Configuring IP ACLs for Restricting Access to Resources (CTPView Server Menu)
An access control list (ACL) is a sequential collection of permit and deny conditions that you can use to filter inbound or outbound routes. You can use different kinds of access lists to filter routes based on The router compares each route's IP address against the conditions in the list, one-by-one. If the first match is for a permit condition, the route is accepted or passed. If the first match is for a deny condition, the route is rejected or blocked. The order of conditions is critical because testing stops with the first match. If no conditions match, the router rejects or blocks the address; that is, the last action of any list is an implicit deny condition for all routes.
You can define an access list to permit or deny routes on the basis of the IP address or the range of IP addresses. Each access list is a set of permit or deny conditions (based on how they match a route's address) for a route. A zero in the wildcard mask means that the corresponding bit in the address must be exactly matched by the route. A one in the wildcard mask means that the corresponding bit in the address does not have to be matched by the route. You can also specify a range of IP addresses, by entering the starting IP address and the ending IP address in the range separated by a hyphen (-), if you want to enable or disallow traffic from a set of IP addresses.
We recommend that you modify the IP ACLs during periods of relatively low traffic to minimize network disruptions and outages in processing packets.
Before you begin, log in to the CTPView server and access the CTPView Configuration Menu. See Accessing the CTPView Server Configuration Menu (CTPView Server Menu).
You cannot use an SSH application to access the CTPView server until you have configured the server in your network and assigned it an IP address. See Configuring the Network Access (CTPView Server Menu).
To add, remove, or display IP ACLs:
- From the CTPView Configuration Menu, select 6) PostgreSQL Functions.
- Select 6) IP ACL Function.
The IP ACL Function menu is displayed, which enables you to create
a new ACL, delete a previously configured ACL, and view all the ACLs
configured on your CTP device.
CTPView Configuration Menu Please choose a menu item from the following list: 0) Exit CTPView Configuration Menu 1) Security Profile 2) System Configuration 3) Port Forwarding 4) Advanced Functions 5) Backup Functions 6) PostgreSQL Functions 7) CTPView Access Functions 8) GRUB Functions 9) AAA Functions Please input your choice [0]: 6 ************************************************************ CTPView version 7.2R1-rc3 151120 Server: ctpview Date: Mon Dec 7 06:00:20 2015 Release: CentOS release 5.11 (Final) Kernel: 2.6.18-406.el5 User root logged in from 10.215.150.11 as root +++++ ALL ACTIONS ARE LOGGED +++++ ************************************************************ PostgreSQL Menu Please choose a menu item from the following list: 0) Return to previous menu 1) Change PostgreSQL Administrator password 2) Change PostgreSQL Apache password 3) Restart PostgreSQL Server 4) Initialize Web UI Template Accounts 5) IP ACL Function 6) Upgrade Database Structures Please input your choice [0]: 5 ************************************************************ CTPView version 7.2R1-rc3 151120 Server: ctpview Date: Mon Dec 7 06:00:23 2015 Release: CentOS release 5.11 (Final) Kernel: 2.6.18-406.el5 User root logged in from 10.215.150.11 as root +++++ ALL ACTIONS ARE LOGGED +++++ ************************************************************ IP ACL Function Menu Please choose a menu item from the following list: 0) Return to previous menu 1) Add 2) Remove 3) Show Please input your choice [0]: 1 Enter the IP or IP range[e.g 10.0.1-23.*]: 1.2.3.4 Specify the permission 0) Deny 1) Allow Please input your choice [0]: 0 IP range/ IP address added successfully... Hit return to continue...
- Select 1) Add
- Follow the onscreen instructions and configure the options
as described inTable 1.
Table 1: Creating an IP ACL
Field Function Your Action Enter the IP or IP range [e.g 10.0.1-23.*]
Specifies the IP address or a pool of IP addresses from which you want to enable or disallow traffic.
Specify an IP address in the format a.b.c.d/xx, where xx is the subnet prefix, or an IP address range in the format of starting-address - ending -address, with the starting and ending IP addresses separated by a hyphen (-).
Specify the permission
Specifies whether you want to enable or deny traffic from the specified IP address or range of addresses.
Select 0) Deny to cause the CTP device to drop traffic arriving from the specified IP address.
Select 1) Allow to cause the CTP device to allow traffic arriving from the specified IP address.
Specify rtn to set the interface that is prompted by the system to be specified as the default IPv4 circuit device. For example, if the prompt displays (rtn for eth1), and if you specify rtn, eth1 is set as the default circuit device.
- Press Enter to proceed to the next step of removing any of the configured IP ACLs. The IP ACL Function menu is displayed.
- Select 2) Remove. The IP address
ranges or IP addresses for which you previously configured ACLs are
displayed.
************************************************************ CTPView version 7.2R1-rc3 151120 Server: ctpview Date: Mon Dec 7 06:01:04 2015 Release: CentOS release 5.11 (Final) Kernel: 2.6.18-406.el5 User root logged in from 10.215.150.11 as root +++++ ALL ACTIONS ARE LOGGED +++++ ************************************************************ IP ACL Function Menu Please choose a menu item from the following list: 0) Return to previous menu 1) Add 2) Remove 3) Show Please input your choice [0]: 2 Current listing of IP range : 0) Return to previous menu 1) *.*.*.* 2) 1.2.3.4 3) 78.34.3.2 Please input your choice [0]:2 IP range/ IP address removed successfully... Hit return to continue...
- From the list of IP addresses displayed, select a number
pertaining to your choice. Enter the number next to the Please
input your choice [0] field. If you select 0, you are returned to the previous menu.
After you enter a number pertaining to your choice in the menu, a confirmation message is displayed stating that the selected IP address or range is successfully deleted.
- Press Enter to proceed to the next step of viewing all the configured IP ACLs. The IP ACL Function menu is displayed.
- Select 3) Show. All the configured
IP addresses and their corresponding permissions are displayed. The
access modifier or permission of 1 denotes permit, and 0 denotes deny.
************************************************************ CTPView version 7.2R1-rc3 151120 Server: ctpview Date: Mon Dec 7 06:01:14 2015 Release: CentOS release 5.11 (Final) Kernel: 2.6.18-406.el5 User root logged in from 10.215.150.11 as root +++++ ALL ACTIONS ARE LOGGED +++++ ************************************************************ IP ACL Function Menu Please choose a menu item from the following list: 0) Return to previous menu 1) Add 2) Remove 3) Show Please input your choice [0]: 3 All database entries: +-----------+------------+ | iprange | permission | +-----------+------------+ | *.*.*.* | 1 | | 78.34.3.2 | 0 | +-----------+------------+ Hit return to continue...