使用访问控制列表预防IP地址欺骗(IP Address Spoofing Prevention with ACLs)
【Lab description】
Configure the gateway router to prevent IP address spoofing.

【Lab topology】
Topology as given by the configuration below: R1 (10.0.0.1) and R6 (10.0.0.6) sit on the inside segment 10.0.0.0/24 behind gateway R4's FastEthernet0/0 (10.0.0.4). R4's outside links to R5 are Serial0/1 (155.1.45.0/24) and the Frame Relay point-to-point subinterface Serial0/0.1 (155.1.0.0/24). R4's public prefix is 150.1.4.0/24 (Loopback0), from which the static NAT addresses 150.1.4.1 and 150.1.4.6 are taken.
IOS: c2691-advsecurityk9-mz.124-11.T2.bin
【Configuration steps】
- On the gateway's outside interfaces, filter inbound packets sourced from the RFC 1918 private ranges and from the RFC 3330 special-use ranges (0.0.0.0, loopback, link-local, TEST-NET, multicast and class E).
- Apply RFC 2827 (BCP 38) ingress filtering on the gateway: a packet arriving from outside must never carry a source address from our own public prefix 150.1.4.0/24.
- In other words, on the inside only our own network may appear as a source, and from the outside our own network must never appear as a source.
- Filter ICMP redirect messages (they can be used to steer traffic as part of a spoofing attack) and disable IP source routing.
- Do not block source address 0.0.0.0 on the inside interface, because DHCP clients use it when requesting a lease. A client with no lease sends DHCPDISCOVER/DHCPREQUEST from 0.0.0.0 to the broadcast address 255.255.255.255, so the permit entry has to cover the destination those packets actually carry, not only the router's unicast address.
- Configure the network as the "Standard NAT Configuration" (shown below).
- Create the extended access-list OUTSIDE_IN.
- Create the extended access-list INSIDE_IN.
- Apply access-list INSIDE_IN inbound on the gateway's inside interface.
- Apply access-list OUTSIDE_IN inbound on the gateway's outside interfaces.
【Lab configuration】
R4:
no ip source-route
!
ip access-list extended OUTSIDE_IN
 remark == Redirects may be used for spoofing
 deny icmp any any redirect
 remark == RFC 1918
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 remark == RFC 3330
 deny ip host 0.0.0.0 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 remark == RFC 2827: our own prefix must never arrive from outside
 deny ip 150.1.4.0 0.0.0.255 any
 permit ip any any
!
ip access-list extended INSIDE_IN
 deny icmp any any redirect
 permit ip 10.0.0.0 0.0.0.255 any
 permit udp host 0.0.0.0 host 10.0.0.4 eq bootps
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group INSIDE_IN in
!
interface Serial0/1
 ip access-group OUTSIDE_IN in
!
interface Serial0/0.1
 ip access-group OUTSIDE_IN in
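The two lists can be sanity-checked without a router. The following is an added example (my own Python, not code from the original post): it parses the OUTSIDE_IN and INSIDE_IN entries exactly as written above, applies Cisco wildcard-mask matching and first-match-wins ordering with the implicit final deny, and evaluates a handful of constructed packets, including the spoofed-source cases the steps describe and the DHCP broadcast case. The packet addresses, the Entry/evaluate/run_samples names and the sample cases are my own constructions.

```python
"""Offline model of the lab's OUTSIDE_IN and INSIDE_IN anti-spoofing ACLs.
Added example, not part of the original post. ACL text is copied from the
lab configuration (remarks and '!' are skipped); the packets are constructed."""
import ipaddress
from collections import namedtuple

OUTSIDE_IN = """
deny icmp any any redirect
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip host 0.0.0.0 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 150.1.4.0 0.0.0.255 any
permit ip any any
"""
INSIDE_IN = """
deny icmp any any redirect
permit ip 10.0.0.0 0.0.0.255 any
permit udp host 0.0.0.0 host 10.0.0.4 eq bootps
deny ip any any log
"""
PORT_NAMES = {"bootps": 67, "bootpc": 68}

# src/dst are (base, wildcard) 32-bit ints; dst_port and icmp_type may be None
Entry = namedtuple("Entry", "action proto src dst dst_port icmp_type log")


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))


def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("!", "remark"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port, icmp_type, log = None, None, "log" in rest
        if "eq" in rest:
            name = rest[rest.index("eq") + 1]
            port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        if proto == "icmp" and rest and rest[0] not in ("eq", "log"):
            icmp_type = rest[0]          # ICMP message keyword such as "redirect"
        entries.append(Entry(action, proto, src, dst, port, icmp_type, log))
    return entries


def _match_addr(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) ^ base) & care == 0


def _matches(entry, pkt):
    if entry.proto != "ip" and entry.proto != pkt["proto"]:
        return False
    if not (_match_addr(entry.src, pkt["src"]) and _match_addr(entry.dst, pkt["dst"])):
        return False
    if entry.dst_port is not None and pkt.get("dport") != entry.dst_port:
        return False
    return entry.icmp_type is None or pkt.get("icmp_type") == entry.icmp_type


def evaluate(entries, pkt):
    """First match wins; an IOS ACL ends with an implicit 'deny ip any any'.
    Returns (action, sequence number as 'show ip access-lists' numbers it, logged)."""
    for i, entry in enumerate(entries):
        if _matches(entry, pkt):
            return entry.action, (i + 1) * 10, entry.log
    return "deny", None, False


def run_samples():
    """Constructed packets covering the spoofing cases the lab steps describe."""
    out, ins = parse_acl(OUTSIDE_IN), parse_acl(INSIDE_IN)
    return {
        # arriving from the Internet side (Serial0/1, Serial0/0.1)
        "outside_rfc1918_src": evaluate(out, {"proto": "tcp", "src": "10.1.2.3", "dst": "150.1.4.1"}),
        "outside_own_prefix_src": evaluate(out, {"proto": "tcp", "src": "150.1.4.9", "dst": "150.1.4.1"}),
        "outside_icmp_redirect": evaluate(out, {"proto": "icmp", "src": "155.1.45.5", "dst": "150.1.4.1", "icmp_type": "redirect"}),
        "outside_legit": evaluate(out, {"proto": "tcp", "src": "155.1.45.5", "dst": "150.1.4.1"}),
        # arriving from the LAN (FastEthernet0/0)
        "inside_legit": evaluate(ins, {"proto": "tcp", "src": "10.0.0.1", "dst": "155.1.45.5"}),
        "inside_spoofed_src": evaluate(ins, {"proto": "tcp", "src": "192.168.1.1", "dst": "155.1.45.5"}),
        "inside_dhcp_unicast": evaluate(ins, {"proto": "udp", "src": "0.0.0.0", "dst": "10.0.0.4", "dport": 67}),
        # a DHCPDISCOVER is broadcast: it misses the unicast permit and hits the logged deny
        "inside_dhcp_broadcast": evaluate(ins, {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67}),
    }


if __name__ == "__main__":
    print(*(f"{k:24s} {v}" for k, v in run_samples().items()), sep="\n")
```

Running the file prints one verdict per sample. The spoofed sources (an RFC 1918 address or our own 150.1.4.0/24 arriving from outside, a non-10.0.0.0/24 source leaving the LAN) are denied at the expected sequence numbers, and the inside deny carries the log flag. The last case is the DHCP caveat from the steps: a DHCPDISCOVER addressed to 255.255.255.255 does not match `permit udp host 0.0.0.0 host 10.0.0.4 eq bootps` and falls through to `deny ip any any log`.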
【Static NAT configuration】
R1:
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.4

R6:
interface FastEthernet0/0
 ip address 10.0.0.6 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.4

R4:
interface Loopback0
 ip address 150.1.4.4 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 10.0.0.4 255.255.255.0
 ip nat inside
!
interface Serial0/0
 encapsulation frame-relay
 no shutdown
!
interface Serial0/0.1 point-to-point
 ip address 155.1.0.4 255.255.255.0
 frame-relay interface-dlci 405
 ip nat outside
!
interface Serial0/1
 ip address 155.1.45.4 255.255.255.0
 clock rate 2000000
 ip nat outside
!
router ospf 1
 router-id 150.1.4.4
 network 150.1.4.4 0.0.0.0 area 0
 network 155.1.0.4 0.0.0.0 area 0
 network 155.1.45.4 0.0.0.0 area 0
!
router bgp 1
 bgp router-id 150.1.4.4
 neighbor 150.1.5.5 remote-as 2
 neighbor 150.1.5.5 ebgp-multihop 255
 neighbor 150.1.5.5 update-source Loopback0
!
ip nat inside source static 10.0.0.1 150.1.4.1
ip nat inside source static 10.0.0.6 150.1.4.6

R5:
interface Loopback0
 ip address 150.1.5.5 255.255.255.0
 ip ospf network point-to-point
!
interface Serial0/0
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 ip address 155.1.0.5 255.255.255.0
 frame-relay interface-dlci 504
!
interface Serial0/1
 ip address 155.1.45.5 255.255.255.0
 clock rate 2000000
!
router ospf 1
 router-id 150.1.5.5
 network 150.1.5.5 0.0.0.0 area 0
 network 155.1.0.5 0.0.0.0 area 0
 network 155.1.45.5 0.0.0.0 area 0
!
router bgp 2
 bgp router-id 150.1.5.5
 neighbor 150.1.4.4 remote-as 1
 neighbor 150.1.4.4 ebgp-multihop 255
 neighbor 150.1.4.4 update-source Loopback0
 neighbor 150.1.4.4 default-originate
【Lab verification】
R4#sho ip access-lists
Standard IP access list INSIDE_NETWORK
    10 permit 10.0.0.0, wildcard bits 0.0.0.255
Extended IP access list INSIDE_IN
    10 deny icmp any any redirect
    20 permit ip 10.0.0.0 0.0.0.255 any
    30 permit udp host 0.0.0.0 host 10.0.0.4 eq bootps
    40 deny ip any any log
Extended IP access list OUTSIDE_IN
    10 deny icmp any any redirect
    20 deny ip 10.0.0.0 0.255.255.255 any
    30 deny ip 172.16.0.0 0.15.255.255 any
    40 deny ip 192.168.0.0 0.0.255.255 any
    50 deny ip host 0.0.0.0 any
    60 deny ip 224.0.0.0 31.255.255.255 any
    70 deny ip 127.0.0.0 0.255.255.255 any
    80 deny ip 169.254.0.0 0.0.255.255 any
    90 deny ip 192.0.2.0 0.0.0.255 any
    100 deny ip 150.1.4.0 0.0.0.255 any
    110 permit ip any any (26 matches)
Reposted from: https://blog.51cto.com/haolun/991678