Unit 5: Access Control Lists 5.1 Access Control Lists Extended ACLs

mac, 2022-06-30

Extended ACLs can filter by three or four criteria: source IP, destination IP, protocol, and port, with port being the only optional parameter. This gives you more granular control over the rules. Let's say we wanted to block host A from accessing the Apache web server on server A, but not any other services on server A. We'd need an extended ACL in this case. Let's walk through an ACL that would do just that.

The extended ACL statement starts off the same way as a standard ACL statement, with the keyword access-list. For an extended ACL, the number of the ACL falls within the inclusive range 100 through 199 (IOS also accepts the expanded range 2000 through 2699 for extended ACLs). In this case we're using 100. Then, just like in a standard ACL, you'll have the keyword permit or deny, depending on what you're trying to do. That's where the similarities end.

At this point in the extended ACL statement you need to specify a protocol. Common entries here are tcp, udp, icmp, and ip. In our statement we're selecting tcp, which will only match traffic encapsulated in a TCP header at layer four. After that there are two IP addresses, each preceded by the keyword host. The first represents the source, the second represents the destination. Of course, each of those could have been written with the IP address first, followed by a wildcard mask of 0.0.0.0, as mentioned earlier.

At this point the statement reads access-list 100 deny tcp host 129.21.19.75 host 129.21.1.40, and it will in fact block all connection-oriented, TCP-based traffic from the source 129.21.19.75 to the destination 129.21.1.40. This is not what we wanted. We just wanted to block the source from accessing the web server, not any other service running on the machine. Maybe there's an FTP server, or an SSH server, both of which also use TCP at layer four; the source should be able to access these services. So we add an operator, eq (equal to), to achieve our desired result, and following eq is 80. This means: only filter traffic from source 129.21.19.75 to destination 129.21.1.40 if the TCP segment has a destination port of 80, meaning the traffic is destined for the web server on 129.21.1.40.

That might be a perfectly configured statement, but at this point our ACL blocks everything. Remember that if packets don't match any ACL statement, they are filtered: denied, discarded. We've got to override the implicit deny at the end of every ACL for packets not meeting any explicitly configured statement. The way we do that with an extended ACL is as follows. The syntax starts off with access-list 100, as explained before, and follows with permit, as explained before. Now, however, instead of just the word any, like we saw with the standard ACL, we see ip any any. Remember that an extended ACL's only optional parameter is port, which in the statement above was represented by eq 80; we need to include a protocol in every extended ACL statement. To include all protocols in the TCP/IP suite, we simply say ip: anything encapsulated in an IP header matches ip. What about the two anys? The first represents any source, and the second represents any destination. Statements are checked top to bottom and the first match wins, so the deny has to come before this permit; packets not matching the first statement will then match this second statement and be permitted.

Extended ACLs should be applied as close to the source as possible. In our earlier example, that would mean the ACL would be applied as an inbound ACL on the right interface of router C. Why tie up bandwidth and processing power all the way from router C to router B if traffic from host A will be blocked anyway? The logic is to filter it as early as possible. This couldn't be done with a standard ACL, because the only criterion it specifies is the source IP address, so placed near the source it would cut host A off from everything. However, if we apply an inbound ACL to the right interface of router C, blocking traffic from host A to our web server with a destination port of 80, all other traffic from host A will be unfiltered.
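As an added example that is not part of the lesson, here are the two statements the lesson builds, written out in IOS syntax and fed through a small Python evaluator that applies the lesson's matching rules: protocol first, then source and destination against their wildcard masks, then the optional port, with the first matching statement winning and the implicit deny at the end. The addresses 129.21.19.75 (host A) and 129.21.1.40 (server A) are as read from the spoken lesson, and the evaluator itself is hypothetical helper code, not Cisco IOS.

```python
"""Added example: evaluate Cisco-style numbered extended ACL statements
against sample packets. Hypothetical helper code, not IOS."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Addresses as read from the spoken lesson (assumption): host A and server A.
HOST_A = "129.21.19.75"
SERVER_A = "129.21.1.40"

# The two statements the lesson builds, in IOS syntax.
ACL_100 = f"""
access-list 100 deny tcp host {HOST_A} host {SERVER_A} eq 80
access-list 100 permit ip any any
"""

# The same ACL with the permit ip any any left off: the implicit deny then
# discards everything the first statement does not match.
ACL_100_NO_PERMIT = ACL_100.splitlines()[1]

AddrSpec = Tuple[int, int]  # (address, wildcard mask) as 32-bit integers


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    protocol: str          # "tcp", "udp", "icmp" or "ip" ("ip" matches any)
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]   # destination port from "eq <port>", else None


def _parse_addr(tokens, i):
    """Parse 'any', 'host X' or 'X WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":                       # any == 0.0.0.0 255.255.255.255
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":                      # host X == X 0.0.0.0
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.ip_address(tokens[i]))
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    return (addr, wildcard), i + 2


def _addr_match(spec, ip):
    """A wildcard bit of 1 means 'don't care'; only the 0 bits must match."""
    addr, wildcard = spec
    return ((ip ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def parse_acl(text):
    """Turn 'access-list N ...' lines into Rule objects, in order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        number = int(tok[1])
        # Extended numbered ACLs: 100-199, or the expanded range 2000-2699.
        if not (100 <= number <= 199 or 2000 <= number <= 2699):
            raise ValueError(f"{number} is not an extended ACL number")
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            if proto not in ("tcp", "udp"):
                raise ValueError("port operators only apply to tcp or udp")
            dport = int(tok[i + 1])
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """First matching statement wins; no match means the implicit deny."""
    s = int(ipaddress.ip_address(src))
    d = int(ipaddress.ip_address(dst))
    for r in rules:
        if r.protocol != "ip" and r.protocol != proto:
            continue
        if not (_addr_match(r.src, s) and _addr_match(r.dst, d)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"   # the implicit deny at the end of every ACL


if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    for proto, port in (("tcp", 80), ("tcp", 22), ("icmp", None)):
        print(proto, port, evaluate(acl, proto, HOST_A, SERVER_A, port))
```

With both statements loaded, HTTP from host A to server A is denied while SSH from host A, and HTTP from any other host, are permitted; with only the deny statement loaded, every packet falls through to the implicit deny. On the router, the ACL would be attached inbound on router C's interface toward host A with the interface command ip access-group 100 in (the interface name is not given in the lesson).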

Reposted from: https://www.cnblogs.com/sec875/articles/10028634.html
