Mục tiêu


Cấu hình router để chặn tất cả và kiểm tra các kết nối TCP tới Web Servers

Hình vẽ:

Mô tả

• Cấu hình NAT tĩnh
• Tạo ACL 199 match các kết nối TCP vào port 80 của server.
• Cấu hình TCP intercept dùng ACL 199, và mode random-drop
• Báo động khi số kết nối half-open sessions lên đến 1500
• Dừng báo động khi số kết nối half-pen session giảm xuống 1200
• Set thời gian timeout đến với các kết nối inactive là 1 giờ

Cấu hình tham khảo


Bước 1: Cấu hình IP, định tuyến, NAT

Router4

!

!

interface Loopback0

ip address 150.1.4.4 255.255.255.0

!

interface FastEthernet0/0

ip address 155.1.45.4 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 10.0.0.4 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface Serial0/2/0

no ip address

shutdown

no fair-queue

clockrate 2000000

!

router ospf 1

log-adjacency-changes

network 150.1.4.0 0.0.0.255 area 0

network 155.1.45.0 0.0.0.255 area 0

!

ip classless

!

!

ip http server

no ip http secure-server

ip nat inside source static 10.0.0.1 150.1.4.4

!

!



Router1

!

interface FastEthernet0/0

ip address 10.0.0.1 255.255.255.0

duplex auto

speed auto

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.0.0.4

!

!



Router5

!

!

!

!

interface FastEthernet0/0

ip address 155.1.45.5 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 150.1.5.5 255.255.255.0

duplex auto

speed auto

no keepalive

!

!

router ospf 1

log-adjacency-changes

network 150.1.5.0 0.0.0.255 area 0

network 155.1.45.0 0.0.0.255 area 0

!

ip classless

ip http server

!

!

!



Bước 2: Cấu hình TCP intercept

Router4

!

!

ip tcp intercept list 199

ip tcp intercept connection-timeout 3600

ip tcp intercept max-incomplete low 1200

ip tcp intercept max-incomplete high 1500

ip tcp intercept drop-mode random

!

!

access-list 199 permit tcp any any eq www

!

!



Bước 3: Kiểm tra



R4#debug ip tcp intercept

TCP intercept debugging is on



R5#telnet 150.1.4.4 80

Trying 150.1.4.4, 80 ... Open



[Connection to 150.1.4.4 closed by foreign host]



R4#

*Jun 2 06:48:25.507: INTERCEPT: new connection (155.1.45.5:19297 SYN -> 10.0.0.1:80)

*Jun 2 06:48:25.511: INTERCEPT(*): (155.1.45.5:19297 <- ACK+SYN 10.0.0.1:80)

*Jun 2 06:48:25.511: INTERCEPT: 1st half of connection is established (155.1.45.5:19297 ACK -> 10.0.0.1:80)

*Jun 2 06:48:25.511: INTERCEPT(*): (155.1.45.5:19297 SYN -> 10.0.0.1:80)

*Jun 2 06:48:25.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)

*Jun 2 06:48:25.515: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)

*Jun 2 06:48:26.511: INTERCEPT(*): SYNSENT retransmit 1 (155.1.45.5:19297 SYN -> 10.0.0.1:80)

*Jun 2 06:48:26.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)

*Jun 2 06:48:27.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)

*Jun 2 06:48:28.511: INTERCEPT(*): SYNSENT retransmit 2 (155.1.45.5:19297 SYN -> 10.0.0.1:80)

*Jun 2 06:48:28.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)

*Jun 2 06:48:31.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)

*Jun 2 06:48:32.511: INTERCEPT(*): SYNSENT retransmit 3 (155.1.45.5:19297 SYN -> 10.0.0.1:80)

*Jun 2 06:48:32.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)

*Jun 2 06:48:39.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)

*Jun 2 06:48:40.511: INTERCEPT(*): SYNSENT retransmit 4 (155.1.45.5:19297 SYN -> 10.0.0.1:80)

*Jun 2 06:48:40.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)

*Jun 2 06:48:56.511: INTERCEPT: SYNSENT retransmitting too long (155.1.45.5:19297 <-> 10.0.0.1:80)

*Jun 2 06:48:56.511: INTERCEPT(*): (155.1.45.5:19297 <- RST 10.0.0.1:80) =>(1)



(1) Kết nối đã vượt quá thời gian timeout, do đó router gửi cờ RST đến 155.1.5.5.
​