Title: Huawei router AR -18-23-1: how to restrict access to external network addresses  ( Views: 365  Replies: 5 )
gujideyeyu
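Posted: 2008-2-24 20:40   Subject: Huawei router AR -18-23-1: how to restrict access to external network addresses
Huawei router AR -18-23-1: how do I restrict access to external network addresses?
I'm a beginner, so please explain in detail. For example, restricting www.163.com
or 202.108.9.39.
Thanks!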



 
小侠唐在飞
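Posted: 2008-2-24 21:02
In your router's ACL, add one rule:
rule 1  deny  ip  destination 202.108.9.30 0
That blocks everyone from accessing the external network. Remember that this rule has to be placed near the front.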



 
gujideyeyu
Posted: 2008-2-24 21:04
Thank you. But if I want to restrict several IPs, do I add them one by one?
Could you explain in a bit more detail?



 
gujideyeyu
Posted: 2008-2-24 21:08
#
sysname Quidway
#
clock timezone gmt+08:004 add 08:00:00
#
cpu-usage cycle 1min
#
connection-limit disable
connection-limit default action deny
connection-limit default amount upper-limit 50 lower-limit 20
#
qos carl 1 source-ip-address range 219.238.41.8 to 219.238.41.25 p
qos carl 2 destination-ip-address range 219.238.41.8 to 219.238.41
ss
qos carl 3 source-ip-address range 219.238.41.78 to 219.238.41.92
qos carl 4 destination-ip-address range 219.238.41.78 to 219.238.4
ess
#
web set-package force flash:/http.zip
#
radius scheme system
#
domain system
#
local-user system
password cipher 20^U/;ELU7:a+EU-#.7Z6A!!
service-type telnet terminal
level 3
service-type ftp
local-user zhangxue
password cipher 20^U/;ELU7:a+EU-#.7Z6A!!
service-type telnet
level 3
#
acl number 3001
rule 0 deny tcp destination-port eq 135
rule 1 deny tcp destination-port range 137 139
rule 2 deny tcp destination-port eq 445
rule 3 deny tcp destination-port range 4444 4445
rule 4 deny tcp destination-port eq 539
rule 5 deny tcp destination-port eq 593
rule 6 deny tcp destination-port eq 1025
rule 7 deny tcp destination-port eq 6969
rule 8 deny tcp destination-port eq 9696
rule 9 deny tcp destination-port eq 9996
rule 10 deny tcp destination-port eq 707
rule 11 deny tcp destination-port range 6881 6889
rule 12 deny tcp destination-port range 8881 8889
rule 13 deny tcp destination-port eq 10137
rule 14 deny tcp destination-port eq 16881
rule 15 deny udp destination-port eq 16881
rule 16 deny udp destination-port eq 10137
rule 17 deny udp destination-port range 6881 6889
rule 18 deny udp destination-port range 8881 8889
rule 19 deny udp destination-port eq 1025
rule 20 deny udp destination-port eq 9696
rule 21 deny udp destination-port eq 6969
rule 22 deny udp destination-port range 4444 4445
rule 23 deny udp destination-port range netbios-ns netbios-ssn
rule 24 deny udp destination-port eq 135
#
interface Aux0
async mode flow
#
interface Ethernet1/0
ip address 192.168.168.238 255.255.255.252
dhcp select interface
firewall packet-filter 3001 inbound
#
interface Ethernet2/0
ip address dhcp-alloc
#
interface Ethernet3/0
ip address dhcp-alloc
#
interface Ethernet4/0
ip address 219.238.41.158 255.255.255.0
arp send-gratuitous-arp 1
qos car inbound carl 1 cir 100000 cbs 100000 ebs 100000 green pass
qos car inbound carl 3 cir 100000 cbs 100000 ebs 100000 green pass
qos car outbound carl 2 cir 200000 cbs 200000 ebs 200000 green pas
qos car outbound carl 4 cir 200000 cbs 200000 ebs 200000 green pas
#
interface NULL0
#
FTP server enable
#
arp static 219.238.41.28   000a-eb9a-f017
arp static 219.238.41.29   000a-eb93-7e4e
arp static 219.238.41.30   000a-eb9b-d76f
arp static 219.238.41.31   000a-eb84-cf45
arp static 219.238.41.24   000a-eb28-08fd
arp static 219.238.41.25   000a-eb4f-6d78
arp static 219.238.41.26   000a-eb97-38b5
arp static 219.238.41.27   000a-eb9b-d727
arp static 219.238.41.20   000a-eb28-03f1
arp static 219.238.41.21   000a-eb27-d483
arp static 219.238.41.23   000a-eb27-d4a8
arp static 219.238.41.16   000a-eb27-ffe7
arp static 219.238.41.17   000a-eb1c-6b85
arp static 219.238.41.18   000a-eb28-09ea
arp static 219.238.41.19   000a-eb08-f2e0
arp static 219.238.41.12   000a-eb28-021f
arp static 219.238.41.13   000a-eb28-02c1
arp static 219.238.41.14   000a-eb28-0072
arp static 219.238.41.15   000a-eb27-ff5c
arp static 219.238.41.8    000a-eb4f-6653
arp static 219.238.41.9    000a-eb28-0041
arp static 219.238.41.10   000a-eb28-0170
arp static 219.238.41.11   000a-eb28-0292
arp static 219.238.41.4    000a-eb4f-4f01
arp static 219.238.41.5    000a-eb27-e8de
arp static 219.238.41.6    000a-eb27-ff34
arp static 219.238.41.7    000a-eb4f-4ef1
arp static 219.238.41.1    000a-eb27-d5c6
arp static 219.238.41.22   000a-eb28-0274
arp static 219.238.41.2    000a-eb4f-6720
arp static 219.238.41.3    000a-eb4f-4f4e
arp static 219.238.41.60   000a-eb27-d46e
arp static 219.238.41.61   000a-eb27-e97b
arp static 219.238.41.62   000a-eb27-f559
arp static 219.238.41.63   000a-eb28-0974
arp static 219.238.41.56   000a-eb4e-a345
arp static 219.238.41.57   000a-eb28-0071
arp static 219.238.41.58   000a-eb27-ffb9
arp static 219.238.41.59   000a-eb28-027c
arp static 219.238.41.52   000a-eb28-01f2
arp static 219.238.41.53   000a-eb27-fede
arp static 219.238.41.54   000a-eb27-e911
arp static 219.238.41.55   000a-eb96-a7f2
arp static 219.238.41.48   000a-eb99-abfe
arp static 219.238.41.49   000a-eb9b-0017
arp static 219.238.41.50   000a-eb9a-f165
arp static 219.238.41.51   000a-eb1c-6d71
arp static 219.238.41.44   000f-eae2-1f00
arp static 219.238.41.45   000a-eb1c-6ec0
arp static 219.238.41.46   000a-eb97-38f7
arp static 219.238.41.47   000a-eb97-88f7
arp static 219.238.41.40   000a-eb97-3aa2
arp static 219.238.41.43   000a-eb9a-f160
arp static 219.238.41.36   000a-eb9a-0f3b
arp static 219.238.41.37   000a-eb9a-f0e8
arp static 219.238.41.41   000a-eb97-8fe5
arp static 219.238.41.42   000a-eb97-38fd
arp static 219.238.41.38   000a-eb97-8f36
arp static 219.238.41.39   000a-eb9a-f151
arp static 219.238.41.34   000a-eb96-a7ea
arp static 219.238.41.35   000a-eb97-8fe6
arp static 219.238.41.95   000a-eb27-d5ef
arp static 219.238.41.88   000a-eb27-fed6
arp static 219.238.41.89   000a-eb27-e8b0
arp static 219.238.41.90   00e0-8c49-02b1
arp static 219.238.41.91   000a-eb1c-6b04
arp static 219.238.41.84   000a-eb27-e6e4
arp static 219.238.41.85   000a-eb27-eefa
arp static 219.238.41.86   000a-eb28-029f
arp static 219.238.41.87   000a-eb27-e86b
arp static 219.238.41.80   000a-eb97-38b7
arp static 219.238.41.81   000a-eb27-ff7e
arp static 219.238.41.82   000a-eb27-e633
arp static 219.238.41.83   000a-eb4f-4f0c
arp static 219.238.41.76   000a-eb4f-5c06
arp static 219.238.41.77   000a-eb28-0088
arp static 219.238.41.78   000a-eb28-0a26
arp static 219.238.41.79   000a-eb27-feda
arp static 219.238.41.72   000a-eb4f-54a6
arp static 219.238.41.73   000a-eb28-02fb
arp static 219.238.41.74   000a-eb27-fdf6
arp static 219.238.41.75   000a-eb4f-6d80
arp static 219.238.41.68   000a-eb28-002b
arp static 219.238.41.69   000a-eb27-fef4
arp static 219.238.41.70   000a-eb28-024a
arp static 219.238.41.71   000a-eb27-e954
arp static 219.238.41.64   000a-eb27-d52d
arp static 219.238.41.65   000a-eb4f-544b
arp static 219.238.41.66   000a-eb28-02ed
arp static 219.238.41.67   000a-eb27-ff9b
arp static 219.238.41.120  0004-614e-845b
arp static 219.238.41.121  0004-614e-8b54
arp static 219.238.41.116  0004-614e-93e2
arp static 219.238.41.117  0004-614d-e222
arp static 219.238.41.118  0004-614e-8ec3
arp static 219.238.41.119  0004-614e-8222
arp static 219.238.41.113  0004-614e-8415
arp static 219.238.41.114  0004-614e-83bf
arp static 219.238.41.115  0004-614e-9663
arp static 219.238.41.108  0004-614e-830d
arp static 219.238.41.109  0004-614e-84a3
arp static 219.238.41.110  0004-614e-84a5
arp static 219.238.41.111  0004-614e-a842
arp static 219.238.41.104  0004-614e-9849
arp static 219.238.41.105  0004-614e-80f5
arp static 219.238.41.106  0004-614e-81ce
arp static 219.238.41.107  0004-614e-8664
arp static 219.238.41.100  0004-614e-80e9
arp static 219.238.41.101  0004-614e-8270
arp static 219.238.41.102  0004-614e-984d
arp static 219.238.41.103  0004-614e-81e2
arp static 219.238.41.97   000a-eb9b-5c98
arp static 219.238.41.98   000a-eb9a-bbef
arp static 219.238.41.99   0004-614d-e25e
arp static 219.238.41.156  000a-eb1c-6b63
arp static 219.238.41.157  000a-eb4e-8cac
arp static 219.238.41.159  000a-eb1c-6d17
arp static 219.238.41.152  000a-eb4e-8cac
arp static 219.238.41.153  0009-ca0b-802f
arp static 219.238.41.155  000a-eb17-fcde
arp static 219.238.41.151  0009-ca0b-5990
arp static 219.238.41.143  000a-eb1c-7022
arp static 219.238.41.128  000a-eb1c-6b9a
arp static 219.238.41.205  0000-e8f1-5f30
arp static 219.238.41.96   0001-29d1-e1a5
arp static 219.238.41.92   0030-f19a-01a5
arp static 219.238.41.93   000a-eb26-c85a
arp static 219.238.41.94   0001-29d1-e1a4
arp static 219.238.41.32   0000-e87e-1e94
arp static 219.238.41.33   0000-e87e-2766
arp static 219.238.41.122  0004-614e-8b54
arp static 219.238.41.112  0004-614e-829e
arp static 219.238.41.125  0020-ed5e-6fa4
#
ip route-static 0.0.0.0 0.0.0.0 192.168.168.237 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme

Above is my configuration. Where do I add it?



 
小侠唐在飞
Posted: 2008-2-25 01:02
acl number 3001
rule 0 deny tcp destination-port eq 135
rule 1 deny tcp destination-port range 137 139
rule 2 deny tcp destination-port eq 445
rule 3 deny tcp destination-port range 4444 4445
rule 4 deny tcp destination-port eq 539
rule 5 deny tcp destination-port eq 593
rule 6 deny tcp destination-port eq 1025
rule 7 deny tcp destination-port eq 6969
rule 8 deny tcp destination-port eq 9696
rule 9 deny tcp destination-port eq 9996
rule 10 deny tcp destination-port eq 707
rule 11 deny tcp destination-port range 6881 6889
rule 12 deny tcp destination-port range 8881 8889
rule 13 deny tcp destination-port eq 10137
rule 14 deny tcp destination-port eq 16881
rule 15 deny udp destination-port eq 16881
rule 16 deny udp destination-port eq 10137
rule 17 deny udp destination-port range 6881 6889
rule 18 deny udp destination-port range 8881 8889
rule 19 deny udp destination-port eq 1025
rule 20 deny udp destination-port eq 9696
rule 21 deny udp destination-port eq 6969
rule 22 deny udp destination-port range 4444 4445
rule 23 deny udp destination-port range netbios-ns netbios-ssn
rule 24 deny udp destination-port eq 135


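You see this section, right?
What it means is that hosts on the internal network are forbidden from accessing specific ports on the external network.
The principle is the same. The existing rules restrict access to ports on the destination host: destination-port
If you only want to restrict access to an IP, just add a rule with the restricted address: destination
rule   deny  ip  destination 202.108.9.30 0

Huawei's ACL has a hidden permit-all rule at the end.
So you only need to list what you want to deny here.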



 
worflp
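Posted: 2008-2-28 09:45
If the router has domain-name filtering, just add a rule directly; it should be intuitive and simple. If not, first use nslookup to resolve the site's IP, then create an ACL firewall rule: source address all internal machines, source port any, destination address the resolved IP, destination port any, and that's it. Broadband routers all work in much the same way.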



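Added example (not part of the thread): a Python model of the first-match evaluation described in the replies above, run over a few rules from the posted ACL 3001 plus destination rules of the kind suggested in posts 5 and 6. Rule IDs 25 and 26, the 198.51.100.0 block and evaluation in rule-ID order are assumptions of this example; the default permit follows what post 5 states.

```python
import ipaddress

# A few rules copied from the posted ACL 3001, plus rules 25 and 26,
# which are constructed for this example (unused IDs, sample addresses).
ACL_TEXT = """
rule 0 deny tcp destination-port eq 135
rule 2 deny tcp destination-port eq 445
rule 23 deny udp destination-port range netbios-ns netbios-ssn
rule 25 deny ip destination 202.108.9.39 0
rule 26 deny ip destination 198.51.100.0 0.0.0.255
"""
NAMED_PORTS = {"netbios-ns": 137, "netbios-ssn": 139}

def _ip(tok):
    # "0" is the shorthand wildcard for a single host
    return 0 if tok == "0" else int(ipaddress.IPv4Address(tok))

def _port(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def parse(text):
    """Parse rule lines into dicts, ordered by rule ID."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        r = {"id": int(t[1]), "action": t[2], "proto": t[3], "dst": None, "ports": None}
        if "destination" in t:
            i = t.index("destination")
            r["dst"] = (_ip(t[i + 1]), _ip(t[i + 2]))   # (address, wildcard)
        if "destination-port" in t:
            i = t.index("destination-port")
            lo = _port(t[i + 2])
            r["ports"] = (lo, _port(t[i + 3]) if t[i + 1] == "range" else lo)
        rules.append(r)
    return sorted(rules, key=lambda r: r["id"])

def evaluate(rules, proto, dst_ip, dst_port=None, default="permit"):
    """Return (action, rule_id) of the first matching rule, else (default, None)."""
    ip = _ip(dst_ip)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if r["dst"] and (ip ^ r["dst"][0]) & ~r["dst"][1] & 0xFFFFFFFF:
            continue  # a bit outside the wildcard differs
        if r["ports"] and (dst_port is None or not r["ports"][0] <= dst_port <= r["ports"][1]):
            continue
        return r["action"], r["id"]
    return default, None

RULES = parse(ACL_TEXT)
```

A destination rule matches only the address it lists, so a site that resolves to several addresses needs one rule per address or a wildcard covering the block.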
     
Copyright©2005-2008 51CTO.COM  Powered by Discuz!