Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Block incoming traffic for a single IP address
- Thread starter Narboule
- Start date
access-list 120 permit ip host 1.1.1.1 host 2.3.4.5
access-list 120 permit ip host 1.1.1.1 host 2.3.4.6
access-list 120 permit ip host 1.1.1.1 host 2.3.4.7
access-list 120 permit ip host 1.1.1.1 host 2.3.4.8
int s0 (link to internet)
ip access-group 120 in
This should do it, 1.1.1.1 is the server address, other values are the 4 users that need access.
This list will block ALL incoming traffic apart from the 4 users. This is not really a secure method of stopping internet based attacks due to the way the ACL works. It wont stop fragmented packet attacks.
Hope that helps
access-list 120 permit ip host 1.1.1.1 host 2.3.4.6
access-list 120 permit ip host 1.1.1.1 host 2.3.4.7
access-list 120 permit ip host 1.1.1.1 host 2.3.4.8
int s0 (link to internet)
ip access-group 120 in
This should do it, 1.1.1.1 is the server address, other values are the 4 users that need access.
This list will block ALL incoming traffic apart from the 4 users. This is not really a secure method of stopping internet based attacks due to the way the ACL works. It wont stop fragmented packet attacks.
Hope that helps
if i understand you correctly, you are looking to block all internet traffic coming in except for traffic from 4 servers on the internet
i take it that
1
all of your internal pc's should be able to go out to the Internet
2
you only want your employees to be able to access 4 web-sites
so you need to only allow return traffic from those 4 sites/servers
access-list 133 permit tcp host 1.2.3.1(server1) eq established
access-list 133 permit tcp host 1.2.3.2(server2) eq established
access-list 133 permit tcp host 1.2.3.3(server3) eq established
access-list 133 permit tcp host 1.2.3.4(server4) eq established
int ethernet 0 (or whatever your outside int is)
ip access-group 133 in
this allows any only return traffic for those 4 servers on the Internet. if you want them to access other services on those servers (i.e. https(tcp 443), etc, you will have to add acl entries permitting those ports)
(caution: if you are using dhcp and allow for icmp on that outside interface make sure that you add the appropriate acl statements)
i take it that
1
all of your internal pc's should be able to go out to the Internet
2
you only want your employees to be able to access 4 web-sites
so you need to only allow return traffic from those 4 sites/servers
access-list 133 permit tcp host 1.2.3.1(server1) eq established
access-list 133 permit tcp host 1.2.3.2(server2) eq established
access-list 133 permit tcp host 1.2.3.3(server3) eq established
access-list 133 permit tcp host 1.2.3.4(server4) eq established
int ethernet 0 (or whatever your outside int is)
ip access-group 133 in
this allows any only return traffic for those 4 servers on the Internet. if you want them to access other services on those servers (i.e. https(tcp 443), etc, you will have to add acl entries permitting those ports)
(caution: if you are using dhcp and allow for icmp on that outside interface make sure that you add the appropriate acl statements)
- Thread starter
- #5
Andyleates
Technical User
state the source address as 111.222.333.xxx 0.0.0.255
Andy Leates MCSE MCP+I
Andy Leates MCSE MCP+I
- Thread starter
- #7
your line should read
access-list 120 permit ip host 1.2.3.1 111.222.333.0 0.0.0.255
The host keyword is used for single ip address entries, for a range of addresses you use a mask. A 0 in the mask means check and a 255 means ignore. So the new line means match a packet with a source address of 1.2.3.1 and a destination address in the range 111.222.333.1 to .255
access-list 120 permit ip host 1.2.3.1 111.222.333.0 0.0.0.255
The host keyword is used for single ip address entries, for a range of addresses you use a mask. A 0 in the mask means check and a 255 means ignore. So the new line means match a packet with a source address of 1.2.3.1 and a destination address in the range 111.222.333.1 to .255
- Thread starter
- #9
- Thread starter
- #10
- Thread starter
- #11
Let me re-state things. Hopefully someone can help me resolve this.
I have a server that should only be accessed by a certain range of IP addresses. There should be no traffic to or from this computer except to this specific IP range. I don't know if this affects anything, but the server's IP address is within the authorized IP range.
In addition, I've been receiving abuse reports that this computer is performing port scans. Will the ACL in the previous paragraph prevent port scans from being performed on computers outside our network? If not, any suggestions on how to do so?
I have a server that should only be accessed by a certain range of IP addresses. There should be no traffic to or from this computer except to this specific IP range. I don't know if this affects anything, but the server's IP address is within the authorized IP range.
In addition, I've been receiving abuse reports that this computer is performing port scans. Will the ACL in the previous paragraph prevent port scans from being performed on computers outside our network? If not, any suggestions on how to do so?
The ACL will only permit packets that match past. Any others will be denied, you do not have to specify that. However its sometimes useful whilst setting up the ACL's to add a deny statement to the end of the ACL, it must be the last line, and append the keyword log.
Then each time a packet gets matched by the line with the log keyword you get a message on the router console indicating source and dest IP and port numbers.
Remove the deny and the log key words when you have it working as you want.
The list will stop port scans, but remember that ACL's can be bypassed by crafting fragmented IP packets.
To block traffic outgoing reverse the source and destination address in a new access list, and apply that to an interface in the outgoing direction.
Then each time a packet gets matched by the line with the log keyword you get a message on the router console indicating source and dest IP and port numbers.
Remove the deny and the log key words when you have it working as you want.
The list will stop port scans, but remember that ACL's can be bypassed by crafting fragmented IP packets.
To block traffic outgoing reverse the source and destination address in a new access list, and apply that to an interface in the outgoing direction.
- Thread starter
- #13
Thanks, routerman.
By the way, how many access lists can be applied to an interface?
I don't understand correctly regarding the outgoing. All outgoing traffic is currently authorized, so I would effectively need to block everything outside of my IP range. So would I first need to write my permit statement and then write a deny statement from "any" to the host?
By the way, how many access lists can be applied to an interface?
I don't understand correctly regarding the outgoing. All outgoing traffic is currently authorized, so I would effectively need to block everything outside of my IP range. So would I first need to write my permit statement and then write a deny statement from "any" to the host?
You can apply 2 access lists per interface, one incoming and one outgoing.
The ACL can check either source addresses only (standard ACL) or both source and destination, plus protocols and ports (extended ACL). You can also check for established sessions using the est ketword.
The list is applied to an interface, the direction depends on how you have configured the source and destination addresses.
The ACL can check either source addresses only (standard ACL) or both source and destination, plus protocols and ports (extended ACL). You can also check for established sessions using the est ketword.
The list is applied to an interface, the direction depends on how you have configured the source and destination addresses.
- Status
Similar threads
- Locked
- Question