Tweet
Mục tiêu
Cấu hình router để chặn tất cả và kiểm tra các kết nối TCP tới Web Servers
Hình vẽ:
Mô tả
Cấu hình tham khảo
Bước 1: Cấu hình IP, định tuyến, NAT
Router4
!
!
interface Loopback0
ip address 150.1.4.4 255.255.255.0
!
interface FastEthernet0/0
ip address 155.1.45.4 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.4 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/2/0
no ip address
shutdown
no fair-queue
clockrate 2000000
!
router ospf 1
log-adjacency-changes
network 150.1.4.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
ip nat inside source static 10.0.0.1 150.1.4.4
!
!
Router1
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.4
!
!
Router5
!
!
!
!
interface FastEthernet0/0
ip address 155.1.45.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 150.1.5.5 255.255.255.0
duplex auto
speed auto
no keepalive
!
!
router ospf 1
log-adjacency-changes
network 150.1.5.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
ip http server
!
!
!
Bước 2: Cấu hình TCP intercept
Router4
!
!
ip tcp intercept list 199
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 1200
ip tcp intercept max-incomplete high 1500
ip tcp intercept drop-mode random
!
!
access-list 199 permit tcp any any eq www
!
!
Bước 3: Kiểm tra
R4#debug ip tcp intercept
TCP intercept debugging is on
R5#telnet 150.1.4.4 80
Trying 150.1.4.4, 80 ... Open
[Connection to 150.1.4.4 closed by foreign host]
R4#
*Jun 2 06:48:25.507: INTERCEPT: new connection (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT(*): (155.1.45.5:19297 <- ACK+SYN 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT: 1st half of connection is established (155.1.45.5:19297 ACK -> 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT(*): (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:25.515: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:26.511: INTERCEPT(*): SYNSENT retransmit 1 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:26.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:27.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:28.511: INTERCEPT(*): SYNSENT retransmit 2 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:28.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:31.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:32.511: INTERCEPT(*): SYNSENT retransmit 3 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:32.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:39.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:40.511: INTERCEPT(*): SYNSENT retransmit 4 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:40.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:56.511: INTERCEPT: SYNSENT retransmitting too long (155.1.45.5:19297 <-> 10.0.0.1:80)
*Jun 2 06:48:56.511: INTERCEPT(*): (155.1.45.5:19297 <- RST 10.0.0.1:80) =>(1)
(1) Kết nối đã vượt quá thời gian timeout, do đó router gửi cờ RST đến 155.1.5.5.
Cấu hình router để chặn tất cả và kiểm tra các kết nối TCP tới Web Servers
Hình vẽ:
Mô tả- Cấu hình NAT tĩnh
- Tạo ACL 199 match các kết nối TCP vào port 80 của server.
- Cấu hình TCP intercept dùng ACL 199, và mode random-drop
- Báo động khi số kết nối half-open sessions lên đến 1500
- Dừng báo động khi số kết nối half-pen session giảm xuống 1200
- Set thời gian timeout đến với các kết nối inactive là 1 giờ
Cấu hình tham khảo
Bước 1: Cấu hình IP, định tuyến, NAT
Router4
!
!
interface Loopback0
ip address 150.1.4.4 255.255.255.0
!
interface FastEthernet0/0
ip address 155.1.45.4 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.4 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/2/0
no ip address
shutdown
no fair-queue
clockrate 2000000
!
router ospf 1
log-adjacency-changes
network 150.1.4.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
ip nat inside source static 10.0.0.1 150.1.4.4
!
!
Router1
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.4
!
!
Router5
!
!
!
!
interface FastEthernet0/0
ip address 155.1.45.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 150.1.5.5 255.255.255.0
duplex auto
speed auto
no keepalive
!
!
router ospf 1
log-adjacency-changes
network 150.1.5.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
ip http server
!
!
!
Bước 2: Cấu hình TCP intercept
Router4
!
!
ip tcp intercept list 199
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 1200
ip tcp intercept max-incomplete high 1500
ip tcp intercept drop-mode random
!
!
access-list 199 permit tcp any any eq www
!
!
Bước 3: Kiểm tra
R4#debug ip tcp intercept
TCP intercept debugging is on
R5#telnet 150.1.4.4 80
Trying 150.1.4.4, 80 ... Open
[Connection to 150.1.4.4 closed by foreign host]
R4#
*Jun 2 06:48:25.507: INTERCEPT: new connection (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT(*): (155.1.45.5:19297 <- ACK+SYN 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT: 1st half of connection is established (155.1.45.5:19297 ACK -> 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT(*): (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:25.515: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:26.511: INTERCEPT(*): SYNSENT retransmit 1 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:26.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:27.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:28.511: INTERCEPT(*): SYNSENT retransmit 2 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:28.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:31.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:32.511: INTERCEPT(*): SYNSENT retransmit 3 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:32.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:39.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:40.511: INTERCEPT(*): SYNSENT retransmit 4 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:40.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:56.511: INTERCEPT: SYNSENT retransmitting too long (155.1.45.5:19297 <-> 10.0.0.1:80)
*Jun 2 06:48:56.511: INTERCEPT(*): (155.1.45.5:19297 <- RST 10.0.0.1:80) =>(1)
(1) Kết nối đã vượt quá thời gian timeout, do đó router gửi cờ RST đến 155.1.5.5.