configured on routers; they can also be configured on firewalls (where they are usually called policies)
ACL types
  • Standard ACL
  • Extended ACL
Standard ACL
  • List number: 1-99
  • Characteristic: can filter packets only by source IP
  • Commands:
    Wildcard mask (inverse subnet mask):
  • Obtained by inverting the 0s and 1s of the normal subnet mask
  • Purpose: used for matching; bits where the wildcard is 0 must match exactly, bits where it is 1 are ignored
# This entry denies any packet whose source IP begins with 10
access-list 1 deny 10.0.0.0 0.255.255.255
# Deny the host with source IP 10.1.1.1 (the two forms are equivalent)
access-list 1 deny 10.1.1.1 0.0.0.0
access-list 1 deny host 10.1.1.1
# Deny everything (the two forms are equivalent)
access-list 1 deny 0.0.0.0 0.0.0.0
access-list 1 deny any
# View the ACL table
show ip access-list [list-number]
# Apply the ACL to an interface
interface fa0/x
ip access-group <list-number> in|out
exit
Extended ACL
  • List number: 100-199
  • Characteristic: can filter packets on source IP, destination IP, port number and protocol.
  • Command:
    access-list 100 permit|deny <protocol> <source IP or network> <wildcard> <destination IP or network> <wildcard> [eq <port>]
    Protocol: TCP/UDP/ICMP/IP
access-list 100 permit tcp host 10.1.1.1 host 20.1.1.2 eq 80
access-list 100 permit tcp host 10.1.1.1 20.1.1.0 0.0.0.255
access-list 100 permit ip any any
ACL principles
  • An ACL takes effect only when applied to the inbound or outbound direction of an interface
  • One direction of one interface can have only one list applied
  • Whether to apply it inbound or outbound depends on the overall direction of the traffic being controlled
  • An ACL is checked strictly top-down, entry by entry, so the order in which entries are written matters
  • Each entry consists of a condition and an action: when traffic fully matches the condition, the action is applied and checking stops; when it does not match, the next entry is checked
  • Standard ACLs should be placed close to the destination
  • When doing traffic control, first decide where the ACL goes (which router, which interface, which direction)
  • Then decide how to write the ACL
    • First decide whether the final entry should permit everything or deny everything
    • Write the strictest entries first
  • Once a numbered standard or extended ACL is written, you cannot modify a single entry, delete a single entry, or change the order; new entries can only be appended at the end. To modify, insert or delete an entry, the whole list must be deleted
  • Named ACLs: a standard or extended ACL can be given a custom name, which is easier to recognize and remember, and individual entries can be modified, deleted or inserted at will
# Define ACL entries
ip access-list standard|extended <name>
write the entries, each starting with deny or permit
exit
# Delete an ACL entry
no <sequence-number>
exit
# Insert an ACL entry
<sequence-number> <action> <match criteria>

Lab 1:
Requirements (implement with standard ACLs):
1. The 10 network must be blocked from accessing the entire 50 network; other access is unrestricted
2. PC 40.1.1.1 must be blocked from accessing the 50 network; other access is unrestricted
3. 10.1.1.1 must be blocked from accessing the 40 network; nothing else is affected


  1. First configure each PC's IP address, subnet mask and gateway
  2. Configure the IP address of each router interface
  3. Configure routes on each router so that all networks can reach each other
# Router0 configuration
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fa0/0
Router(config-if)#ip addr 10.1.1.254 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Router(config-if)#exit
Router(config)#interface fa0/1
Router(config-if)#ip addr 20.1.1.1 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Router(config-if)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, FastEthernet0/0
L       10.1.1.254/32 is directly connected, FastEthernet0/0
     20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       20.1.1.0/24 is directly connected, FastEthernet0/1
L       20.1.1.1/32 is directly connected, FastEthernet0/1

Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.2
# -------- Router1 configuration
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fa1/0
Router(config-if)#ip addr 50.1.1.254 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up

Router(config-if)#exit
Router(config)#interface fa0/0
Router(config-if)#ip addr 20.1.1.2 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

Router(config-if)#exit
Router(config)#interface fa0/1
Router(config-if)#ip addr 30.1.1.1 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

Router(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Router(config-if)#exit
Router(config)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       20.1.1.0/24 is directly connected, FastEthernet0/0
L       20.1.1.2/32 is directly connected, FastEthernet0/0
     30.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       30.1.1.0/24 is directly connected, FastEthernet0/1
L       30.1.1.1/32 is directly connected, FastEthernet0/1
     50.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       50.1.1.0/24 is directly connected, FastEthernet1/0
L       50.1.1.254/32 is directly connected, FastEthernet1/0

Router(config)#ip route 10.1.1.0 255.255.255.0 20.1.1.1
Router(config)#ip route 40.1.1.0 255.255.255.0 30.1.1.2
# ------------- Router2 configuration
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fa0/1
Router(config-if)#ip addr 40.1.1.254 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Router(config-if)#exit
Router(config)#interface fa0/0
Router(config-if)#ip addr 30.1.1.2 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.1
  1. After the configuration is complete, use ping to test connectivity between the networks
  2. Configure the ACLs
# Configure the ACL on Router1
Router(config)#access-list 50 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 50 deny host 40.1.1.1
Router(config)#access-list 50 permit any
Router(config)#interface fa1/0
Router(config-if)#ip access-group 50 out
# View the ACL configuration
Router(config)#do show access-list
Standard IP access list 50
    10 deny 10.0.0.0 0.255.255.255
    20 deny host 40.1.1.1
    30 permit any
# Configure the ACL on Router2
Router(config)#access-list 40 deny host 10.1.1.1
Router(config)#access-list 40 permit any
Router(config)#interface fa0/1
Router(config-if)#ip access-group 40 out
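As an added example that is not part of the original post, the following Python script simulates the wildcard-mask matching and the top-down, first-match evaluation described under "ACL principles", run against the two standard ACLs from Lab 1. The placement of each list (ACL 50 on Router1 fa1/0 out, ACL 40 on Router2 fa0/1 out) is taken from the configuration above; the parser, the IOS-style sequence numbers and the implicit deny at the end of every list are my additions.

```python
from ipaddress import IPv4Address, IPv4Network
# Constructed sample: the standard ACL lines entered on Router1 and Router2 in Lab 1.
LAB_CONFIG = """
access-list 50 deny 10.0.0.0 0.255.255.255
access-list 50 deny host 40.1.1.1
access-list 50 permit any
access-list 40 deny host 10.1.1.1
access-list 40 permit any
"""
# Assumed Lab 1 placement: ACL 50 on Router1 fa1/0 out (50 net), ACL 40 on Router2 fa0/1 out (40 net).
PLACEMENT = {IPv4Network("50.1.1.0/24"): 50, IPv4Network("40.1.1.0/24"): 40}

def wildcard_match(addr, base, wildcard):
    """0 bits in the wildcard must match exactly; 1 bits are ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0

def parse_standard_acl(text):
    """Parse 'access-list N permit|deny ...' lines into {N: [(action, base, wildcard)]}."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL line: {line!r}")
        number, action, rest = int(parts[1]), parts[2], parts[3:]
        if not 1 <= number <= 99:
            raise ValueError(f"standard ACLs use numbers 1-99, got {number}")
        if rest == ["any"]:                        # any == 0.0.0.0 255.255.255.255
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host" or len(rest) == 1:  # host X == X 0.0.0.0
            base, wildcard = rest[-1], "0.0.0.0"
        else:
            base, wildcard = rest[0], rest[1]
        acls.setdefault(number, []).append((action, base, wildcard))
    return acls

def evaluate(entries, src):
    """Top-down, first match wins; returns (action, sequence); implicit deny if nothing matches."""
    for seq, (action, base, wildcard) in enumerate(entries, start=1):
        if wildcard_match(src, base, wildcard):
            return action, seq * 10                # IOS numbers entries 10, 20, 30 ...
    return "deny", None                            # the implicit deny at the end of every ACL

def lab_allows(src, dst):
    """Is src -> dst permitted in Lab 1, given where each list is applied?"""
    acls = parse_standard_acl(LAB_CONFIG)
    for net, number in PLACEMENT.items():
        if IPv4Address(dst) in net:                # packet exits through the filtered interface
            return evaluate(acls[number], src)[0] == "permit"
    return True                                    # no ACL on that path: unrestricted
```

Running `lab_allows` for each pair in the three requirements shows which entry (10, 20 or 30 in `show access-list`) made the decision, and a list with no matching entry falls through to the implicit deny.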
