1. Syntax
- General form
Router(config)#access-list access-list-number {permit | deny} {protocol | protocol-keyword} {source source-wildcard | any} {destination destination-wildcard | any} [protocol-options]
Entries are evaluated top to bottom and the first match decides; a packet that matches no entry is dropped by the implicit deny at the end of every list, which is why the lists below end with permit ip any any whenever everything else is supposed to pass. The wildcard is the inverse of a subnet mask: a 0 bit must match, a 1 bit is ignored (0.0.0.255 covers a /24, and host A.B.C.D is shorthand for A.B.C.D 0.0.0.0).
- Extended access list for the ICMP protocol
Router(config)#access-list access-list-number {permit | deny} icmp {source source-wildcard | any} {destination destination-wildcard | any} [icmp-type [icmp-code] | icmp-message]
- Extended access list for the TCP protocol
Router(config)#access-list access-list-number {permit | deny} tcp {source source-wildcard | any} [operator source-port [source-port]] {destination destination-wildcard | any} [operator destination-port [destination-port]] [established]
  - Ports can be given as a TCP port number or as a keyword (telnet, www, ...); operator is one of eq, neq, gt, lt or range (range takes two ports).
  - established is supported: the entry matches only segments with the ACK or RST bit set, i.e. traffic belonging to a connection already opened from the other side, not a new connection's SYN. This is a stateless flag check, not connection tracking, so a crafted packet with ACK set (an ACK scan, for example) matches a permit ... established entry even when no session exists.
- Extended access list for the UDP protocol
Router(config)#access-list access-list-number {permit | deny} udp {source source-wildcard | any} [operator source-port [source-port]] {destination destination-wildcard | any} [operator destination-port [destination-port]]
  - Ports can be given as a UDP port number or as a keyword.
  - established is not supported (UDP has no connection flags to test).
2. Example
Requirement: on the 192.168.1.0 network, block all TCP access to server A (192.168.1.11) except Telnet. Hosts in 192.168.3.0 must not be able to reach 192.168.5.0. The 192.168.1.0 and 192.168.5.0 networks must be able to communicate with each other.
Note that the first entry of ACL 100 below denies only Telnet (TCP/23) to 192.168.1.11 and the final entry permits everything else, so as written the list blocks Telnet to the server rather than blocking all TCP except Telnet. To implement the requirement literally, a permit entry for Telnet to the server would have to be followed by a deny entry for all other TCP to the server, both ahead of the final permit.
RouterA# config t
RouterA(config)# access-list 100 deny tcp any host 192.168.1.11 eq telnet
RouterA(config)# access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
RouterA(config)# access-list 100 permit ip any any
RouterA(config)# interface serial 0
RouterA(config-if)# ip access-group 100 in
RouterC# config t
RouterC(config)# interface serial 0
RouterC(config-if)# ip access-group 100 in
The same three access-list 100 statements must also be entered on RouterC before the list is applied there: IOS treats an ip access-group that references an access list which does not exist as permit all, so the filter would silently be absent on RouterC.
3. FAQ
3-1) Blocking Telnet from outside into the internal network (here 203.255.113.0/24 is an outside network that is still allowed to Telnet in)
The established entry comes first so that replies to connections opened from inside still pass; the deny then stops new connection attempts to port 23 from everyone else, and the final permit ip any any lets all other traffic through.
Router#config t
Router(config)#access-list 100 permit tcp any any established
Router(config)#access-list 100 permit tcp 203.255.113.0 0.0.0.255 any eq telnet
Router(config)#access-list 100 deny tcp any any eq telnet
Router(config)#access-list 100 permit ip any any
Router(config)#^Z
Router#config t
Router(config)#int s0
Router(config-if)#ip access-group 100 in
Router(config-if)#^Z
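The lists in sections 1, 2 and 3-1 (and the implicit deny that list 101 in 3-4 relies on) can be exercised offline with the following Python evaluator. It is an added example, not code from the original page or from Cisco, and it implements only the subset of the access-list syntax used on this page; the Packet type, the sample hosts 198.51.100.4 (outside) and 10.1.1.1 (inside), and the function names are this example's own. It demonstrates first-match ordering, wildcard matching, how a range entry like the one in 3-5 is evaluated, and why established lets a crafted ACK-flagged segment through to port 23 even though new Telnet connections are denied.

```python
"""Evaluate Cisco-style numbered extended IP access lists against constructed packets.
Added example, not code from the original page or from Cisco. It covers the subset of the
section 1 syntax this page uses (permit/deny; ip/tcp/udp/icmp; any, host A.B.C.D, or
A.B.C.D W.W.W.W; eq/neq/gt/lt/range ports; established), first-match order, implicit deny."""
import ipaddress
from collections import namedtuple
from typing import List, Tuple

# Port keywords IOS accepts instead of numbers (only those used on this page).
PORT_KEYWORDS = {"discard": 9, "telnet": 23, "time": 37, "tftp": 69, "www": 80,
                 "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139, "snmp": 161}
ANY = (0, 0xFFFFFFFF)  # address 0.0.0.0 with wildcard 255.255.255.255

# This example's own packet representation (not an IOS structure); `ack` means the TCP
# ACK or RST bit is set, which is all that `established` inspects.
Packet = namedtuple("Packet", "src dst proto sport dport ack", defaults=(0, 0, False))
# One parsed statement: src/dst are (address, wildcard) 32-bit ints, sport/dport are
# (operator, port, high-port) or None, text is the original line for reporting.
Entry = namedtuple("Entry", "action proto src dst sport dport established text")

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr(t: List[str], i: int):
    """Parse `any`, `host A.B.C.D` or `A.B.C.D W.W.W.W` at t[i]; return (rule, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _port(t: List[str], i: int):
    """Parse an optional `<operator> port [port]` clause at t[i]; ports may be keywords."""
    if i >= len(t) or t[i] not in ("eq", "neq", "gt", "lt", "range"):
        return None, i
    num = lambda tok: PORT_KEYWORDS[tok] if tok in PORT_KEYWORDS else int(tok)
    if t[i] == "range":
        return ("range", num(t[i + 1]), num(t[i + 2])), i + 3
    return (t[i], num(t[i + 1]), num(t[i + 1])), i + 2

def parse_entry(line: str) -> Entry:
    """Parse one `access-list N {permit|deny} proto ...` statement.
    ICMP type/code words after the destination are accepted but not evaluated."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported statement: {line}")
    proto, has_ports = t[3], t[3] in ("tcp", "udp")
    src, i = _addr(t, 4)
    sport, i = _port(t, i) if has_ports else (None, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i) if has_ports else (None, i)
    return Entry(t[2], proto, src, dst, sport, dport, proto == "tcp" and "established" in t[i:], line)

def load(config: str) -> List[Entry]:
    return [parse_entry(l) for l in config.strip().splitlines()]

def _match_addr(ip: str, rule: Tuple[int, int]) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means that bit of the address is ignored."""
    addr, wild = rule
    care = ~wild & 0xFFFFFFFF
    return (_ip(ip) & care) == (addr & care)

def _match_port(port: int, rule) -> bool:
    if rule is None:
        return True
    op, a, b = rule
    return {"eq": port == a, "neq": port != a, "gt": port > a, "lt": port < a, "range": a <= port <= b}[op]

def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """Return (action, matching statement). First match wins; no match hits the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_match_addr(pkt.src, e.src) and _match_addr(pkt.dst, e.dst)):
            continue
        if e.proto in ("tcp", "udp") and not (_match_port(pkt.sport, e.sport) and _match_port(pkt.dport, e.dport)):
            continue
        if e.established and not pkt.ack:  # stateless: only the flag is inspected, no session table
            continue
        return e.action, e.text
    return "deny", "implicit deny at end of list"

# The page's own lists as input: section 2 (with `telent` corrected), FAQ 3-1, and vty list 101 from 3-4.
ACL_SECTION2 = load("""
access-list 100 deny tcp any host 192.168.1.11 eq telnet
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip any any""")
ACL_FAQ31 = load("""
access-list 100 permit tcp any any established
access-list 100 permit tcp 203.255.113.0 0.0.0.255 any eq telnet
access-list 100 deny tcp any any eq telnet
access-list 100 permit ip any any""")
ACL_FAQ34_VTY = load("""
access-list 101 deny tcp any any eq telnet
access-list 101 deny tcp any any eq discard""")

if __name__ == "__main__":
    # Constructed sample packets; 198.51.100.4 (outside) and 10.1.1.1 (inside) are arbitrary hosts.
    for acl, pkt in [(ACL_SECTION2, Packet("198.51.100.4", "192.168.1.11", "tcp", 40000, 23)),
                     (ACL_SECTION2, Packet("192.168.3.7", "192.168.5.9", "udp", 5000, 53)),
                     (ACL_FAQ31, Packet("198.51.100.4", "10.1.1.1", "tcp", 40000, 23)),            # new connection
                     (ACL_FAQ31, Packet("198.51.100.4", "10.1.1.1", "tcp", 40000, 23, ack=True)),  # crafted ACK probe
                     (ACL_FAQ34_VTY, Packet("198.51.100.4", "203.231.89.34", "tcp", 40000, 22))]:  # nothing matches
        action, why = evaluate(acl, pkt)
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}{' ACK' if pkt.ack else ''}: {action} [{why}]")
```

Running the block prints the decision and the matching statement for each constructed packet; the ACK-flagged probe against the 3-1 list is permitted by the established entry while the plain SYN to the same port is denied, and the request to port 22 against list 101 falls through to the implicit deny. To implement the section 2 requirement literally (only Telnet to 192.168.1.11, all other TCP to it denied), the server's entries would be `access-list 100 permit tcp any host 192.168.1.11 eq telnet` followed by `access-list 100 deny tcp any host 192.168.1.11`; feeding that order to evaluate() shows other TCP ports now hitting the deny.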
3-2) Blocking the Back Orifice port coming in from outside
interface Serial0
ip access-group 119 in
access-list 119 permit tcp any any established
access-list 119 deny tcp any any eq 31337
access-list 119 deny udp any any eq 31337
access-list 119 permit ip any any
31337 is only Back Orifice's default (UDP) port; a server reconfigured to listen on another port is not caught by this list.
3-3) Preventing access to shared folders from outside
interface Serial0
ip access-group 119 in
access-list 119 permit tcp any any established
access-list 119 deny udp any any eq netbios-ns
access-list 119 deny udp any any eq netbios-dgm
access-list 119 deny tcp any any eq 139
access-list 119 permit ip any any
netbios-ns and netbios-dgm are the keywords for UDP 137 and 138, and TCP 139 (keyword netbios-ss) is the NetBIOS session service that carries SMB. Windows 2000 and later also carry SMB directly over TCP 445, so a matching deny for TCP port 445 is needed to actually block file sharing from outside.
3-4) Restricting Telnet, ping and similar access to the router itself from outside
interface Serial0
ip address 203.231.89.34 255.255.255.252
ip access-group 102 in
encapsulation ppp
!
access-list 101 deny tcp any any eq telnet
access-list 101 deny tcp any any eq discard
access-list 102 deny icmp any host 203.227.80.180
access-list 102 deny icmp any host 203.231.89.34
access-list 102 deny udp any host 203.231.89.34 eq time
access-list 102 deny udp any host 203.227.80.180 eq time
access-list 102 deny udp any host 203.231.89.34 eq tftp
access-list 102 deny udp any host 203.227.80.180 eq tftp
access-list 102 deny udp any host 203.227.80.180 eq snmp
access-list 102 deny udp any host 203.231.89.34 eq snmp
access-list 102 deny icmp any host 203.227.80.181
access-list 102 permit ip any any
line vty 0 4
access-class 101 in
password wooju
login
Access list 101, applied to the vty lines with access-class, contains only deny entries, so after the implicit deny no source can open a vty session at all, from inside or outside; a permit entry for the trusted management addresses is needed if remote administration is to remain possible. The icmp entries in list 102 deny every ICMP type addressed to the router's interfaces, not only echo requests, so ICMP error messages sent to the router (for traffic the router itself originates) are dropped as well.
3-5) Filtering a variable port range (Soribada: 9000~9999)
Router(config)#access-list 100 permit tcp any any established
Router(config)#access-list 100 deny tcp any any range 9000 9999
Router(config)#access-list 100 deny udp any any range 9000 9999
Router(config)#access-list 100 permit ip any any
Router(config)#int s0
Router(config-if)#ip access-group 100 in