Configuring the H3C AR18-21A Router from the Command Line (TCP/IP Filter Rules)


Configuring (TCP/IP) filter rules on the H3C AR18-21A router

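For the full list of commands, see two other articles I have written up:

Common configuration commands for the H3C AR18-21A router http://clin003.com/servers/h3c-ar18-21a-command-1515/

Configuring the H3C AR18-21A router from the command line (IP address) http://clin003.com/servers/interface-ethernet-ip-address-h3c-ar18-21a-command-1657/

As before, configuration through the web interface is not covered.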

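First, determine the number (num) of the ACL whose rules you want to configure.
Use “display current-configuration” to show the complete configuration and find the num to work with.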

************************************
* Copyright (c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner’s prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
**********************************

Login authentication

Password:

su
Password:
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

system
System View: return to User View with Ctrl+Z.
[H3C]display current-configuration
#
sysname H3C
#

#
firewall enable
#

#
ip http acl 2000
#
domain system
#

#
acl number 2000
rule 0 permit source 192.168.0.0 0.0.3.255
rule 1 deny
#
acl number 3000
rule 1 deny ip destination 222.216.28.25 0
rule 11 deny ip destination 218.93.16.72 0

acl number 3001
rule 0 permit ip
#

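From this output, the num used for TCP/IP filtering is 3000 (its entries are the IPs of servers that trojans connect to, which I blocked earlier).

Next, use “acl num 3000” to enter the TCP/IP filter configuration view.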

[H3C]acl num 3000
[H3C-acl-adv-3000]?
Acl-adv view commands:
description Specify ACL description
dialer Dialer disconnect
display Display current system information
nslookup Query Internet name servers
ping Ping function
quit Exit from current command view
return Exit to User View
rule Specify an acl rule
save Save current configuration
tracert Trace route function
undo Cancel current setting
vrbd Show application version
[H3C-acl-adv-3000]rule deny ?
<1-255> Protocol number
gre GRE tunneling(47)
icmp Internet Control Message Protocol(1)
igmp Internet Group Management Protocol(2)
ip Any IP protocol
ipinip IP in IP tunneling(4)
ospf OSPF routing protocol(89)
tcp Transmission Control Protocol (6)
udp User Datagram Protocol (17)
[H3C-acl-adv-3000]rule deny ip ?
destination Match destination address
dscp Match differentiated services code point value
fragment Match fragmented packet
logging Log matched packet
precedence Match precedence value
source Match source address
time-range Specify a special time to activate this acl rule
tos Match tos value

[H3C-acl-adv-3000]rule deny ip destination ?
X.X.X.X Address of destination
any Any destination IP address
[H3C-acl-adv-3000]rule deny ip destination 119.147.18.0 ?
0 Wildcard bits : 0.0.0.0 ( a host )
X.X.X.X Wildcard of destination
[H3C-acl-adv-3000]rule deny ip destination 119.147.18.0 0.255.255.255
[H3C-acl-adv-3000]

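The session above is how you work when you do not know the commands well. The simpler way is to leave out the question marks, type the whole command in one go, and run it; the rule is then added.
For example (blocking the 119.147.18.0 network with mask 255.0.0.0, entered as wildcard bits 0.255.255.255):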

[H3C]acl num 3000
[H3C-acl-adv-3000]rule deny ip destination 119.147.18.0 0.255.255.255

Then run “display current-configuration” again to check that the rule was added.
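The rule above is written with wildcard bits, which are the inverse of a subnet mask, so it is worth checking which range each rule really covers. The following Python sketch is an added example, not part of the original post: it parses ACL lines in the format printed by “display current-configuration” and reports the effective range of every address rule. The sample text and the rule number 12 are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in "display current-configuration" format; rule id 12 is made up.
SAMPLE_CONFIG = """\
acl number 2000
 rule 0 permit source 192.168.0.0 0.0.3.255
 rule 1 deny
acl number 3000
 rule 1 deny ip destination 222.216.28.25 0
 rule 11 deny ip destination 218.93.16.72 0
 rule 12 deny ip destination 119.147.18.0 0.255.255.255
"""

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\b.*?"
    r"\b(?P<side>source|destination)\s+(?P<addr>\d+(?:\.\d+){3})"
    r"\s+(?P<wild>\d+(?:\.\d+){3}|0)\b"
)

def effective_match(addr, wild):
    """Return (matched range as text, True if the wildcard ignores set bits of addr)."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address("0.0.0.0" if wild == "0" else wild))
    base = a & ~w & 0xFFFFFFFF            # wildcard bit 1 = "don't care"
    if w & (w + 1) == 0:                  # contiguous wildcard -> plain CIDR block
        text = str(ipaddress.IPv4Network((base, 32 - w.bit_length())))
    else:                                 # non-contiguous: no CIDR equivalent
        text = f"{ipaddress.IPv4Address(base)} wildcard {wild}"
    return text, base != a

def audit(config):
    """List (acl, rule, action, side, matched range, ignored_bits) per address rule."""
    findings, acl = [], None
    for line in config.splitlines():
        header = re.match(r"\s*acl number (\d+)", line)
        if header:
            acl = int(header.group(1))
            continue
        m = RULE_RE.search(line)
        if m:                             # rules without an address (e.g. "rule 1 deny") are skipped
            text, ignored = effective_match(m["addr"], m["wild"])
            findings.append((acl, int(m["id"]), m["action"], m["side"], text, ignored))
    return findings

if __name__ == "__main__":
    for acl, rule, action, side, text, ignored in audit(SAMPLE_CONFIG):
        note = "  <-- address bits ignored by wildcard, check intended range" if ignored else ""
        print(f"acl {acl} rule {rule}: {action} {side} {text}{note}")
```

For the last rule the output shows 119.0.0.0/8: wildcard 0.255.255.255 makes the router ignore the last three octets, so the 147.18.0 part of the address plays no role in the match.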

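I still cannot say exactly which protocol types some of the num values correspond to (something I have yet to learn), and I hope friends who know will share. :)

The protocol types this router model (H3C AR18-21A) can filter: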

[H3C]acl num ?
INTEGER<1000-1999> Specify an interface-based acl
INTEGER<2000-2999> Specify a basic acl
INTEGER<3000-3999> Specify an advanced acl
INTEGER<4000-4999> Specify an ethernet frame header acl

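Deleting an existing (TCP/IP) filter rule
To delete a rule, use “undo rule num” (you need the sequence number num of the rule, which “display current-configuration” will show). For example, to delete the existing rule number “1”, run: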

[H3C]acl num 3000
[H3C-acl-adv-3000]undo rule 1
[H3C-acl-adv-3000]

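Configuring the TCP/IP filtering feature on the H3C AR18-21A router
Use “firewall enable” to turn TCP/IP filtering on and “undo firewall enable” to turn it off. Use “firewall default deny” to make deny the default action (only traffic that matches a rule is allowed through; everything else is blocked).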

[H3C]firewall enable
[H3C]firewall default deny
[H3C]firewall default permit
[H3C]undo firewall enable

When reposting this original article, please credit the source: [Lin's Space|Only]

Permalink: http://clin003.com/servers/acl-num-3000-rule-deny-ip-destination-h3c-ar18-21a-command-1686/
