Configure the router to intercept and inspect all TCP connections to the web servers
Diagram:
Step 1: Configure IP addressing, routing and NAT
Router4
!
!
interface Loopback0
ip address 150.1.4.4 255.255.255.0
!
interface FastEthernet0/0
ip address 155.1.45.4 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.4 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/2/0
no ip address
shutdown
no fair-queue
clockrate 2000000
!
router ospf 1
log-adjacency-changes
network 150.1.4.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
ip nat inside source static 10.0.0.1 150.1.4.4
!
!
Router1
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.4
!
!
Router5
!
!
!
!
interface FastEthernet0/0
ip address 155.1.45.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 150.1.5.5 255.255.255.0
duplex auto
speed auto
no keepalive
!
!
router ospf 1
log-adjacency-changes
network 150.1.5.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
ip http server
!
!
!
Step 2: Configure TCP intercept
Router4
!
!
ip tcp intercept list 199
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 1200
ip tcp intercept max-incomplete high 1500
ip tcp intercept drop-mode random
!
!
access-list 199 permit tcp any any eq www
!
!
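The max-incomplete low/high values and the drop-mode in the Step 2 configuration decide when the router switches TCP intercept into aggressive mode and which half-open entry it sacrifices for each new SYN while in that mode. The following Python script is an added example (not IOS code and not part of the original lab) that models only the half-open connection count: once the count exceeds the high watermark the table enters aggressive mode, every further SYN first evicts one existing entry (random or oldest, per drop-mode), and the table returns to normal mode once the count falls below the low watermark. The source addresses are constructed from the TEST-NET ranges; the one-minute rate thresholds, connection-timeout and the halved retransmission timer of aggressive mode are not modelled.

```python
"""Half-open connection accounting behind `ip tcp intercept max-incomplete low/high`
and `ip tcp intercept drop-mode`.

Added example, not IOS code: it models the aggressive-mode hysteresis at the level
of the incomplete-connection count only. Source addresses are constructed (TEST-NET
ranges); the one-minute rate thresholds, connection-timeout and the halved
retransmission timer of aggressive mode are not modelled.
"""
import random
from collections import OrderedDict
from typing import Dict, Hashable, List, Optional, Tuple


class InterceptTable:
    def __init__(self, low: int = 1200, high: int = 1500,
                 drop_mode: str = "random", seed: Optional[int] = None):
        if not 0 < low < high:
            raise ValueError("low watermark must be below high watermark")
        if drop_mode not in ("oldest", "random"):
            raise ValueError("drop-mode is oldest or random")
        self.low, self.high, self.drop_mode = low, high, drop_mode
        self.rng = random.Random(seed)
        # Insertion order doubles as age, which is what drop-mode oldest needs.
        self.incomplete: "OrderedDict[Hashable, None]" = OrderedDict()
        self.aggressive = False
        self.evicted: List[Hashable] = []

    def _drop_one(self) -> None:
        if not self.incomplete:
            return
        if self.drop_mode == "oldest":
            key, _ = self.incomplete.popitem(last=False)
        else:
            key = self.rng.choice(list(self.incomplete))
            del self.incomplete[key]
        self.evicted.append(key)

    def _update_mode(self) -> None:
        n = len(self.incomplete)
        if not self.aggressive and n > self.high:      # count exceeds the high watermark
            self.aggressive = True
        elif self.aggressive and n < self.low:         # count falls below the low watermark
            self.aggressive = False

    def syn(self, key: Hashable) -> None:
        """Client SYN intercepted: the router answers SYN-ACK itself and tracks a half-open entry."""
        if key in self.incomplete:
            return  # retransmitted SYN for a flow already being proxied
        if self.aggressive:
            self._drop_one()  # in aggressive mode every new SYN costs one existing entry
        self.incomplete[key] = None
        self._update_mode()

    def completed(self, key: Hashable) -> None:
        """Server side finished the handshake, or the router gave up: entry leaves the table."""
        self.incomplete.pop(key, None)
        self._update_mode()


def run_scenario(seed: int = 1) -> Dict[str, Tuple]:
    """Flood with constructed spoofed SYNs, then let some flows complete; record the mode changes."""
    t = InterceptTable(low=1200, high=1500, drop_mode="random", seed=seed)
    obs: Dict[str, Tuple] = {}
    for i in range(1500):                                   # constructed spoofed sources
        t.syn((f"198.51.100.{i % 254 + 1}", 1024 + i))
    obs["at_high"] = (len(t.incomplete), t.aggressive)      # (1500, False): not yet over the high mark
    t.syn(("198.51.100.1", 60000))
    obs["over_high"] = (len(t.incomplete), t.aggressive)    # (1501, True)
    for i in range(100):                                    # flood continues in aggressive mode
        t.syn((f"203.0.113.{i % 254 + 1}", 40000 + i))
    obs["flooding"] = (len(t.incomplete), len(t.evicted), t.aggressive)   # (1501, 100, True)
    for key in list(t.incomplete)[:302]:                    # 302 flows finish or are reaped
        t.completed(key)
    obs["recovered"] = (len(t.incomplete), t.aggressive)    # (1199, False)
    return obs


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The point the scenario makes is the hysteresis: the table stays in aggressive mode while the count sits between the two watermarks, so a sustained flood keeps the router evicting one half-open entry per incoming SYN until enough connections complete or time out to bring the count under the low mark.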
Step 3: Verification
R4#debug ip tcp intercept
TCP intercept debugging is on
R5#telnet 150.1.4.4 80
Trying 150.1.4.4, 80 ... Open
[Connection to 150.1.4.4 closed by foreign host]
R4#
*Jun 2 06:48:25.507: INTERCEPT: new connection (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT(*): (155.1.45.5:19297 <- ACK+SYN 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT: 1st half of connection is established (155.1.45.5:19297 ACK -> 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT(*): (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:25.515: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:26.511: INTERCEPT(*): SYNSENT retransmit 1 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:26.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:27.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:28.511: INTERCEPT(*): SYNSENT retransmit 2 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:28.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:31.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:32.511: INTERCEPT(*): SYNSENT retransmit 3 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:32.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:39.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:40.511: INTERCEPT(*): SYNSENT retransmit 4 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:40.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:56.511: INTERCEPT: SYNSENT retransmitting too long (155.1.45.5:19297 <-> 10.0.0.1:80)
*Jun 2 06:48:56.511: INTERCEPT(*): (155.1.45.5:19297 <- RST 10.0.0.1:80) =>(1)
(1) The connection exceeded the timeout, so the router sends a RST to 155.1.45.5.
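The debug output above shows one intercepted connection through its whole life: the router completes the first half of the handshake with R5, sends its own SYN to 10.0.0.1 and retransmits it four times, drops the client's data while the server side stays in SYNSENT, and finally resets the client after about 31 seconds. The following Python script is an added example (not part of the original lab) that parses exactly these debug lines into one record per client/server pair, which is how such output is read in bulk rather than by eye. The log text is copied from the Step 3 output; classifying each message by substring is an assumption drawn from those lines, and the "2nd half" wording for a completed server side is assumed rather than seen in this output.

```python
"""Reconstruct per-connection state from Cisco IOS `debug ip tcp intercept` output.

Added example, not part of the lab: the debug lines below are copied from Step 3;
message classification by substring is an assumption drawn from those lines (the
"2nd half" wording for a completed server side is assumed, not seen here).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Tuple

LAB_DEBUG = """\
R4#debug ip tcp intercept
TCP intercept debugging is on
*Jun 2 06:48:25.507: INTERCEPT: new connection (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT(*): (155.1.45.5:19297 <- ACK+SYN 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT: 1st half of connection is established (155.1.45.5:19297 ACK -> 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT(*): (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:25.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:25.515: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:26.511: INTERCEPT(*): SYNSENT retransmit 1 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:26.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:27.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:28.511: INTERCEPT(*): SYNSENT retransmit 2 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:28.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:31.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:32.511: INTERCEPT(*): SYNSENT retransmit 3 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:32.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:39.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:40.511: INTERCEPT(*): SYNSENT retransmit 4 (155.1.45.5:19297 SYN -> 10.0.0.1:80)
*Jun 2 06:48:40.511: INTERCEPT: client packet dropped in SYNSENT (155.1.45.5:19297 -> 10.0.0.1:80)
*Jun 2 06:48:56.511: INTERCEPT: SYNSENT retransmitting too long (155.1.45.5:19297 <-> 10.0.0.1:80)
*Jun 2 06:48:56.511: INTERCEPT(*): (155.1.45.5:19297 <- RST 10.0.0.1:80)
"""

TS_RE = re.compile(r"^\*?(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d+):\s+(.*)$")
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}:\d+)")
RETRANSMIT_RE = re.compile(r"SYNSENT retransmit (\d+)")


@dataclass
class InterceptFlow:
    client: str
    server: str
    first_syn: datetime
    first_half_established: bool = False   # router completed the handshake with the client
    second_half_established: bool = False  # server answered the router's proxied SYN
    syn_retransmits: int = 0               # router SYN retransmissions toward the server
    client_packets_dropped: int = 0        # client data discarded while server side is SYNSENT
    gave_up: bool = False                  # "retransmitting too long"
    reset_sent: Optional[datetime] = None  # when the router reset the client

    @property
    def outcome(self) -> str:
        if self.second_half_established:
            return "established"
        return "reset" if self.reset_sent else "pending"

    @property
    def seconds_until_reset(self) -> Optional[float]:
        return None if self.reset_sent is None else (self.reset_sent - self.first_syn).total_seconds()


def _parse_ts(raw: str) -> datetime:
    # IOS prints no year; only differences are used, so the default year 1900 is fine.
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S.%f")


def parse_intercept_debug(text: str) -> Dict[Tuple[str, str], InterceptFlow]:
    flows: Dict[Tuple[str, str], InterceptFlow] = {}
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if not m or "INTERCEPT" not in m.group(2):
            continue  # prompts, "debugging is on", anything that is not intercept debug
        ts, msg = _parse_ts(m.group(1)), m.group(2)
        ends = ENDPOINT_RE.findall(msg)
        if len(ends) != 2:
            continue
        key = (ends[0], ends[1])  # every INTERCEPT message prints the client endpoint first
        if "new connection" in msg:
            flows[key] = InterceptFlow(ends[0], ends[1], ts)
            continue
        flow = flows.get(key)
        if flow is None:
            continue  # capture started mid-connection; nothing to attach to
        retrans = RETRANSMIT_RE.search(msg)
        if "1st half" in msg:
            flow.first_half_established = True
        elif "2nd half" in msg:
            flow.second_half_established = True
        elif "client packet dropped" in msg:
            flow.client_packets_dropped += 1
        elif retrans:
            flow.syn_retransmits = max(flow.syn_retransmits, int(retrans.group(1)))
        elif "retransmitting too long" in msg:
            flow.gave_up = True
        elif "<- RST" in msg:
            flow.reset_sent = ts
    return flows


if __name__ == "__main__":
    for f in parse_intercept_debug(LAB_DEBUG).values():
        print(f"{f.client} -> {f.server}: {f.outcome} after {f.syn_retransmits} SYN retransmits, "
              f"{f.client_packets_dropped} client packets dropped, {f.seconds_until_reset}s")
```

On the lab output this yields a single flow whose first half completed but whose second half never did: four SYN retransmissions, nine dropped client packets and a RST 31.004 seconds after the first SYN. A flow that reaches "established" with no retransmits is the healthy case; many flows stuck at "pending" or "reset" with the first half complete point at a server that is not answering, whereas many flows that never reach "1st half" point at clients that never finish the handshake, which is the pattern TCP intercept exists to absorb.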