A company's internal network uses the router's built-in packet filtering to enforce network access control.
(1) Network security policy
- Only designated hosts may collect SNMP management information
- Illegitimate traffic from the external network must not pass through
- Illegitimate traffic from the internal network must not pass through
- Only designated hosts may access the router remotely
(2) Security configuration of the router's filtering rules
! access-list 100 applies to traffic arriving from external networks
! and destined for the internal network or for the router itself
no access-list 100
! remove any existing ACL numbered 100 before redefining it
! anti-spoofing: external packets must not claim an internal source address,
! nor the router's own address (shown as 14.x.y.z) as both source and destination
access-list 100 deny ip 14.2.6.0 0.0.0.255 any log
access-list 100 deny ip host 14.x.y.z host 14.x.y.z log
! loopback, RFC 1918 private, "this network", documentation, link-local and
! multicast ranges are never valid source addresses on the external link
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
! block traffic aimed at the internal subnet's broadcast and network addresses
access-list 100 deny ip any host 14.2.6.255 log
access-list 100 deny ip any host 14.2.6.0 log
! allow replies to TCP sessions opened from inside (ACK or RST set), not new connections
access-list 100 permit tcp any 14.2.6.0 0.0.0.255 established
! drop ICMP echo, redirect and address-mask requests from outside; other ICMP may enter
access-list 100 deny icmp any any echo log
access-list 100 deny icmp any any redirect log
access-list 100 deny icmp any any mask-request log
access-list 100 permit icmp any 14.2.6.0 0.0.0.255
! allow OSPF only from the 14.1.0.0/16 neighbours to the router's own address
access-list 100 permit ospf 14.1.0.0 0.0.255.255 host 14.x.y.z
! explicitly deny and log X Window System (6000-6063) and IRC (6667) connection attempts
access-list 100 deny tcp any any range 6000 6063 log
access-list 100 deny tcp any any eq 6667 log
! every numbered ACL ends with an implicit "deny ip any any"; the list only takes
! effect once applied inbound on the external interface with "ip access-group 100 in"
Note: the wildcard mask (per octet, wildcard = 255 - subnet-mask octet) is the complement of the subnet mask: a 1 bit means the corresponding address bit is not checked, a 0 bit means it must match.
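To show how the rules above are actually evaluated, the following added example (written for this page, not part of the original configuration or of any vendor code) implements Cisco wildcard-mask matching and a first-match evaluator with implicit deny over a constructed excerpt of access-list 100. The packet field names, the `parse_acl`/`evaluate` helpers and the omission of port qualifiers (eq/range) are assumptions of the example.

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any": 0.0.0.0 with an all-ones wildcard

def wildcard_match(addr, net, wild):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not check this bit'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    check = 0xFFFFFFFF ^ w  # bits to compare: the wildcard is the complement of the mask
    return (a & check) == (n & check)

def _addr(tok, i):
    """Parse a source/destination spec at tok[i]: 'any', 'host X', or 'NET WILDCARD'."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [qualifiers]' lines; '!' comments are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        quals = tok[i:]  # remaining keywords: 'established', an ICMP type, 'log' (ports not handled here)
        icmp = next((x for x in quals if x in ("echo", "redirect", "mask-request")), None)
        rules.append({"action": tok[2], "proto": tok[3], "src": src, "dst": dst,
                      "established": "established" in quals, "icmp": icmp})
    return rules

def evaluate(rules, pkt):
    """First match wins; returns (action, rule index). Index None = the implicit trailing deny."""
    for idx, r in enumerate(rules):
        if (r["proto"] in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *r["src"]) and wildcard_match(pkt["dst"], *r["dst"])
                and (not r["established"] or pkt.get("ack", False))  # TCP replies only, no new SYNs
                and (r["icmp"] is None or r["icmp"] == pkt.get("icmp"))):
            return r["action"], idx
    return "deny", None
# Constructed excerpt of the page's access-list 100 (typos corrected), used as sample input.
ACL_100 = """\
access-list 100 deny ip 14.2.6.0 0.0.0.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 permit tcp any 14.2.6.0 0.0.0.255 established
access-list 100 deny icmp any any echo log
access-list 100 permit icmp any 14.2.6.0 0.0.0.255
"""
```

A new inbound TCP connection to an internal host matches no rule and falls to the implicit deny, which is why such packets are dropped without a log entry, unlike the explicitly logged denies.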