Filtering IP Packets on Router Interfaces with Extended Access Lists

最新推荐文章于 2019-07-09 11:47:00 发布
最新推荐文章于 2019-07-09 11:47:00 发布
阅读量757 收藏
点赞数
CC 4.0 BY-SA版权
分类专栏: 我的网络技术 文章标签: access internet network tcp interface list
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/xiaofam/article/details/1053505
本文介绍了一种通过配置路由器上的扩展访问控制列表(ACL),来允许特定ICMP和TCP流量进入内部网络的方法。该设置允许从互联网接收错误报告,并允许响应内部发起连接的TCP数据包及SMTP服务的流量。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

Suppose a router is connected to an "internal" Ethernet network and also has a link to the Internet via its serial 0 interface. The internal Ethernet network is the Class B network 131.108.0.0. You want to allow Internet Control Message Protocol (ICMP) messages in from the Internet to the Ethernet network for error-reporting purposes. You also want to allow TCP packets in from the Internet if they are destined to the Simple Mail Transport Protocol (SMTP) port of host 131.108.15.1 or if they are destined to ports greater that 1023 (this setup will allow TCP packets that are in response to connections generated from the internal network). This setup can be accomplished with the following extended access list:

access-list 177 permit tcp 0.0.0.0 255.255.255.255 131.108.0.0 0.0.255.255    gt 1023
access-list 177 permit tcp 0.0.0.0 255.255.255.255 131.108.15.1 0.0.0.0 eq    25
access-list 177 permit icmp 0.0.0.0 255.255.255.255 131.108.0.0 0.0.255.255
 
interface s 0
ip address 207.200.115.6 255.255.255.252
ip access-group 177 in

This access list could also be written as:

access-list 177 permit tcp any 131.108.0.0 0.0.255.255 gt 1023
access-list 177 permit tcp any host 131.108.15.1 eq smtp
access-list 177 permit icmp any 131.108.0.0 0.0.255.255

We could also accomplish the same thing with the following standard named access list:

ip access-list extended filter-in
permit tcp any 131.108.0.0 0.0.255.255 gt 1023
permit tcp any host 131.108.15.1 eq smtp
permit icmp any 131.108.0.0 0.0.255.255
 
interface s 0
ip address 207.200.115.6 255.255.255.252
ip access-group filter-in in 
Chrome的启动参数
Criss@陈磊
02-23 5547
List of Chromium Command Line Switches Condition Explanation --[1]⊗ Classic, non-material, mode for the |kTopChromeMD| switch.↪ --0⊗ Value of the --profiler-timing flag that will disable timin...
CCNP350-401学习笔记(易错题合集)
shuyan1115的博客
03-01 1162
CCNP350-401学习笔记(易错题合集)
Understadning Cisco Access-Lists on Switches: PACL, VACL, RACL and MACL
Cyber Security Memo
12-31 132
(adsbygoogle = window.adsbygoogle || []).push({}); This ‘ACLs on Switches’ diagram shows PACL, VACL and RACL location and traffic direction on switch. It is clear and easy understanding. ...
Install LEDE on a BT Home Hub 5 / Plusnet One Router
weixin_30617797的博客
07-09 1125
Overview / Purpose of this guide These instructions are for aimed at users of Windows but a lot of the information will work for other OS users. I wrote these instructions just to clear few things u...
Configuring IP Uplink Redirect on Catalyst 2948G-L3 Switches
blakegao的专栏
09-15 1324
Introduction This document provides a sample configuration for the IP uplink redirect feature on the Catalyst 2948G-L3 switch. Enabling IP uplink redirect restricts devices connected to the Fast Ethe
Improving Security on Cisco Routers
gotonet的专栏
10-29 809
IntroductionThis document is an informal discussion of some Cisco configuration settings that network administrators should consider changing on their routers, especially on their border routers, in o
Juniper show interfaces
achejq的专栏
05-07 2920
show interfaces Syntax show interfaces ge-fpc/pic/port<brief | detail | extensive | terse>snmp-index> Release Information Command introduced in JUNOS Release 9.0 for EX-series switches
CCNA 4 Chapter 5
Microblue(严 武)
11-08 2032
Refer to the exhibit. The network administrator applied an ACL outbound on S0/0/0 on router R1. Immediately after the administrator did so, the users on network 172.22.30.0/24 started complaining
Linux and Unix ip command
奔跑的路
06-01 1376
Linux and Unix ip command Quick links About ip Syntax Examples Related commands Linux and Unix main page About ip Show and manipulate routing, devices, policy routing and tunnels. Synta
cisco ACL
thmono的学习笔记
03-08 2644
Home | Skip to Content | Skip to Navigation | Skip to Footer  Worldwide [change] Log In |Account |Register |About Cisco Solutions    Products & Services    Ordering    Support    Training & Even
linux实现有态防火墙及IP转发方案
weixin_33682790的博客
02-03 284
内核配置,第 1 部分安装之后,应该有一个 "iptables" 命令可供使用,还有一个方便的 iptables 帮助页面("man iptables")。好;现在只需要确保已在内核中构建了必需的功能。本教程假设您编译自己的内核。进入 /usr/src/linux,输入 "make menuconfig" 或 "make xconfig";我们将启用一些内核网络功能。内核...
Cisco Press - OSPF Network Design Solutions, 2nd Edition
10-03
Distribute Lists and OSPF 398 Chapter Summary 403 0323FMf.book Page xii Wednesday, March 12, 2003 9:41 AM xiii Chapter 7 Summarization with OSPF 405 Summarization with OSPF 406 Benefits of ...
CISCO R&S CCIE TREE
LinuxKernelCiscoIOS的博客
01-16 928
CISCO R&S CCIE TREE CISCO-CCIE-Theory-Architecture
网关的定义
xiaofam's dream
04-30 5711
 以前看书的时候也有点疑问,现在在网上论坛上看到的关于这个的讨论,都可以说是茅塞顿开了~~可以概括的说:网关是一个非常广泛的概念,我们很难给出一个确切的定义。从第一层到第七层都可以有网关设备出现。我们通常所说的网关主要是指第三层的设备,即路由器。关于网关是工作在某几层的观点是不正确的,过于教条主义,而缺少对事物本质的了解。譬如说应用网关,一个应用网关的具体设备确实会
单臂路由!!!!终于搞定你了,,,
xiaofam's dream
08-20 5570
终于搞定了路由+交换机 的单臂路由了,,气死我了,一样的配置,,用那两个模拟器,竟连有的命令都不支持,,郁闷,,C2900交换机:switch>enswitch#conf tEnter configuration commands, one per line.  End with CNTL/Z.switch(config)#exitswitch#vlan databaseswitch(vlan
Vlan在园区网中的应用,配置
xiaofam's dream
08-14 3670
 随着网络硬件性能的不断提高、成本的不断降低,目前新建立的校园网基本上都采用了性能先进的千兆网技术,其核心交换机采用三层交换机,它能很好地支持虚拟局域网(VLAN)技术,虚拟网络技术打破了地理环境的制约,在不改动网络物理连接的情况下可以任意将工作站在工作组或子网之间移动,工作站组成逻辑工作组或虚拟子网,提高信息系统的运作性能,均衡网络数据流量,合理利用硬件及信息资源。同时,利用虚拟网络技术
关于boson 6.0 final bata和routersim network visualizer 5.0
xiaofam's dream
08-14 2198
不知道什么是不是BOSON是FINAL BATA版的缘故,在这里配置的一些实验,很多不成功的,但是拿到 routersim network visualizer 5.0又可以成功??有时候,在BOSON里花了一整天去研究,出错在哪里,总是找不到原因,但把同样的配置拿到后者那里,确是一下子就成功了,有时候还真是百思不得其解,是他们的IOS VERSION 的原因?相对于这么简单的来说,应该不会啊
关于ACCESS-LIST的一个实验
xiaofam's dream
08-12 2110
图:The requirement is to create an access list on Router_D that will allow the host on the inside (Router_B) to ping and Telnet to Router_F or Router_E on the outside. However, Router_E on the outsid
网络工程师考试备考-数据通信基础[1]-转贴
xiaofam's dream
04-30 1607
  一、数据通信的构成原理、交换方式及适用范围       1.数据通信的构成原理    DTE是数据终端。数据终端有分组型终端(PT)和非分组型终端(NPT)两大类。分组型终端有计算机、数字传真机、智能用户电报终端(TeLetex)、用户分组装拆设备(PAD)、用户分组交换机、专用电话交换机(PABX)、可视图文接入设备(VAP)、局域网(LAN)等各种专用终端设备;非分组型终端有个
ip access-list extended acl
03-29
An IP access-list extended (ACL) is a type of access control list used in network security to filter network traffic based on various criteria such as source and destination IP addresses, protocols, ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值