Network Security Study Notes -- ACL
Posted by 丢爸
ACL
- ACL (Access Control List)
- An ACL is a packet-filtering technique
- ACLs filter on the IP addresses in the IP header and the port numbers in the layer-4 TCP/UDP header, i.e. they filter at layers 3 and 4
- ACLs are configured on routers; they can also be configured on firewalls (where they are usually called policies)
ACL types
- Standard ACL
- Extended ACL
Standard ACL
- List numbers: 1-99
- Characteristic: can filter packets only on the source IP
- Commands:
Wildcard mask (inverse subnet mask):
- The subnet mask with its 0 and 1 bits inverted
- Purpose: used for matching; bits where the wildcard is 0 must match exactly, bits where it is 1 are ignored
# This entry denies any source IP beginning with 10 (i.e. 10.0.0.0/8)
access-list 1 deny 10.0.0.0 0.255.255.255
# Deny the host with source IP 10.1.1.1 (the two forms are equivalent)
access-list 1 deny 10.1.1.1 0.0.0.0
access-list 1 deny host 10.1.1.1
# Deny everything (the two forms are equivalent)
access-list 1 deny 0.0.0.0 0.0.0.0
access-list 1 deny any
# View the ACL
show ip access-list [list number]
# Apply the ACL to an interface
interface fa0/x
ip access-group <list number> in/out
exit
Extended ACL
- List numbers: 100-199
- Characteristics: can filter on source IP, destination IP, port number and protocol.
- Commands:
access-list 100 permit/deny <protocol> <source IP or network> <wildcard mask> <destination IP or network> <wildcard mask> [eq <port number>]
Protocol: TCP/UDP/ICMP/IP
# Allow TCP from host 10.1.1.1 to host 20.1.1.2 on destination port 80
access-list 100 permit tcp host 10.1.1.1 host 20.1.1.2 eq 80
# Allow TCP from host 10.1.1.1 to any host in 20.1.1.0/24
access-list 100 permit tcp host 10.1.1.1 20.1.1.0 0.0.0.255
# Allow all remaining IP traffic
access-list 100 permit ip any any
ACL principles
- An ACL takes effect only when it is applied to an interface in the inbound or outbound direction
- Only one ACL can be applied per direction on an interface
- Whether to apply it inbound or outbound depends on the overall direction of the traffic being controlled
- An ACL is checked strictly top to bottom, entry by entry, so pay attention to the order in which entries are written
- Each entry consists of a condition and an action: when traffic fully matches the condition, that entry's action is applied; when it does not, the next entry is checked
- Standard ACLs should be placed close to the destination
- For traffic control, first decide where the ACL goes (which router, which interface, which direction)
- Then work out how to write the ACL
- First decide whether the final result should be permit all or deny all
- Put the strictest controls first
- Once a numbered standard or extended ACL is written, no single entry can be modified or deleted and the order cannot be changed; new entries can only be appended at the end. To modify, insert or delete an entry, the whole list has to be deleted
- Named ACL: a standard or extended ACL can be given a custom name, which is easier to recognize and remember; entries can be freely modified, deleted or inserted
# Define ACL entries
ip access-list standard/extended <custom name>
write the ACL entries, each starting with deny or permit
exit
# Delete an ACL entry
no <sequence number>
exit
# Insert an ACL entry
<sequence number> <action> <entry details>
Lab 1:
Lab requirements (implement with standard ACLs):
1. The 10 network must not access the entire 50 network; other access is unrestricted
2. The PC 40.1.1.1 must not access the 50 network; other access is unrestricted
3. 10.1.1.1 must not access the 40 network; everything else is unaffected
- First configure the IP address, subnet mask and gateway of each PC
- Configure the IP address of each router interface
- Configure routes on each router so that all networks can reach each other
# Router0 configuration
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fa0/0
Router(config-if)#ip addr 10.1.1.254 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#interface fa0/1
Router(config-if)#ip addr 20.1.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Router(config-if)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, FastEthernet0/0
L 10.1.1.254/32 is directly connected, FastEthernet0/0
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 20.1.1.0/24 is directly connected, FastEthernet0/1
L 20.1.1.1/32 is directly connected, FastEthernet0/1
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.2
# -------- Router1 configuration
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fa1/0
Router(config-if)#ip addr 50.1.1.254 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
Router(config-if)#exit
Router(config)#interface fa0/0
Router(config-if)#ip addr 20.1.1.2 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#interface fa0/1
Router(config-if)#ip addr 30.1.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
Router(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 20.1.1.0/24 is directly connected, FastEthernet0/0
L 20.1.1.2/32 is directly connected, FastEthernet0/0
30.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 30.1.1.0/24 is directly connected, FastEthernet0/1
L 30.1.1.1/32 is directly connected, FastEthernet0/1
50.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 50.1.1.0/24 is directly connected, FastEthernet1/0
L 50.1.1.254/32 is directly connected, FastEthernet1/0
Router(config)#ip route 10.1.1.0 255.255.255.0 20.1.1.1
Router(config)#ip route 40.1.1.0 255.255.255.0 30.1.1.2
# ------------- Router2 configuration
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fa0/1
Router(config-if)#ip addr 40.1.1.254 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Router(config-if)#exit
Router(config)#interface fa0/0
Router(config-if)#ip addr 30.1.1.2 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.1
- After the configuration is complete, use ping to test connectivity between the networks
- Configure the ACLs
# ACL configuration on Router1
Router(config)#access-list 50 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 50 deny host 40.1.1.1
Router(config)#access-list 50 permit any
Router(config)#interface fa1/0
Router(config-if)#ip access-group 50 out
# View the ACL configuration
Router(config)#do show access-list
Standard IP access list 50
10 deny 10.0.0.0 0.255.255.255
20 deny host 40.1.1.1
30 permit any
# ACL configuration on Router2
Router(config)#access-list 40 deny host 10.1.1.1
Router(config)#access-list 40 permit any
Router(config)#interface fa0/1
Router(config-if)#ip access-group 40 out
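The wildcard-mask matching and the top-down, first-match evaluation described in the sections above, run against the two Lab 1 ACLs, as an added Python example (not part of the original post). The evaluator, its entry syntax and the test addresses such as 10.1.1.7 are my own construction; the trailing implicit deny is standard Cisco ACL behaviour that the page only implies when it says to decide between permit-all and deny-all.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: wildcard bit 0 = must match exactly, bit 1 = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w == 0

def parse_entry(line):
    """Parse one standard-ACL entry (page syntax) into (action, base, wildcard)."""
    t = line.split()
    if t[1] == "any":                 # 'any' is shorthand for 0.0.0.0 255.255.255.255
        return t[0], "0.0.0.0", "255.255.255.255"
    if t[1] == "host":                # 'host X' is shorthand for X 0.0.0.0
        return t[0], t[2], "0.0.0.0"
    return t[0], t[1], t[2] if len(t) > 2 else "0.0.0.0"

def evaluate(acl, src):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for line in acl:
        action, base, wildcard = parse_entry(line)
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"

# The two ACLs from Lab 1 (Router1 fa1/0 out and Router2 fa0/1 out).
ACL_50 = ["deny 10.0.0.0 0.255.255.255", "deny host 40.1.1.1", "permit any"]
ACL_40 = ["deny host 10.1.1.1", "permit any"]

def check_lab():
    """Check the three lab requirements with constructed sample source addresses."""
    return {
        "req1 10.x -> 50 denied":      evaluate(ACL_50, "10.1.1.7") == "deny",
        "req2 40.1.1.1 -> 50 denied":  evaluate(ACL_50, "40.1.1.1") == "deny",
        "req2 40.1.1.2 -> 50 allowed": evaluate(ACL_50, "40.1.1.2") == "permit",
        "req3 10.1.1.1 -> 40 denied":  evaluate(ACL_40, "10.1.1.1") == "deny",
        "req3 10.1.1.2 -> 40 allowed": evaluate(ACL_40, "10.1.1.2") == "permit",
    }

# Ordering pitfall: 'permit any' placed first shadows every later deny.
SHADOWED = ["permit any", "deny host 40.1.1.1"]
# Forgetting the final 'permit any' turns the list into deny-all.
DENY_ONLY = ["deny host 40.1.1.1"]

if __name__ == "__main__":
    for name, ok in check_lab().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
    print("shadowed deny still permits 40.1.1.1:", evaluate(SHADOWED, "40.1.1.1"))
    print("deny-only list also blocks 40.1.1.2:", evaluate(DENY_ONLY, "40.1.1.2"))
```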