Catalyst 3560 ACL(deny UDP)



 

1. What is an ACL?

* Access Control List: a list of access control entries
* Used to define networks (subnets, IP addresses) and to control traffic on the basis of those definitions
* Uses two commands: permit / deny
* Uses: filtering, firewalling, traffic classification
* Types: standard, extended, named, reflexive, dynamic, MAC, VLAN, etc.
* Filtering is possible up to Layer 4 (protocol and port).

2. ACL vs iptables

* Conceptually, iptables is an ACL as well. On a router (or switch), "ACL" refers to the access-list policy,
 which has largely the same functions as iptables.

* Differences
Access-list: can also be used to control bandwidth (an ACL serves as the classifier for policing/QoS)
iptables: can defend against SYN attacks by rate-limiting identical packets or connections, and can enable additional defences through modules, for example:
### chain to DROP too many SYNs ######
/sbin/iptables -N syn-flood
# up to 100 SYN/s (burst 150) return to the calling chain; anything above that is logged and dropped
/sbin/iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
/sbin/iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
/sbin/iptables -A syn-flood -j DROP
# the chain does nothing until inbound SYNs are sent through it
/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
# note: the limit is global, not per source, so a flood also drops legitimate SYNs above the rate

3. Basic ACL policies

An access-list is evaluated from the top line down, one entry at a time, and the first matching entry decides.

If the last line of the access list is not "permit any", then by default every address
that matched no entry is denied by the implicit deny at the end of the list
=> everything else is blocked!!

New lines of a numbered access list are always appended at the end, so selectively adding
or removing a single access-list line is not possible; to change one entry you remove and re-enter the whole list.
(Named ACLs in IOS 12.3 and later carry sequence numbers, so a single entry can be inserted or deleted in ip access-list mode.)

If no access list is defined for an interface
(that is, the interface has no ip access-group command), the result is permit any.

4. Standard Access List

Also used to specify which traffic other filtering mechanisms such as route-maps act on
Range: 1 ~ 99
Characteristic: controls traffic on the basis of the source address only
Format
   * access-list [1 ~ 99] [permit / deny] [source address] [source address wildcard mask]
   * Applying to an interface: ip access-group [access-list-number] {in | out}

EX) Traffic whose source address is in 10.1.1.0/24 must not be able to communicate with the 20.1.1.0/24 network.
10.1.1.0 / 24                                                  20.1.1.0 / 24
R1 [s0/1] ----------- [s 0/0] R2 [s0/1] --------- [s0/1] R3
                            [Fa 1/0] 30.1.1.0 / 24

Because a standard list matches only the source, applying it outbound on R2 s0/1 also cuts 10.1.1.0/24 off from every other network reached through R3; this is why a standard ACL is placed as close to the destination as possible.

R2
access-list 10 deny 10.1.1.0 0.0.0.255
access-list 10 permit any
!
interface serial 0/1
ip access-group 10 out
!

5. Extended Access List

A standard access list controls traffic by source address only, whereas
an extended access list controls both the source and the destination address.

A standard access list can only control IP traffic as a whole, whereas
an extended access list can specify a particular protocol such as ip, tcp, udp or icmp.

A standard access list uses the numbers 1~99 as its access-list number,
and an extended access list uses the numbers 100~199.

* Format: access-list [100 ~ 199] [permit / deny] [protocol type] [source address] [source address wildcard mask] [destination address] [destination address wildcard mask] eq [port number]
  (the "eq [port number]" operator is optional and, placed after the destination as here, matches the destination port)

EX1) An FTP server 192.168.0.11 is attached to Fa0/0 of R1. R1 wants to block Telnet connections from the 192.168.1.0/24 network; all other traffic is allowed. (The configuration below denies Telnet to host 210.114.75.11 while the text names 192.168.0.11; use the address of the actual server in the host keyword. The list must still be bound to an interface with ip access-group 100 {in | out}.)

access-list 100 deny tcp 192.168.1.0 0.0.0.255 host 210.114.75.11 eq 23
access-list 100 permit ip any any
!

 

6. Applying an ACL on a Catalyst 3560

Block UDP arriving at port 80 of the server 192.168.1.242 in Vlan300

[root@sus100 ~]# telnet 111.111.111.111    (the Catalyst 3560 switch)
Trying 111.111.111.111...
Connected to 111.111.111.111 (111.111.111.111).
Escape character is '^]'.
User Access Verification
Password:
Switch>en
Password:
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#ip access-list extended UDP-DENY
Switch(config-ext-nacl)#deny udp any host 192.168.1.242 eq 80
Switch(config-ext-nacl)#permit ip any any
Switch(config-ext-nacl)#interface vlan 300
Switch(config-if)#ip access-group UDP-DENY out

Two points to keep in mind. An ACL on an SVI (interface vlan 300) is a router ACL: it only sees traffic routed through the SVI, so "out" filters packets routed from other VLANs into Vlan300 toward the server, while traffic between two hosts inside Vlan300 is switched at Layer 2 and never passes this ACL; filtering that needs a VLAN access map (vlan access-map / vlan filter). Verify the binding with show ip interface vlan 300 ("Outgoing access list is UDP-DENY") and the entries with show access-lists UDP-DENY. Also, the session above manages the switch over Telnet, which sends both passwords in cleartext; prefer SSH (transport input ssh on the vty lines) for management access.
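The evaluation rules of sections 3 to 6 (top-down first match, the implicit deny, permit-all when nothing is bound to the interface, wildcard masks, the standard versus extended entry formats, and numbered versus named lists), as an added example that is not part of the original page and is not Cisco's code. It is a small Python simulator that parses the page's own access-list lines; ACL 20 (a list that ends without a permit) and the packet addresses it is run against are constructed for the demonstration.

```python
"""Cisco IOS-style ACL evaluator: first match top-down, implicit deny, wildcard masks."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = (0, 0xFFFFFFFF)  # "any" == 0.0.0.0 with wildcard 255.255.255.255

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"  # ip, tcp, udp or icmp
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Entry:
    action: str  # permit | deny
    proto: str   # "ip" matches every IP protocol
    src: tuple   # (network, wildcard); 1-bits of the wildcard are "don't care"
    dst: tuple
    sport: Optional[int] = None
    dport: Optional[int] = None

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(tok):
    """Consume 'any' | 'host A' | 'A W' | bare 'A' (wildcard 0.0.0.0); return ((net, wild), rest)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    try:
        return (_ip(tok[0]), _ip(tok[1])), tok[2:]
    except (IndexError, ipaddress.AddressValueError):
        return (_ip(tok[0]), 0), tok[1:]

def _take_port(tok):
    # consume an optional 'eq <port>' (only the eq operator is modelled)
    return (int(tok[1]), tok[2:]) if tok and tok[0] == "eq" else (None, tok)

def parse_entry(tok, standard):
    if tok[0] not in ("permit", "deny"):
        raise ValueError(f"bad action {tok[0]!r}")
    if standard:  # standard: action src [wildcard]   (source address only)
        return Entry(tok[0], "ip", _take_addr(tok[1:])[0], ANY)
    src, rest = _take_addr(tok[2:])  # extended: action proto src [eq p] dst [eq p]
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, _ = _take_port(rest)
    return Entry(tok[0], tok[1], src, dst, sport, dport)

def parse_acl(config):
    """Parse 'access-list N ...' lines and 'ip access-list standard|extended NAME' blocks."""
    acls, current, standard = {}, None, False
    for raw in config.splitlines():
        tok = raw.split("!")[0].split()  # '!' starts a comment in IOS configs
        if not tok:
            continue
        if tok[0] == "access-list":  # numbered: 1-99 and 1300-1999 standard, the rest extended
            current, n = None, int(tok[1])
            standard = 1 <= n <= 99 or 1300 <= n <= 1999
            acls.setdefault(tok[1], []).append(parse_entry(tok[2:], standard))
        elif tok[:2] == ["ip", "access-list"]:
            standard, current = tok[2] == "standard", tok[3]
            acls.setdefault(current, [])
        else:  # entry inside a named ACL; may carry a leading sequence number
            acls[current].append(parse_entry(tok[1:] if tok[0].isdigit() else tok, standard))
    return acls

def _addr_ok(addr, spec):
    net, wild = spec  # compare only the bits the wildcard does not mask out
    return ((_ip(addr) ^ net) & ~wild & 0xFFFFFFFF) == 0

def _matches(e, p):
    return ((e.proto == "ip" or e.proto == p.proto)
            and _addr_ok(p.src, e.src) and _addr_ok(p.dst, e.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport))

def evaluate(entries, p):
    """Top-down; the first matching entry decides. No match: the implicit 'deny ip any any'."""
    for e in entries:
        if _matches(e, p):
            return e.action
    return "deny"

def filter_on_interface(acls, group, p):
    """group is the list bound with 'ip access-group'; None (nothing bound) permits everything."""
    return "permit" if group is None else evaluate(acls[group], p)

# The page's three ACLs, plus ACL 20 (constructed here) that has no closing permit line.
PAGE_CONFIG = """access-list 10 deny 10.1.1.0 0.0.0.255
access-list 10 permit any
access-list 100 deny tcp 192.168.1.0 0.0.0.255 host 210.114.75.11 eq 23
access-list 100 permit ip any any
ip access-list extended UDP-DENY
 deny udp any host 192.168.1.242 eq 80
 permit ip any any
access-list 20 deny 10.1.1.0 0.0.0.255
"""
```

Call filter_on_interface with the name or number from ip access-group and a Packet; a UDP datagram to 192.168.1.242:80 comes back "deny" from UDP-DENY while the same datagram over TCP is permitted, and under ACL 20 a source outside 10.1.1.0/24 is denied as well, since nothing after the single deny matches it. The model evaluates one packet against one list and knows nothing about interfaces or VLANs, so it cannot tell you whether a given packet actually traverses the SVI the list is bound to.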

 

 

 


[Original post link] : https://www.linux.co.kr/home2/board/subbs/board.php?bo_table=lecture&wr_id=1653



 