Filtering IP Packets on Router Interfaces with Extended Access Lists

This article describes how to allow specific ICMP and TCP traffic into an internal network by configuring an extended access control list (ACL) on a router. The setup accepts error reports from the Internet and permits TCP packets that respond to connections initiated from the internal network, as well as traffic to the SMTP service.

Suppose a router is connected to an "internal" Ethernet network and also has a link to the Internet via its serial 0 interface. The internal Ethernet network is the Class B network 131.108.0.0. You want to allow Internet Control Message Protocol (ICMP) messages in from the Internet to the Ethernet network for error-reporting purposes. You also want to allow TCP packets in from the Internet if they are destined to the Simple Mail Transport Protocol (SMTP) port of host 131.108.15.1 or if they are destined to ports greater than 1023 (this setup will allow TCP packets that are in response to connections generated from the internal network). This setup can be accomplished with the following extended access list:

access-list 177 permit tcp 0.0.0.0 255.255.255.255 131.108.0.0 0.0.255.255 gt 1023
access-list 177 permit tcp 0.0.0.0 255.255.255.255 131.108.15.1 0.0.0.0 eq 25
access-list 177 permit icmp 0.0.0.0 255.255.255.255 131.108.0.0 0.0.255.255

interface s 0
ip address 207.200.115.6 255.255.255.252
ip access-group 177 in

This access list could also be written as:

access-list 177 permit tcp any 131.108.0.0 0.0.255.255 gt 1023
access-list 177 permit tcp any host 131.108.15.1 eq smtp
access-list 177 permit icmp any 131.108.0.0 0.0.255.255

We could also accomplish the same thing with the following named extended access list:

ip access-list extended filter-in
permit tcp any 131.108.0.0 0.0.255.255 gt 1023
permit tcp any host 131.108.15.1 eq smtp
permit icmp any 131.108.0.0 0.0.255.255

interface s 0
ip address 207.200.115.6 255.255.255.252
ip access-group filter-in in
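To make the matching semantics concrete, here is a small evaluator added as example code (it is not Cisco's code or part of the original article): it parses the three numbered-ACL lines above, applies Cisco wildcard-mask matching, tries entries top-down with first match winning, and ends with the implicit deny. The packet source 203.0.113.9 and the port numbers used for checking are constructed sample values.

```python
import ipaddress
PORT_NAMES = {"smtp": 25}  # port keyword used on this page

def _addr_spec(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq|gt|lt PORT]'."""
    tokens = line.split()
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, dst = _addr_spec(rest), _addr_spec(rest)
    port_op = port = None
    if rest:  # optional destination-port operator
        port_op = rest[0]
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "port_op": port_op, "port": port}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    diff = int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(base))
    return diff & care == 0

def port_match(op, want, got):
    if op is None:
        return True
    return {"eq": got == want, "gt": got > want, "lt": got < want}[op]

def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet (dport needed for tcp/udp)."""
    for ace in acl:
        if (ace["proto"] == proto and wildcard_match(src, *ace["src"])
                and wildcard_match(dst, *ace["dst"])
                and port_match(ace["port_op"], ace["port"], dport)):
            return ace["action"]
    return "deny"  # implicit 'deny any' at the end of every Cisco ACL

ACL_177 = [parse_ace(line) for line in (  # the numbered list from this page
    "access-list 177 permit tcp any 131.108.0.0 0.0.255.255 gt 1023",
    "access-list 177 permit tcp any host 131.108.15.1 eq smtp",
    "access-list 177 permit icmp any 131.108.0.0 0.0.255.255",
)]
```

Running `evaluate(ACL_177, "tcp", "203.0.113.9", "131.108.20.7", 40000)` returns `permit`, which shows the caveat with the first entry: it matches on destination port alone, so a new inbound connection to any high port is admitted, not only replies. Cisco's `established` keyword, which matches only segments with ACK or RST set, is the usual way to narrow that entry to reply traffic.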