Firewall

Introduction

Access Control Lists (ACLs) filter traffic according to the "three P's": per protocol, per interface and per direction. There can be only one ACL per protocol (e.g. IP), one per interface (e.g. FastEthernet 0) and one per direction (in or out). The router processes an ACL from top to bottom: when it evaluates a packet against the list it starts at the first entry and moves down, and the first entry that matches decides whether the packet is permitted or denied; processing stops at that point. So whichever rule comes first takes precedence, and the order of entries matters. At the end of every ACL there is an implicit deny, so traffic that matches no entry is dropped.

Here we are trying to control access to a single host, 192.16.1.1.

Before we move to the Okapi configuration, the end machines on each network must have their IP address and default route set as indicated below:

Network Diagram

Configuration

Machine-1

root@machine-1# ifconfig eth0 192.168.1.2/16
root@machine-1# route add default gw 192.168.1.1

Machine-2

root@machine-2# ifconfig eth0 192.168.1.5/16
root@machine-2# route add default gw 192.168.1.1

Machine-3

root@machine-3# ifconfig eth0 172.16.1.2/16
root@machine-3# route add default gw 172.16.1.1

Machine-4

root@machine-4# ifconfig eth0 172.16.1.5/16
root@machine-4# route add default gw 172.16.1.1

Now, let's configure the Okapi router, Router-A:

Okapi(config)# interface FastEthernet 0
Okapi(config-if-eth)# ip address 192.168.1.1 255.255.0.0
Okapi(config-if-eth)# no shutdown

Okapi(config)# interface FastEthernet 1
Okapi(config-if-eth)# ip address 172.16.1.1 255.255.0.0
Okapi(config-if-eth)# no shutdown

Okapi(config)# interface AsyncSerial 0
Okapi(config-if-serial)# encapsulation ppp
Okapi(config-if-serial)# ip address 10.5.5.1 255.255.255.0
Okapi(config-if-serial)# no shutdown

Okapi(config)# router rip
Okapi(config-router)# network AsyncSerial 0
Okapi(config-router)# network FastEthernet 0
Okapi(config-router)# network FastEthernet 1

The configuration on the neighbor router, Router-B, is:

Okapi(config)# interface FastEthernet 0
Okapi(config-if-eth)# ip address 192.16.1.1 255.255.0.0
Okapi(config-if-eth)# no shutdown

Okapi(config)# interface AsyncSerial 0
Okapi(config-if-serial)# encapsulation ppp
Okapi(config-if-serial)# ip address 10.5.5.5 255.255.255.0
Okapi(config-if-serial)# no shutdown

Okapi(config)# router rip
Okapi(config-router)# network AsyncSerial 0
Okapi(config-router)# network FastEthernet 0

With the above configuration, all four machines on the two LAN segments can ping, and telnet into, Router-B (192.16.1.1). Now, let's configure access lists on the Okapi router to filter the traffic reaching 192.16.1.1.

The first access list (110), configured below, denies only telnet traffic from machine-2 while permitting all other TCP traffic from the whole of LAN1 (192.168.0.0/16). Of course, because of the implicit deny at the end of the list, traffic other than TCP from LAN1 is now blocked. The second access list (120) denies ICMP traffic only from machine-4 while permitting ICMP traffic from the rest of the machines in LAN2 (172.16.0.0/16). Again, because of the implicit deny, traffic other than ICMP from LAN2 is now blocked.

Okapi(config)# access-list 110 deny tcp host 192.168.1.5 host 192.16.1.1 eq telnet
Okapi(config)# access-list 110 permit tcp 192.168.0.0 0.0.255.255 host 192.16.1.1
Okapi(config)# access-list 120 deny icmp host 172.16.1.5 host 192.16.1.1
Okapi(config)# access-list 120 permit icmp 172.16.0.0 0.0.255.255 host 192.16.1.1

After configuring the two access lists, let's apply them to the respective interfaces for incoming traffic.

Okapi(config)# interface FastEthernet 0
Okapi(config-if-eth)# ip access-group 110 in

Okapi(config)# interface FastEthernet 1
Okapi(config-if-eth)# ip access-group 120 in
Okapi(config)#

With the access lists applied to the interfaces for inbound traffic, the Okapi router will now permit or block traffic according to the defined rules. TCP traffic destined for Router-B is allowed from the 192.168.0.0 network (except telnet from 192.168.1.5) and blocked from the 172.16.0.0 network. ICMP traffic from the 172.16.0.0 network (except from 172.16.1.5) is passed through to the destination router, while ICMP traffic from the 192.168.0.0 network is prohibited from reaching it. TCP traffic can be tested with applications such as telnet or ssh, and ICMP traffic with ping.
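To make the first-match and implicit-deny behaviour concrete, here is an added Python simulation (not Okapi code) that parses the two access lists above, binds them inbound to the interfaces as the page does, and returns the decision the router would make for a given packet; the `parse_acls`, `evaluate` and `filter_inbound` names are my own.

```python
import ipaddress

# Constructed copy of the two ACLs configured on the page (Okapi syntax, prompts stripped).
ACL_CONFIG = """
access-list 110 deny tcp host 192.168.1.5 host 192.16.1.1 eq telnet
access-list 110 permit tcp 192.168.0.0 0.0.255.255 host 192.16.1.1
access-list 120 deny icmp host 172.16.1.5 host 192.16.1.1
access-list 120 permit icmp 172.16.0.0 0.0.255.255 host 192.16.1.1
"""
PORT_NAMES = {"telnet": 23, "ssh": 22}   # names accepted after 'eq'

def _take_addr(tok):
    """Parse 'host A' or 'A WILDCARD'; return (addr, wildcard) as ints. Both forms use 2 tokens."""
    if tok[0] == "host":
        return int(ipaddress.IPv4Address(tok[1])), 0
    return int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1]))

def parse_acls(text):
    """Return {acl_number: [entries]} in configured order; order decides which entry wins."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        number, action, proto = int(tok[1]), tok[2], tok[3]
        src, src_wc = _take_addr(tok[4:6])
        dst, dst_wc = _take_addr(tok[6:8])
        rest = tok[8:]
        dport = PORT_NAMES[rest[1]] if rest[:1] == ["eq"] else None
        acls.setdefault(number, []).append((action, proto, src, src_wc, dst, dst_wc, dport))
    return acls

def evaluate(entries, proto, src, dst, dport=None):
    """Walk the list top to bottom; the first matching entry decides, else the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, p, es, es_wc, ed, ed_wc, ep in entries:
        # Wildcard mask: a 1 bit means 'don't care', so only the 0 bits are compared.
        if p != proto or (s | es_wc) != (es | es_wc) or (d | ed_wc) != (ed | ed_wc):
            continue
        if ep is not None and ep != dport:
            continue
        return action
    return "deny"   # implicit deny at the end of every ACL

ACLS = parse_acls(ACL_CONFIG)
# Bindings from the page: 110 inbound on FastEthernet 0, 120 inbound on FastEthernet 1.
INBOUND = {"FastEthernet 0": ACLS[110], "FastEthernet 1": ACLS[120]}

def filter_inbound(iface, proto, src, dst, dport=None):
    return evaluate(INBOUND[iface], proto, src, dst, dport)
```

Reversing the order of the entries in ACL 110 turns the telnet deny for 192.168.1.5 into a permit, which is the "first rule wins" point made in the introduction.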

Traffic can also be controlled according to system time using time-ranges. To do this, first define a time-range:

Okapi(config)# time-range office_hrs start * 10 * * * end * 18 * * * 

Now reference this time-range in an access list entry.

Okapi(config)# access-list 120 permit tcp host 172.16.1.2 host 192.16.1.1 time-range office_hrs

With this, all TCP requests from machine-3 are permitted only for the duration specified in the time-range, i.e. 10 am to 6 pm every day.