Catalyst 3560 ACL(deny UDP)
1. ACL Àº¹«¾ùÀΰ¡?
* Access Control List : Á¢±ÙÁ¦¾îÇ׸ñ
* ³×Æ®¿öÅ©(¼ºê³Ý, IP ÁÖ¼Ò)¸¦ Á¤ÀÇÇϰųª, Á¤ÀÇÇÑ ³»¿ëÀ» ±Ù°Å·Î Æ®·¡ÇÈÀ» Á¦¾îÇÒ¶§»ç¿ëÇÔ
* Permit / Deny µÎ°¡Áö Command¸¦ »ç¿ëÇÔ
* »ç¿ë¿ëµµ : ÇÊÅ͸µ, ¹æȺ®, Æ®·¡ÇÈ Á¤ÀÇ
* Á¾·ù : Standard, Extended, Named Reflective, Dynamic, Mac, VLAN µî
* Layer 4 °èÃþ ±îÁö FlteringÀÌ °¡´ÉÇÔ.
2. ACL vs IPtables
* ACLÀÇ ¿ë¾î °³³ä»ó IPtales´Â ACLÀÌ´Ù. ¶ó¿ìÅÍ(½ºÀ§Ä¡)¿¡¼ ACLÀº access-list Á¤Ã¥À» ¸»Çϸç,
ÀÌ´Â IPtables ¿Í ´ëºÎºÐ µ¿ÀÏÇÑ ±â´ÉÀ» °¡Áö°í ÀÖ´Ù.
* ´Ù¸¥Á¡
Access-list : ´ë¿ªÆø Á¶ÀýÀÌ°¡´É
Iptables : µ¿ÀÏ ÆÐŶ¿¡ ´ëÇÑ Á¢¼Ó Á¦ÇѵîÀ» ÅëÇØsyn °ø°Ý¹æ¾î , ¸ðµâÀ» ÅëÇÑ Ãß°¡ ¹æ¾î±â´É À» È°¼ºÈ ÇÒ¼ö ÀÖ´Ù.
### chains to DROP too many SYN-s ######
/sbin/iptables -N syn-flood
/sbin/iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
/sbin/iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
/sbin/iptables -A syn-flood -j DROP
3. ACLÀÇ ±âº»Á¤Ã¥
access-list´Â ÀÁÙºÎÅÍ Çϳª¾¿ Â÷·Ê·Î ¼öÇàµÈ´Ù.
access listÀÇ ¸Ç ¸¶Áö¸· line¿¡ "permit any"¸¦ ³ÖÁö ¾ÊÀ» °æ¿ì´Â
default·Î ¾î´À access list¿Íµµ match µÇÁö ¾ÊÀº ³ª¸ÓÁö ¸ðµç
address ´Â deny µÈ´Ù => ÀüºÎÂ÷´ÜµÈ´Ù!!
access listÀÇ »õ·Î¿î line Àº Ç×»ó ¸Ç ¸¶Áö¸·À¸·Î Ãß°¡µÇ¹Ç·Î
access-list line ÀǼ±ÅÃÀû Ãß°¡(selective add)³ª Á¦°Å(remove)°¡ ºÒ°¡´ÉÇÏ´Ù
interface¿¡ ´ëÇÑ access listÀÇ Á¤ÀÇ(define)°¡ µÇÁö ¾ÊÀº °æ¿ì
(Áï, interface¿¡ access-group ¸í·ÉÀÌ µé¾îÀÖÁö ¾ÊÀº °æ¿ì) °á°ú´Â permit any °¡ µÈ´Ù.
4. Standard Access List
route-map µî ´Ù¸¥ ÇÊÅ͸µÀ» »ç¿ëÇÏ¿© Æ®·¡ÇÈÀ» ÅëÁ¦ÇÒ ´ë»óÀ» ÁöÁ¤ÇÒ¶§ »ç¿ë
¹üÀ§ : 1 ~ 99
Ư¡ : Source Address¸¦ º¸°í Æ®·¡ÇÈÀ» ÅëÁ¦
Çü½Ä
* access-list [1 ~ 99] [Permit / Deny] [Source address] [Source address W/M]
* ÀÎÅÍÆäÀ̽º Àû¿ë : ip access-group [access-list-number] {in | out}
EX) Ãâ¹ßÁö ÁÖ¼Ò°¡ 10.1.1.0 ÀÎ Æ®·¡ÇÈÀº 20.1.1.0 / 24 ³×Æ®¿öÅ©·Î Åë½ÅÇÒ¼ö ¾ø´Ù.
10.1.1.0 / 24 20.1.1.0 / 24
R1 [s0/1] ----------- [s 0/0] R2 [s0/1] --------- [s0/1] R3
[Fa 1/0] 30.1.1.0 / 24
R2
access-list 10 deny 10.1.1.0 0.0.0.255
access-list 10 permit any
!
interface serial 0/1
ip access-group 10 out
!
5. Extended Access List
½ºÅÄ´õµå ¾×¼¼½º ¸®½ºÆ®´Â Ãâ¹ßÁö ÁÖ¼Ò¸¸À» Á¦¾îÇÏ´Â ¹Ý¸é,
ÀͽºÅÙµðµå ¾×¼¼½º ¸®½ºÆ®´Â Ãâ¹ßÁö ÁÖ¼Ò¿Í ¸ñÀûÁö ÁÖ¼Ò ¸ðµÎ¸¦ Á¦¾î
½ºÅÄ´õµå ¾×¼¼¼ ¸®½ºÆ®´Â Àüü TCP/IP¿¡ ´ëÇÑ Á¦¾î¸¸À» ÇÏ´Â ¹Ý¸é,
ÀͽºÅÙµðµå ¾×¼¼½º ¸®½ºÆ®´Â ip, tcp, udp, icmp µî ƯÁ¤ ÇÁ·ÎÅäÄÝÀ» ÁöÁ¤Çؼ Á¦¾îÇÒ ¼ö ÀÖ´Ù
½ºÅÄ´õµå ¾×¼½º ¸®½ºÆ®´Â 1~99ÀÇ ¼ýÀÚ¸¦ Access-list ¹øÈ£·Î »ç¿ëÇÏ°í,
ÀͽºÅÙµðµå ¾×¼¼½º ¸®½ºÆ®´Â 100~199ÀÇ ¼ýÀÚ¸¦ Access-list ¹øÈ£·Î »ç¿ëÇÑ´Ù.
* Çü½Ä : access-list [100 ~ 199] [Permit / Deny] [Protocol Type][Source address] [Source address W/M] [Destination address] [Destination address W/M] eq [Port number]
EX1) R1ÀÇ Fa0/0 ¿¡ FTP Server 192.168.0.11 ÀÌ Á¸ÀçÇÏ°í ÀÖ´Ù. R1Àº 192.168.1.0 / 24 ³×Æ®¿öÅ© Æ®·¡ÇÈÀÌ Telnet Á¢¼ÓÇϴ°ÍÀ» Â÷´ÜÇÏ·Á°í ÇÑ´Ù.ÀÌ¿ÜÀÇ ³ª¸ÓÁö ¸ðµç Æ®·¡ÇÈÀº Çã¿ëµÈ´Ù.
access-list 100 deny tcp 192.168.1.0 0.0.0.255 host 210.114.75.11 eq 23 access-list 100 permit ip any any !
6. Catalyst 3560 ACL Àû¿ë
Vlan300 ¿¡ ÀÖ´Â 192.168.1.242 ¼¹öÀÇ 80¹øÆ÷Æ®·Î µé¾î¿À´Â UDP Â÷´ÜÇϱâ
[root@sus100 ~]# telnet 111.111.111.111(catalyst 3560 ½ºÀ§Ä¡)
Trying 111.111.111.111...
Connected to 111.111.111.111 (111.111.111.111).
Escape character is '^]'.
User Access Verification
Password:
Switch>en
Password:
Switch#conf t
Enter configuration commands, one per line.? End with CNTL/Z.
Switch(config)#ip access-list extended UDP-DENY
Switch(config-ext-nacl)#deny udp any host 192.168.1.242 eq 80
Switch(config-ext-nacl)#permit ip any any
Switch(config)#interface vlan 300
Switch(config)#ip access-group UDP-DENY out
Á¶È¸ : 12,899
