网络安全学习ACL

ACL

• ACL(Access Control List)访问控制列表
• ACL是一种包过滤技术
  ACL基于IP包头的IP地址、四层TCP/UDP头部的端口号，基于三、四层过滤
• ACL在路由器上配置，也可在防火墙上配置(一般称为策略)

ACL分类

• 标准ACL
• 扩展ACL

标准ACL

• 表号：1-99
• 特点：只能基于源IP对包进行过滤
• 命令：
  反子网掩码：

• 将正子网掩码0和1倒置
• 作用：用来匹配，与0对应的需要严格匹配，与1对应的忽略

#该条目用于拒绝源IP以10开头的
access-list 1 deny 10.0.0.0 0.255.255.255
#拒绝所有源IP为10.1.1.1的主机
access-list 1 deny 10.1.1.1 0.0.0.0
access-list 1 deny host 10.1.1.1
#拒绝所有
access-list 1 deny 0.0.0.0 0.0.0.0
access-list 1 deny any
#查看ACL表
show ip access-list [表ID]
#将ACL应用至接口
interface fa0/x
ip access-group 表号 in/out
exit


扩展ACL

• 表号：100 - 199
• 特点：可以基于源IP、目标IP、端口号、协议及包进行过滤。
• 命令：
  access-list 100 permit/deny 协议 源IP或源网段 反子网掩码 目标IP或目标网段 反子网掩码 [eq 端口号]
  协议：TCP/UDP/ICMP/IP

access-list permit tcp host 10.1.1.1 host 20.1.1.2 eq 80
access-list permit tcp host 10.1.1.1 20.1.1.0 0.0.0.255
access-list permit ip any any


ACL原理

• ACL表必须应用到接口的进或出方向才生效
• 一个接口的一个方向只能应用一张表
• 进还是出，取决于流量控制总方向
• ACL表是严格自上而下检查每一条，注意书写顺序
• 每一条是由条件和动作组成，当流量完全满足，当某流量没有满足条件，则继续检查下一条
• 标准ACL要写在靠近目标的地方
• 做流量控制，首先判断ACL写的位置(哪个路由器，哪个接口，哪个方向)
• 再考虑如何写ACL
  • 首先判断最终要允许所有还是拒绝所有
  • 将严格控制的写在前面
• 标准或扩展ACL一旦写好，无法修改某一条，无法删除某一条，也无法修改顺序，只能一直在最后面添加新条目，如想修改、插入或删除，只能删除整张表
• 命名ACL：可以对标准或扩展ACL进行自定义命名，自定义命名更容易辨认，也便于记忆，可以任意修改、删除或插入某一条

#定义ACL条目
ip access-list standard/extended 自定义名称
开始从deny或permit编写ACL条目
exit
#删除ACL条目
no 条目ID
exit
#插入ACL条目
条目ID 动作 条目信息


实验一：
实验要求(使用标准ACL实现)：
1.要求10网段禁止访问整个50网段，访问其他不受限
2.要求40.1.1.1PC禁止访问50网段，其他访问不受限
3.要求10.1.1.1禁止访问40网段，其他不受影响

实验文件下载

1. 先将各PC的IP地址，子网掩码和网关配置好
2. 设置好路由器名个接口IP
3. 配置各个路由器的路由，实现各个网段互通

#Router0设置
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fa0/0
Router(config-if)#ip addr 10.1.1.254 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#interface fa0/1
Router(config-if)#ip addr 20.1.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Router(config-if)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, FastEthernet0/0
L 10.1.1.254/32 is directly connected, FastEthernet0/0
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 20.1.1.0/24 is directly connected, FastEthernet0/1
L 20.1.1.1/32 is directly connected, FastEthernet0/1
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.2
# --------Router1配置
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fa1/0
Router(config-if)#ip addr 50.1.1.254 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
Router(config-if)#exit
Router(config)#interface fa0/0
Router(config-if)#ip addr 20.1.1.2 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#interface fa0/1
Router(config-if)#ip addr 30.1.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
Router(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 20.1.1.0/24 is directly connected, FastEthernet0/0
L 20.1.1.2/32 is directly connected, FastEthernet0/0
30.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 30.1.1.0/24 is directly connected, FastEthernet0/1
L 30.1.1.1/32 is directly connected, FastEthernet0/1
50.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 50.1.1.0/24 is directly connected, FastEthernet1/0
L 50.1.1.254/32 is directly connected, FastEthernet1/0
Router(config)#ip route 10.1.1.0 255.255.255.0 20.1.1.1
Router(config)#ip route 40.1.1.0 255.255.255.0 30.1.1.2
#-------------Router2配置
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fa0/1
Router(config-if)#ip addr 40.1.1.254 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Router(config-if)#exit
Router(config)#interface fa0/0
Router(config-if)#ip addr 30.1.1.2 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.1


4. 配置完成后,通过ping测试网段之间的连通
   
5. 配置ACL

#Router1上配置ACL
Router(config)#access-list 50 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 50 deny host 40.1.1.1
Router(config)#access-list 50 permit any
Router(config)#interface fa1/0
Router(config-if)#ip access-group 50 out
#查看ACL配置
Router(config)#do show access-list
Standard IP access list 50
10 deny 10.0.0.0 0.255.255.255
20 deny host 40.1.1.1
30 permit any
#Router2上配置ACL
Router(config)#access-list 40 deny host 10.1.1.1
Router(config)#access-list 40 permit any
Router(config)#interface fa0/1
Router(config-if)#ip access-group 40 out