禁止非法主机链接

对在CSV文件中登记过的主机分配IP地址并允许其访问互联网，屏蔽非法主机接入的设定例。

使用本设定例中的Lua脚本，可监视MAC地址过滤功能输出的log。
将log中检测到的MAC地址与CSV文件中的记录做比较，只有CSV文件中登记过的MAC地址，才通过DHCP分配IP地址。
CSV文件中没有登记该MAC地址时，关闭该主机所连接的SWX2200端口。

在CSV文件中记录允许访问的主机的主机名和MAC地址，如下所示，每行记录1个主机。
并且，可以用Lua脚本的设定值filename来指定该CSV文件。

  • CSV文档记录例
    • (主机名1),XX:XX:XX:XX:XX:01
    • (主机名2),XX:XX:XX:XX:XX:02

RTX1200的设定例

以太网过滤的设定

ethernet filter 1 pass-nolog *:*:*:*:*:* 01:a0:de:00:e8:13 0 e8,12
ethernet filter 2 pass-nolog dhcp-bind 1
ethernet lan1 filter in 1 2

LAN接口的设定
(使用LAN1端口)

ip lan1 address 192.168.100.1/24

WAN的接口设定
(使用LAN2端口)

pp select 1
pp always-on on
pppoe use lan2
pp auth accept pap chap
pp auth myname(连接ISP的ID) (连接ISP的密码)
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ip pp mtu 1454
ip pp nat descriptor 1
pp enable 1
ip route default gateway pp 1

NAT的设定

nat descriptor type 1 masquerade

DHCP的设定

dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope lease type 1 bind-only
dhcp scope 1 192.168.100.2-192.168.100.191/24

DNS的设定

dns server(由ISP指定的DNS服务器的IP地址)
dns private address spoof on

SWX2200的设定

switch control use lan1 on

SYSLOG的设定

syslog notice on

策略过滤的设定

ip policy interface group 101 name=Private local lan1
ip policy address group 101 name=Private 192.168.100.0/24
ip policy address group 102 name=Any *
ip policy service group 101 name="Open Services"
ip policy service group 102 name=General dns
ip policy service group 103 name=Mail pop3 smtp
ip policy service group 104 name=IPsec ike esp
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1124 static-pass-log * * 192.168.100.0/24 * http
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 1140 pass-nolog * pp1 * * *
ip policy filter 1520 pass-log * lan1 * * 101
ip policy filter 1530 static-pass-nolog * local * * 104
ip policy filter 1600 reject-nolog tunnel* * * * *
ip policy filter 1630 pass-nolog * tunnel* * * *
ip policy filter 1640 pass-nolog * local * * *
ip policy filter 1650 pass-nolog * lan1 * * *
ip policy filter 1680 reject-nolog * pp* * * *
ip policy filter 1700 pass-nolog local * * * *
ip policy filter 1710 static-pass-nolog * lan1 * * *
ip policy filter 1750 static-pass-nolog * pp* * * 104
ip policy filter 2000 reject-nolog * * * * *
ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1140 1130] 1500 [1520 1530] 1600 [1640 1650 1680 1630] 1700 [1710 1750] 2000
ip policy filter set enable 101
Lua脚本的日程设定

schedule at 1 startup * lua /swx2200_lua_pc_check_rtx1200.lua

Lua脚本例

设定值

-- Script settings. They are deliberately globals: the functions and the
-- main loop further down in this script read them.
--   filename  : absolute path of the allowed-PC list (CSV file)
--   log_level : syslog level used for this script's own messages
--               (info, debug or notice)
--   ptn       : syslog text that marks a rejection by the MAC filter
--   mac_ptn   : Lua pattern that extracts a MAC address from a syslog line
--               (it matches hex digits and colons only)
filename, log_level, ptn, mac_ptn =
  "/pc_list.csv",
  "info",
  "Rejected at IN%(default%) filter",
  "%x%x:%x%x:%x%x:%x%x:%x%x:%x%x"

主机搜索

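--- Locate the SWX2200 switch and port that a host is connected through.
-- The MAC is first looked up in the router's own switching-hub table
-- (LAN1), then in the ARP tables of lan2/lan3. The route found that way is
-- then walked down the cascaded SWX2200 chain with
-- "switch control function get status-macaddress-addr" until no switch
-- reports the address any more; the last switch that answered is the edge.
-- @tparam string mac MAC address in xx:xx:xx:xx:xx:xx form. Callers obtain
--   it via mac_ptn, so it holds only hex digits and colons and can be
--   spliced into router commands without further escaping.
-- @treturn string|nil route of the edge switch ("LAN1:3", "LAN2-2", ...),
--   or nil when the host was not found on any switch
-- @treturn string|nil port number on that switch
function search_host(mac)
  local rtn, str
  local sw_route, route, port

  -- LAN1: the router itself reports which physical port learned the MAC.
  rtn, str = rt.command("show status switching-hub macaddress " .. mac)
  port = str and string.match(str, "port (%d+):")

  if port then
    route = "LAN1:" .. port
  else
    -- Not on LAN1: fall back to the ARP tables of the other interfaces.
    for _, lan in ipairs({ "LAN2", "LAN3" }) do
      rtn, str = rt.command("show arp " .. string.lower(lan))
      -- plain find: the MAC is literal text, not a pattern
      if str and string.find(str, mac, 1, true) then
        route = lan
        break
      end
    end
  end

  if not route then
    return
  end

  -- Follow the cascade. Each answer names the port of the current switch
  -- that leads towards the host; "0 entry" means this switch is past the
  -- edge, so the previous one is the answer.
  while true do
    rtn, str = rt.command("switch control function get status-macaddress-addr " ..
                          mac .. " " .. route)
    if not (rtn and str ~= "0 entry\r\n") then
      break
    end
    local next_port = string.match(str, "(%d+)")
    if not next_port then
      -- unexpected reply without a port number: stop at what we have
      break
    end
    port = next_port
    sw_route = route
    route = route .. "-" .. port
  end
  return sw_route, port
end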

屏蔽非法PC的接入端口

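--- Disable the SWX2200 port that a rejected host is connected to.
-- search_host is used to find the edge switch and port; when the host is
-- not found nothing is done and nothing is logged. The outcome (success or
-- the router's error text) is written to syslog at log_level.
-- @tparam string mac MAC address taken from the syslog line (hex digits and
--   colons only, so it is safe to pass on to router commands)
function port_shutdown(mac)
  local sw_route, port = search_host(mac)
  if not (sw_route and port) then
    return
  end

  rt.command("switch select " .. sw_route)
  local rtn, str = rt.command("switch control function set port-use " .. port .. " off")
  if not rtn then
    -- on failure str carries the router's error text
    rt.syslog(log_level, "port shutdown error (" .. tostring(str) .. ")")
    return
  end

  -- Log the switch's configured system name when it has one; otherwise
  -- fall back to the route string so the log still identifies the switch.
  rtn, str = rt.command("switch control function get system-name " .. sw_route)
  local name = str and string.match(str, "(.-)\r\n")
  local label = name or sw_route
  rt.syslog(log_level, "port shutdown " .. label .. " : port " .. port)
end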

主程序

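-- Set of registered MAC addresses, keyed by the lower-cased address.
local bind = {}

-- Register the allowed hosts: every MAC found in the CSV gets a DHCP
-- binding and is remembered for the comparison in the watch loop below.
local fh, estr = io.open(filename, "r")

if not fh then
  rt.syslog(log_level, "file open error (" .. tostring(estr) .. ")")
else
  for line in fh:lines() do
    local mac = string.match(line, mac_ptn)
    if mac then
      -- mac matched mac_ptn, so it holds only hex digits and colons and can
      -- be spliced into the router command as-is.
      rt.command("dhcp scope bind 1 * ethernet " .. mac)
      bind[string.lower(mac)] = true
    end
  end
  io.close(fh)
end

-- Watch the MAC-filter rejection log. A host that is not in the CSV is cut
-- off at its switch port; a registered one is only logged.
local rtn, str

while true do
  rtn, str = rt.syslogwatch(ptn)
  -- str[1] is the matched syslog line; guard against an empty result
  local mac = rtn and str and str[1] and string.match(str[1], mac_ptn)
  if mac then
    -- Compare case-insensitively: the CSV and the syslog may spell the
    -- address in different letter case, which must not lock out a
    -- registered host.
    if bind[string.lower(mac)] then
      rt.syslog(log_level, "bind table match " .. mac)
    else
      port_shutdown(mac)
    end
  end
end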
